Privacy Policy Importance And Is A Lawyer Required
One of the most common questions, especially by newer and smaller businesses, pertains to why having a privacy policy is important and whether a lawyer is required to draft their website or app privacy policy versus the common alternative of using a privacy policy generator such as through a service like Rocket Lawyer. Here, we discuss the relevant considerations to consider when deciding whether a lawyer should draft your privacy policy or if an online privacy policy generator might be sufficient.
The short answer is no; a lawyer is not legally required to create a privacy policy. With that said, as is often the case with legal matters, it is more complicated than just a yes or no answer.
Several privacy policy legal considerations must be accounted for when attempting to comply with the various recent privacy and data protection laws. In large part, because privacy law is such a dynamic area of the law, there are important nuances to account for when making decisions concerning a privacy policy for your business, particularly because many of the answers are intensely fact and scenario-specific.
For starters, if you are a one-in-a-million business owner who is somehow an expert in privacy and data protection law, there is indeed no need for a privacy policy lawyer to do the drafting and analysis. Beyond that, while it is always better to have an expert perform a service, realistically, especially for smaller businesses, budgets are limited, and a cost-benefit analysis is necessary. The core factors to consider generally revolve around the business’s data processing practices, size, and overall risk profile. Therefore, to help you determine whether it is wise to work with a lawyer to create your privacy policy, we analyze the factors at play and tips to keep in mind in this discussion.
A Brief Primer On The History Of Privacy Policies
Privacy policies geared toward companies operating online have been around practically since the advent of the Fourth Industrial Revolution when digital and the internet made the electronic collection of personal information increasingly ubiquitous. Thus, even before the flurry of recent privacy laws, such as the GDPR and the CCPA, came into effect, there was a steady move toward providing users of websites and apps with at least a minimum amount of clarity about what information was collected and processed.
As technology and associated tracking and data-backed advertising proliferated with “data becoming the new oil,” there was a growing concern among consumers and governments about the potential for abuse or danger from such unbridled collection and processing of personal information. Spurred by incidents where personal data was used for what was perceived as nefarious purposes, new, often complex, and potentially arduous privacy laws have been passing rapidly.
What Should A Privacy Policy Include
Though each law has nuances and compliance requirements, several core themes permeate practically all privacy-focused laws. One of these is that of notice. It generally refers to giving consumers information about what personal information is collected and how it is used (including if it is shared or sold), secured, and stored. It also relates to notifying users about how they can exercise any rights afforded under relevant regulatory frameworks. These rights commonly include rights to opt out of various forms of data use and deletion rights. The notice element is a common requirement of privacy laws, including under the CCPA and the GDPR. It focuses on ensuring that users are informed in their decision-making regarding their data and protected to some degree. In that respect, the privacy policy acts as a legally mandated notice. Beyond notice, a privacy policy includes various other tenets that depend on the specifics of the company in question.
Why Is A Privacy Policy Increasingly Important
The passage of privacy laws in both the United States, such as California’s CCPA, and on the international scale, such as the European Union’s GDPR, has upped the stakes for businesses that do not follow the relevant laws they are subject to. Beyond fines and the cost incurred navigating or defending regulatory enforcement actions relating to privacy law violations, companies that provide clear privacy policies and other transparency measures are more trusted by potential customers, leading to business growth. In that light, having an up-to-date and best-in-class privacy policy protects a business from costly government action and helps improve the bottom line.
The Size and Type Of Business
One of the first and primary considerations when deciding whether to use an attorney for one’s business’ privacy policy depends on the size of the business in question. The general rule is that the larger the company, the more legal risk. The risk comes in the form of increased attention from regulatory enforcement agencies for potential privacy law violations and the more significant number of customers that could be points of risk in the privacy realm. Further, specific privacy law regulatory frameworks, such as the California Consumer Privacy Act (CCPA), only apply to businesses that reach specific revenue or data processing benchmarks. Still, we have seen numerous instances of what can be considered smaller companies to be the targets of regulatory action due to various privacy and data protection infractions, including those relating to specific clauses in their privacy policy.
The Data Processing Activities Of The Business
Beyond the size of a business, the scope and kind of data processing it undertakes also plays a significant role in its overall risk posture and, consequently, what type of effort and resources must be put into the privacy policy it utilizes. Using customer personal information for targeted advertising, profiling, sharing, and selling will add credence to the critical need for a robust privacy policy. Regulatory frameworks added focus on the processing activities mentioned as they increase the likelihood of abuse and damage to people’s fundamental privacy rights. Therefore, engaging in these activities requires an added level of scrutiny and oversight by a business, including a well-drafted privacy policy that protects the business overall and ensures compliance and avoidance of enforcement actions.
The Location Of The Business
Though privacy laws generally have extraterritorial reach and regulate businesses beyond the country or state’s borders, the actual location of a company does play a role in the overall approach to a compliance regimen. For example, a company based in California and operating almost solely domestically with a small number of customers in Brazil (which has its privacy law called the LGPD) would do well to focus more on the CCPA and its impending replacement, the CPRA. Still, the actual location of a company is not the be-all-end-all; instead, the customer base, which we discuss next, is also very relevant. Regardless, ascertaining which privacy laws apply and must be accounted for in the privacy policy is necessary.
