Writing a Meaningful Privacy Notice

Privacy notices are meant to provide a meaningful and clear understanding of a company’s privacy practices so that consumers can make informed choices on sharing their information. However, privacy notices are often loaded with legal jargon, overwhelming to read and found to be meaningless. This article proposes that by investing the time to craft a privacy notice that is clear, easy-to-understand and transparent about a company’s actual privacy practices, companies can build goodwill and trust with customers and help to reduce the risk of regulatory actions.

Introduction

Information privacy and how to best protect one’s privacy is often a featured story in the news.

Consumers are taking note of these stories, and concerns about their privacy are impacting their buying decisions. More than half of U.S. adults surveyed reported they had decided to not purchase a product or service because they were concerned about their personal data being collected.[1]

With the rapid advance of new technologies and the use of consumers’ personal information to make these technologies more valuable, consumers are demanding protection of their private information and government is responding with regulations.[2] A central theme in this protection has been to provide the consumer with notice of what information a company is collecting about them and how the company is using the information.

Given the importance of a privacy notice in protecting a consumer’s privacy, privacy advocates and government agencies promote the concept of a meaningful privacy notice that clearly presents and fully explains the relevant privacy practices in a readable format for consumers.[3] This meaningful notice is meant to provide the consumer with the knowledge needed for them to make informed choices about sharing their information. However, most privacy notices provided to consumers are found to be “confusing, inconspicuous, and inscrutable.”[4]

This paper covers the benefits of a meaningful privacy notice and how a company may use their privacy notice both to build trust with customers and reduce the risk of regulatory action.

Benefits of a Meaningful Notice

A privacy notice is an important touchpoint for companies to engage with their customers. While many believe that a privacy notice is overlooked by customers, most Americans have been asked to agree to a company’s policies outlined in a privacy notice, and twenty-two percent always or often read the privacy notice, while another thirty-eight percent sometimes read the notice.[5] Considering that up to sixty percent of an organization’s customers may be, at the very least, glancing at the privacy notice, this is an important opportunity for a company to build trust with their customers.

Transparent notices that are aligned to business practices also protect a company from regulatory action. The Federal Trade Commission (FTC), the country’s privacy cop,[6] is tasked with protecting consumers’ privacy from deceptive and unfair trade practices. The FTC’s focus has been to encourage companies to provide notice as well as gain consent for their collection and use of consumer information. With the shift in consumers’ expectations of privacy—and the federal government lacking in comprehensive privacy law—more states are responding with their own privacy laws that impact the requirements for the privacy notice. This patchwork of federal and state privacy laws creates challenges for firms to comply with regulations related to the privacy notice. Taking the time to build a robust set of privacy policies—that are clearly conveyed in the meaningful notice—helps companies reduce the regulatory risk of a privacy violation.

Meaningful Privacy Notices Build Customer Trust

Cisco’s Data Privacy Benchmark Study[7] found nearly half of the respondents do not believe they can protect their data, with the chief reason being that companies make it too hard to understand what they are doing with their data. Even if a privacy notice meets regulatory requirements, when the privacy policy is not conveyed in a transparent way to help consumers clearly understand and make choices about their data use, a firm could suffer customer loss as well as reputational and financial damage.

A study of the actions and attitudes of consumers with respect to their data privacy found a new segment of “privacy active” consumers who are well-informed on privacy practices. Eighty-three percent of these privacy active consumers read the notice, and these consumers have acted to switch companies based on data practices.[8]

Additionally, if a firm suffers a data breach or is impacted by spillover public sentiment from a competitor’s data breach, their notice’s lack of transparency can put them at risk of reputational damage and associated loss of market value. A joint research publication by University of Washington and Colorado State University found firms that lacked transparent privacy policies suffered a 1.5 times larger drop in stock price after a breach event (their own or a competitor’s) than those with high transparency in their notices.[9]

Meaningful Privacy Notices Reduce Regulatory Risk

Besides retaining customers and reducing revenue loss from a breach, companies should invest in a privacy notice that is clear and understandable to avoid regulatory action. A well-planned notice also provides companies a sound base if they need to add more information to the notice due to changing privacy laws.

Federal and State Privacy Laws

Today, several federal laws require specific information be conveyed in the privacy notice. These include the Children’s Online Privacy Protection Act of 1998 (COPPA),[10] Gramm-Leach-Bliley Act (GLBA)[11] and Health Insurance Portability and Accountability Act of 1996 (HIPAA).[12] Also, new state privacy laws add requirements that impact the privacy notice. For example, the California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act (CPRA)[13] have a significant impact on the information required in a notice.

Federal Trade Commission and Consent Orders

The FTC requires companies within their scope of enforcement to be transparent in their privacy practices and to adhere to what they have disclosed in their privacy notice using Section 5(a) of the Federal Trade Commission Act,[14] which prohibits unfair or deceptive acts or practices in or affecting commerce.[15] The FTC often settles with companies under the agreement that the company will comply with the FTC consent order. These consent orders usually contain financial penalties, requirements for corrective action, audits and other compliance requirements.[16]

Conclusion

As companies navigate an increasingly complex environment of privacy practices, they must find a way to communicate their privacy practices in a way that meets the expectations of consumers and conforms to evolving regulations. A company can leverage their privacy notice to build a meaningful message about their privacy practices to build trust and goodwill with their customers and resolve the concerns of their privacy active customers. A meaningful notice may protect companies from losses due to the negative press of data breaches and other privacy violations. As the FTC enforcement and other privacy regulations evolve, a robust and meaningful privacy notice can be an added protection for companies and a means for them to be able to quickly adjust as needed to additional legal requirements.


[1] Andrew Perrin, Half of Americans Have Decided Not to Use a Product or Service Because of Privacy Concerns, Pew Research (April 14, 2020) https://www.pewresearch.org/fact-tank/2020/04/14/half-of-americans-have-decided-not-to-use-a-product-or-service-because-of-privacy-concerns/.

[2] Swish Goswami, The Rising Concern Around Consumer Data and Privacy, Forbes Technology Council (Dec. 14, 2020), https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=148938d0487e.

[3] Kamala D. Harris, Making Your Privacy Practices Public Recommendations on Developing a Meaningful Privacy Policy, Attorney General California Department of Justice (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

[4] Ari E. Waldman, Privacy, Notice, and Design, 21 Stan. Tech. L. Rev. 74 (2018).

[5] Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Research Center Internet & Technology (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.

[6] Thomas Pahl, Your Cop on the Privacy Beat, FTC Business Blog (Apr. 20, 2017), https://www.ftc.gov/news-events/blogs/business-blog/2017/04/your-cop-privacy-beat.

[7] Cisco, Consumer Privacy Survey the Growing Imperative Of Getting Data Privacy Right, Cisco 11 (Nov. 2019), https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf.

[8] Thomas C. Redman & Robert M. Waitman, Do You Care About Privacy as Much as Your Customers Do?, Harvard Business Review (January 28, 2020), https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do.

[9] Kelly D. Martin et al., Data Privacy: Effects on Customer and Firm Performance, 81 Sage Journal of Marketing 1, 36-58 (2017).

[10] 15 U.S.C. §§ 6501–6506.

[11] 15 U.S.C. §§ 6801-6810.

[12] Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L. 104-191, Aug. 21, 1996, 110 Stat. 1936).

[13] Cal. Civ. Code §§ 1798.100-1798.199.100.

[14] 15 U.S.C. § 45(a)(1).

[15] Federal Trade Commission, Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, Federal Trade 12 (2016), https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf.

[16] Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 606 (2014).