How to Notify Your Customers of Your Privacy Practices, and What Not to Do

Guest Bloggers - March 9th, 2016 by Woopra Team.

The post below was written by Leah Hamilton, a qualified solicitor and writer working with TermsFeed.

Setting up good privacy practices for your business is a key part of building customer trust and staying in line with your legal obligations. Your business should have a comprehensive privacy policy in place, as well as internal policies that promote the protection and care of customer data.

Having clear policies can help customers to trust you more, and will also ensure that your business appears transparent and honest. Customer trust is hugely important for retaining repeat business, and showing integrity when dealing with customer data goes a long way towards building that trust. So, it’s important that your customers are made aware of how you value their privacy, and your internal policies that protect them and their information.

Let’s take a look at what privacy practices your business should have in place, and also how to let your customers know about them. We’ll also examine some common pitfalls that may crop up when you are figuring out how to share your privacy practices with your customers.

What Privacy Practices Should You Have In Place?

The foundation of your privacy practices should be a clear and comprehensive privacy policy.

Privacy Policy

The exact contents of your policy will vary depending on both which jurisdiction you operate in and which jurisdiction your customers are from. In the US, there is no federal data protection law for users of websites or online services. In contrast, the European Union has a new, region-wide regulation coming into force in the next couple of years. Most jurisdictions are moving towards privacy laws that mirror, or at least borrow from, EU laws, with the US, in many ways, lagging behind.

A California state law provides the most clarity of expectations for business owners in the US, who should take note of this law if there is any possibility that they have customers who are California residents. The legislation is called the California Online Privacy Protection Act (CalOPPA), and it sets out what your privacy policy needs to contain as well as how it should be displayed.

First, CalOPPA requires that website or online service operators must “conspicuously post [their] privacy policy on its Web site, or … make that policy available”. CalOPPA also requires certain clauses to be covered in your Privacy Policy, such as:

  • what information is collected, and who this information may be shared with
  • how users can request changes to their information
  • how the operator will let users know that the Privacy Policy has changed
  • the effective date of the Privacy Policy
  • how “Do Not Track” requests of users are dealt with
  • whether other third parties may collect information about users through the service

All of these requirements should form the backbone of your privacy practices.

Internal Business Policies

The second important aspect, which is nearly as crucial as staying in line with privacy legislation, is ensuring that your business has a clear code of ethics for dealing with customer data and handling the private information of customers. This is more of an internal policy, rather than a public privacy policy or public code of how you deal with data.

Aspects of your internal policy may be replicated for public view to build trust in your customers, but its primary purpose should be to set clear expectations for staff as well as establishing what kind of behaviors are appropriate.

Notifying Customers of your Privacy Practices

Once you have set up your privacy policy and internal business guidelines for dealing with private data, the next key step to take is to ensure that you notify your customers of your policies.

Clickwrap vs. Browsewrap

From a legal perspective, it is important to ensure that your users are legally bound by your privacy policy. To be legally bound, they must have had reasonable notice of the terms and must have agreed to it in some way (also called manifested assent).

Most websites post their privacy policy using a method called browsewrap. While there are some conditions under which browsewrap can be effective, in most cases a browsewrap agreement would not be legally binding on the customer. Browsewrap is where the website or service provides a link to the privacy policy but expects the user to find this link by way of their own browsing through the website, with no particular prompting from the website owner.

Here is an example of browsewrap from Reuters:

Reuters privacy policy link

You can see that the Privacy Policy is in small writing down the bottom of their footer, and is not distinguished from any of the other links in any way. It would be hard to argue that the website user has had “reasonable notice” of this Policy, and no way of knowing whether they agree to it or not.

The other method that is becoming more widely used by online services and websites is called clickwrap. Clickwrap is where the user needs to click a button or checkbox with a statement saying “I agree to the privacy policy”.

This method has generally been viewed as legally enforceable by the courts. Most businesses display a clickwrap agreement as a pop-up when the user arrives at the website, particular in relation to cookies, or as part of their sign-up form when a customer creates an account or signs up to a mailing list.

Here is an example of clickwrap from Form Assembly:

Form Assembly privacy practice: clickwrap

You can see that when the user creates an account, they need to click the checkbox to agree before they can proceed. They have been provided “reasonable notice” of the policy, and there is clear agreement.

Making Changes to Your Policy

The next thing you need to have in mind is how to notify your customers if you make a change to your privacy policy. The best way is to send an email to your customers, such as this example from Medium:

Medium privacy practice of sending email with updates

Another acceptable method is to post a notice on your website in a conspicuous location that tells your users that your policy has changed, such as this message from Twilio:

Twilio privacy practice: website update

Sharing Internal Policies

Finally, consider whether you want to share your internal privacy practices and ethics with your customers. If your business has a strong privacy protection ethic, this can be valuable in helping to build confidence in your customers and associate your brand with integrity and trust. For example, the Chevron Business Conduct and Ethics Code contains a section on data privacy, that sets out how they expect their employees to behave:

Chevron data privacy practice

Note that Chevron sets out clearly that relevant laws should be followed, but also that employees should respect confidentiality, use data properly and within authorized uses, and should only process personal data if there is a “legitimate business reason” to do so. They also note that “only the personal data needed for the task at hand” should be collected, and no more.

Releasing a document such as this shows how Chevron intends data privacy issues to be treated within the company, which can help customers to feel more confident in the business.

Now let’s take a look at some common pitfalls when implementing these methods of sharing privacy practices.

Common Pitfalls

One of the easiest mistakes to make when using ‘clickwrap’ methods to get consent to your policies is not linking to your Privacy Policy in the text next to the checkbox or button.

When you use the clickwrap method, the Privacy Policy or legal agreement needs to be brought to the user’s attention, and if the agreement is not hyperlinked with the “I agree” text, it is unclear for the user what exactly they are agreeing to. You can see in the example from Form Assembly above that the Terms of Service and Privacy Policy are both hyperlinked in the text near the checkbox.

The second common pitfall in sharing privacy practices with customers is not keeping on top of the rules. The law changes, and due to the increasing pervasiveness of technology data privacy is a particular area of law that is developing quickly.

You need to ensure that someone in your business is tasked with reviewing these issues regularly to ensure that you are in compliance, as there’s no point sharing your Privacy Policy with customers if it’s no longer compliant with the law. A good starting point is to look for recent changes every six months, and check whether they affect your business policies or practices.

Finally, your business should be acutely aware of exactly who you are collecting data from. For example, EU citizens are subject to EU data protection regulation, even if your company is not based in the EU.

This means that if you are based in the US, but collecting the data of EU citizens, or there’s a chance you might be, you need to comply with EU law for the collection, processing, and storage of their data. If you aren’t even aware that you are collecting the data of EU citizens, you won’t be able to comply, and may face fines or penalties.

Conclusion

Setting up clear, comprehensive privacy practices for your business is an important step in building customer trust, and protecting you from falling foul of the law. Notifying your customers of your Privacy Policy, as well as the internal data collection ethics of your business ensures that your customers are aware of what data you are collecting, and what your attitude is towards their personal information.

Be careful of common pitfalls, and ensure that you always keep up to date on your legal obligations.

Leah Hamilton is a qualified Solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator.

Do you know what your customers are doing?
Find out in 5 minutes.

Try Woopra for free. No credit cards. No obligations.