Privacy Policy Concepts

Video Activity

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:01
Hello, everyone, and welcome to Module four, in which we discuss the notice and transparency obligations established by the CCPA.
00:10
A programming note for you. This is where we are in our course outline. We started the course by reviewing the history of the CCPA and why the law came into existence.
00:20
In Module two, we then transitioned into discussing the scope of the law, the businesses that are subject to it, the geographic application of the CCPA, and the definition of personal information.
00:32
Then, in Module three, we jumped into the actual privacy obligations that are established by the law.
00:39
The first thing we reviewed in Module three was the consumer rights.
00:43
In Module four, we will review the notice and transparency requirements established by the CCPA.
00:53
Lesson 4.1 will be dedicated to privacy policy concepts. In future lessons, in Lesson 4.2, we will actually review the specific privacy policy obligations established by the CCPA.
01:06
Now, just to keep ourselves organized, these are our learning goals and objectives. In this lesson, we will review how to draft a privacy policy
01:15
that would be layered on top of the privacy policy concepts we will review.
01:21
Then, in Lesson 4.2, we will review the specific CCPA requirements of a privacy policy.
01:29
Let's jump right into it.
01:30
The Golden Rule for a privacy policy: its main function
01:34
is to explain to the world how your business handles personal information.
01:38
When you think back to Module one and why the CCPA even came into existence, you understand very quickly why privacy policies are so important.
01:49
Because privacy advocates, the consuming public, and anyone else just generally interested in how their information is handled are going to have no idea what recourse they have, how information is stored, how long it is saved, all those things, unless the business declares in some sort of
02:06
public-facing way how that happens.
02:10
The privacy policy is the way that companies satisfy that obligation.
02:16
Your privacy policy also needs to always match reality.
02:20
I would say about a quarter to maybe a third of all regulatory enforcement actions in the privacy space have to do with companies not accurately capturing how their business handles information in their privacy policy.
02:32
In the alternative, there is an objective factual error in their privacy policy that later comes out when an individual investigates how companies actually handle information.
02:45
I beg of you. Please make sure that your privacy policy indeed matches what is happening in a real-world context with how information is handled.
02:55
Now let's move on from the Golden Rules and discuss some helpful hints
03:00
when drafting a privacy policy. I beg of you, please do not copy another business's privacy policy. Regulators have actually issued specific fines for this, and they will call out companies when they do that.
03:14
At work, I probably come across this in some way once every other month or so.
03:19
It's quite embarrassing for the privacy professional at the business when they have to finally admit that they simply
03:24
copied and pasted a privacy policy.
03:29
If you are, however, going to need to start somewhere and you can't start from scratch, I do think that there is a happy medium
03:36
where you can look at another company that has a very similar business model and take a look at some of the provisions that they have included in their privacy policy.
03:45
No, that is not me giving you a blessing to copy and paste what they put. But
03:50
it can be helpful as a useful starting line or guidepost to see how information is handled there,
03:55
and again with the main caveat:
03:59
making sure that it lines up with your data handling practices at your company.
04:05
I strongly believe that drafting a privacy policy needs to be a team effort.
04:12
It's been my experience when working with businesses of all sizes, that the best privacy policy is one that is not drafted and simply approved by one person or one department.
04:21
but is rather reviewed and collectively drafted by several service lines.
04:26
It is normally driven by, I have to admit, some sort of legal counsel.
04:30
It could be your
04:32
general counsel. It could be your privacy officer or even an outside law firm that might be taking lead in drafting a privacy policy.
04:41
There are also privacy advisors, including privacy consultants such as myself,
04:46
that will frequently be involved in drafting a privacy policy.
04:49
We might even take the lead in that.
04:51
That's fine;
04:53
leverage that resource, if you have it.
04:56
That, truthfully, is probably about a third of my life; it's dedicated to drafting privacy policies.
05:01
But
05:02
you must always, and this is something I make a point of doing,
05:06
get the buy-in from the key stakeholders at your company.
05:10
Your CISO, the chief information security officer,
05:13
absolutely needs to be involved in the drafting of a privacy policy.
05:16
Information security and privacy are opposite sides of the same coin.
05:23
They both need to be involved in this public declaration of how information is handled.
05:28
It's going to be IT that has the most intimate knowledge of the network, archival procedures, data retention, and data loss prevention protocols.
05:35
All that stuff is typically going to be included in a privacy policy.
05:40
It's not just IT that needs to be involved.
05:44
Groups including, and especially, marketing and your business operations. If you have a privacy department, obviously include them. Of course,
05:51
human resources; they all need to be involved in the drafting of your privacy policy.
06:00
Previously, I stated that employee data is outside the scope of the CCPA.
06:05
And for now, it is,
06:08
though there are amendments that will likely change that in the future.
06:11
A privacy policy applies to all global data handling practices.
06:15
If your business has exposure to the GDPR or other privacy laws in the world, you absolutely need to include human resources.
06:23
I also strongly recommend you update your privacy policy at minimum once a year.
06:29
If there ever is a law that comes out that fundamentally changes the privacy world, for example, we're going to talk later about CCPA 2.0, that merits another review of your privacy policy.
06:44
In summary, in Lesson 4.1, we discussed why privacy policies exist.
06:49
They provide the consuming public and regulators a better understanding of your data handling practices at your business.
06:57
It is one of the main reasons why the CCPA also came into existence.
07:01
It is to inform the consuming public of how information is handled.
07:06
The process for drafting a privacy policy: it is not a one-person show.
07:11
It's rather a collaborative effort.
07:14
I highly recommend including not just IT, but marketing and other service lines that frequently are called data stewards, who are responsible for handling information within the organization.
07:25
The key objectives when drafting a privacy policy:
07:28
the first and foremost is making sure that it matches up with the real-world handling of information.
07:33
That covers privacy policy concepts.
07:35
We will now jump into Lesson 4.2, where we discuss the specific privacy obligations that the CCPA requires.
07:44
I'll see you in the next lesson.