The Location Of Customers
Beyond the physical location of a business and its legal nexus, in the context of privacy laws, more focus is put on the location of the persons having their personal information collected or processed. For example, the European Union’s GDPR focuses on residency in the EU, and the CCPA uses the terminology of “California consumers.” Therefore, though a business might be outside of the EU or California, it very well might be subject to the regulations contained therein if it collects personally identifiable information (PII) of residents of a jurisdiction with a privacy law framework with extraterritorial reach.
The Danger Of A Privacy Policy That Overpromises
When embarking on securing a privacy policy, one of the more common courses of action that smaller companies embark on is via either an automated policy generator or simply copying and pasting from a policy on the internet. However, this path poses additional openings for legal action beyond the potential copyright infringement risk. First, making overbroad promises in a privacy policy, which can be construed as a contract with the website or other asset visitors, can be leveraged against a company. Specifically, suppose a company claims in its privacy policy to engage in a specific regimen of data collection, processing, and securing that is, in reality, in contravention of its actual practices. In that case, what can result is private action from consumers and enforcement from regulatory agencies, including the Federal Trade Commission (FTC) or State Attorney Generals. On the private action side, legal liability may be argued based on consumer protection statutes. On the regulatory enforcement side, such false promises are often pursued based on Section 5 of the FTC Act, which regulates unfair and deceptive practices or state-specific unfair or deceptive acts or practices (UDAP) laws. (In August 2022, the FTC announced it would be exploring additional rulemaking as it relates to “commercial surveillance, including targeted advertising, and data security practices, further stressing the increased regulatory focus in this area.) A lawyer drafting a company’s privacy policy and advising stakeholders on their responsibilities helps ensure that false promises are not being made. Second, it helps the relevant actors understand their compliance duties outlined in the privacy policy.
Updates As The Privacy Law Regulatory Landscape Evolves
Few areas of the law are more dynamic and fast-changing then privacy and data protection law. On a practically weekly basis, a new law is being introduced, coming into effect, or significant guidance emanates from one of the relevant regulatory bodies. For this reason, privacy policies and associated compliance efforts are not an area where “a set it and forget it” approach is prudent. Even when automated privacy policy generators will push updates to previously created policies when there is a change in the law, the question becomes how one ascertains whether the new law or change applies to their specific business. In contrast, when working with a lawyer, especially when there is an engagement that includes privacy tune-ups, which we recommend for most businesses yearly, there is a steady assurance that privacy policies and practices are up to date and provide adequate compliance and protection. Further, the attorney will already be familiar with the core facts about the business and data practices. Therefore, said regular tune-ups could be minimal in resource expenditure, and new clauses can be seamlessly incorporated into existing assets.
Handling Requests Relating To Consumer Rights
Another common theme that runs through the current privacy law frameworks revolves around requests from consumers exercising their rights under the relevant regulations. For instance, under both the GDPR and CCPA, there are rights where a consumer can contact the company in question that has collected their personal information and request that such information is provided or deleted, among several other Data Subject Access Requests (DSARs). A whole host of nuances come into play with such requests, including how to respond and under what legally allowed timelines, among other legally mandated procedures. Not following the required methodologies can result in regulators deeming a business to be non-compliant and subject to enforcement measures.
In light of the technical complexities, having an attorney who provides the privacy policy for one’s business and is familiar with its operations is in a unique position to help navigate the proper handling of these requests most efficiently. In contrast, the company that used an auto-generated privacy policy from Shopify, Rocket Lawyer, or some other vendor (without a tailored review from an attorney) they are unlikely to be familiar with DSAR requirements. The company will, therefore, find itself in a challenging situation when it comes to compliance. Further, should the company in question decide to get counsel for proper compliance, it is likely that the cost will be higher than it would have been if they used an attorney to create a privacy policy from the outset. This is because the new attorney will have to do the additional legwork of learning the business and their privacy practices instead of the attorney who would have already been familiar with the company. After all, they drafted the initial privacy policy.
What If There Is Regulatory Action?
As privacy laws come into effect and regulators phase out what was seen as initial good faith compliance windows and attitudes of leniency, there is an expectation that enforcement measures will become more aggressive. For businesses with a privacy policy drafted by an attorney, navigating any associated action for noncompliance through the said attorney will be more seamless as there is already a familiarity with the company’s specifics.
The Business Value Of A Robust Privacy Policy
As we touched on briefly earlier, beyond the legal requirements and associated considerations for a privacy policy, there are also other advantages. Specifically, a robust and straightforward privacy policy shows customers that a company is best in class and values its customers. Further, as time passes, prospective customers look to understand how their information is processed. In line with this, having a tailored privacy policy that focuses on simplicity and clarity while being custom to the company in question helps maximize the business value of a privacy policy.
Comparing Rocket Lawyer & Other Privacy Policy Generators With A Lawyer
There is a clear advantage of the privacy policy auto generators such as the ones offered by Rocket Lawyer as they are free, and costs are always front of mind for newer businesses. With that said, the points we covered outline some of the significant disadvantages that should be considered and weighed against the advantages of free privacy policies. As we mentioned, much of the decision will revolve around the specifics of the business in question, including its location, size, and type of data processing activities, among other factors.
The Dynamic Nature Of The Privacy Law Landscape
Regardless of a company’s route regarding a privacy policy and associated compliance, the privacy law landscape is highly dynamic and changes regularly. From new state laws to developments on the international front, businesses must stay updated to avoid costly regulatory action. Beyond the legal side, consumers increasingly seek company disclosure about their privacy practices. Transparency through a best-in-class privacy policy increases trust and brand loyalty among customers, making privacy a creative way to differentiate from competitors and gain market share.