Start-ups and emerging businesses sprinting toward profit have a complex privacy landscape to navigate, but there are several helpful bits of insight that may help mitigate common mistakes, particularly in drafting privacy notices.
This was part of a detailed and in-depth preconference workshop yesterday here at the IAPP Privacy Academy and CSA Congress, with insight from some of the privacy world’s top legal, operational and regulatory voices.
“Say what you do; do what you say,” said former LinkedIn VP, General Counsel and Security Erika Rottenberg. But, she pointed out, for companies just getting started, creating a new privacy notice from scratch isn’t always necessary, and simply borrowing from another business is a dangerous, ill-advised move. She said one key is to start with a generic template, “then sit down with your tech and marketing people and your advanced strategic planning” teams to get everyone on the same page.
“Figure out what you’re doing today and what you’re going to do tomorrow,” Rottenberg said, “and get consent for all of that” from the start. She noted it’s much more difficult to get buy-in from folks like marketing and product development to change privacy notices retroactively. Lydia Parnes, partner and co-head of Wilson Sonsini Goodrich & Rosati's Privacy and Data Protection Practice, said that not only applies to start-ups but to big businesses as well.
Irish Data Protection Commissioner Billy Hawkes expressed caution, however, about using too generic a privacy notice template and pointed out that businesses should be as transparent about their data practices as possible.
Another consideration when drafting your notice? “Don’t make bold statements,” Rottenberg pointed out. Phrases such as “we never do this” and “we have great security” will lead your organization down a slippery and dangerous slope. The temptation, particularly from your marketing people, will be there. With so many breaches making headlines, selling sound data security is a potential marketing trap. One solution, though, is to note you practice "reasonable security standards."
Plus, steer clear of bold statements such as “we don’t share data” and “stay far away from saying we never do X,” Rottenberg stressed. At the time of drafting, your business may legitimately not practice “X,” but with rapidly changing technology, markets and business models, you may want or need to practice “X” down the road.
Epsilon Executive Vice President, Chief Privacy Officer and General Counsel Jeanette Fitzgerald said it’s also key to look to data security standards produced by the likes of ISO (International Organization for Standardization) and Payment Card Industry Data Security Standard and to hire security experts to help you understand your data security protections and to point out any possible vulnerabilities.
“It really does help you understand your system,” she said. You may find something with a one-in-a-billion chance of happening as well as something with a much higher risk. This allows you to prioritize your security risks and gives you a road map to follow.
Rottenberg pointed out that internal “White Hat days” are also a really strong method of finding potential vulnerabilities in your data architectures. “Have everyone hack into your system,” she said. You might find out some valuable information.
U.S. Federal Trade Commissioner Maureen Ohlhausen reminded the room that finding vulnerabilities is hugely important because an organization's “privacy and security are only as strong as its weakest link.”
Plus, it’s important to consider who your audience is when drafting your notice. Panelists identified at least five differing audiences to consider: your users, the regulators, judges and juries, the media and public relations and privacy advocacy organizations.
So how do you write to all five? “You do all of those,” said Rottenberg. “Put your policies in plain English,” she said. Don’t write them at a 12th-grade level; give it to your marketing people, your family members, and get their feedback. “Make it readable,” she added.
In trying to reach different audiences, Ohlhausen said the FTC backs a layered approach. There’s a value, she said, to having one easy-to-read notice for consumers but more detailed notices that use standard legalese. Additionally, technology has a strong role to play here, pointed out Wilson Sonsini Goodrich & Rosati Partner and Privacy and Data Protection Practice Co-Head Michael Rubin, by allowing apps and websites to provide users with more granular, just-in-time disclosures.
Of course, this is just the first stage in creating your privacy notice, but keeping some of these tips in mind will give you a strong head start.