Transparency should be a central part of any privacy program, particularly if your business is at the beginning of its privacy journey. Not only is transparency a key component for businesses looking to build trust, but it is also mandated under almost every modern privacy law – most commonly through privacy notice requirements.
Privacy notices are one of the most visible parts of your business’s privacy program, giving consumers information about how their personal information is used, their rights with respect to that information, and the third parties it is shared with, among other things. They are also one of the most visible places for regulators to assess your privacy practices.
Violations relating to privacy notice failures are among the most frequently enforced by data protection authorities. As a result, it is important to understand your obligations for what information you must provide, how you must provide it, and when. Beyond compliance, a robust, clear, and accessible privacy notice gives your organization the opportunity to communicate its privacy practices and is an important touchpoint for building a trusted relationship with your customers.
The benefits of a clear and accessible privacy notice are plain to see; getting one wrong, however, carries several pitfalls for your business. Keep reading to learn more about what privacy notices are, what you should include in yours, and how you can implement privacy notice best practices for compliance with US state privacy laws.
What is a privacy notice?
A privacy notice is a public-facing disclosure that describes how your business collects, uses, shares, and stores personal information. It is typically presented through a business’s website, mobile apps, and other digital properties. Generally, a privacy notice should be presented to the consumer at the time of, or prior to, the collection of personal information.
The central purpose of a privacy notice is to inform individuals about how their information will be processed, and most privacy regulations give businesses a list of specific disclosures that must be presented to consumers. In the context of US state privacy law, this typically includes the categories of personal information being collected, the purposes for which they are collected, the categories of third parties to whom personal information will be made available, and information about how consumers can exercise their rights. Understanding state-specific requirements and presenting the information in a clear and understandable format is essential for fulfilling your transparency obligations and upholding the consumer’s right to be informed.
Privacy notices are one of the first areas that should be addressed when developing a privacy program for compliance with US state privacy laws and must be regularly monitored to keep up with regulatory updates. It is also important to note that privacy notices should not be confused with privacy policies, which are internal documents that set the foundations for personal information management within the organization.
What should a privacy notice contain?
When approaching privacy notices for US state privacy, the first question is, “What should I include?” The answer – it depends. All current US state privacy laws contain provisions for privacy notices, and while the need to present consumers with a privacy notice is consistent, what to include is not.
The nuances of privacy notice requirements from state to state mean that a one-size-fits-all approach does not necessarily apply. However, businesses operating in multiple jurisdictions may choose to include information that satisfies the most stringent privacy notice requirements. To take either approach, you must first understand what is required in each state. The table below gives a snapshot of the types of information your privacy notice must contain under each state law.
[Table: snapshot of the types of information a privacy notice must contain under each of the six state privacy laws. Only the check marks survived extraction; the row labels (information types) and column headers (states) are not preserved here.]
Looking across the US state privacy notice requirements, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) sits as a marginal outlier from the group, additionally requiring businesses to disclose the categories of sources from which personal information is collected.
Across all six state privacy laws, however, there are three constants that should be included in your privacy notice: the categories of personal information collected, the purposes for which it is used, and the categories of third parties with which it is shared.
It is important to take your audience into account when providing this information and ensure the language used is understandable and free from technical or business jargon.
CPRA employee notices
The CPRA extended the CCPA’s applicability by bringing employee information into scope in California, requiring businesses to recognize the extended range of rights granted to employees in relation to the use of their information and the different purposes for processing personal information in this context.
As a result of the expanded scope of the CCPA (as amended), businesses must also ensure they have a privacy notice that addresses the unique aspects of the employment relationship and gives employees information about their rights and protections under the CCPA (as amended).
For employers who collect and process the personal information of California employees, an employee privacy notice should contain several additions to a typical privacy notice that specifically address the collection, use, and disclosure of personal information in an employment context.
Operationalizing privacy notices for US privacy
Understanding your requirements is key. Putting them into practice is essential – and OneTrust can help.
OneTrust Privacy Notice Management can help you to draft your privacy notices in one centralized dashboard and give you control over how you manage your privacy notices across regulations, languages, and digital properties. OneTrust Privacy Notice Management allows you to scan your websites and apps to identify where notices need to be presented, while utilizing integrations to push notices live at relevant touchpoints.
Request a demo to learn more about how OneTrust Privacy Notice Management can help you to operationalize privacy notices for compliance with US state privacy laws.