5 Tips for Increasing Transparency (About Data Practices & Privacy) on Your Website

November 20, 2021

Earlier this year, data associated with 700 million LinkedIn users (that’s 92% of users) was posted for sale on the dark web. The data provided included email addresses, full names, phone numbers, personal and professional experience, gender, and geolocation records, amongst other things. LinkedIn has maintained that this event was a violation of their terms of service, not a data breach, since it involved the scraping of publicly available data, not the taking of private information (read our post on data scraping to find out the difference!).

While LinkedIn may not be required under existing data breach notification laws to notify affected individuals that their personal information was involved in a large-scale data scrape, events like this are likely to affect consumer trust in your company. Increasing transparency about your data practices and privacy is an important step in managing the reputational (and legal) risk that comes with collecting, storing, using, accessing, or transferring personal data. It is also widely recognized as a core principle in privacy and data protection. Both the European Data Protection Supervisor and the 7 Foundational Principles of Privacy by Design hold that transparency is key in any data protection and privacy program. 

So, how can your business increase transparency about data practices and privacy on your website? 

Make it Easy for Users to Manage Their Privacy Settings. 

Consumer demand for transparent and straightforward management of their personal privacy is growing in many jurisdictions around the world. Your company should prioritize making privacy management simple for users. Our quick tips for this are as follows: 

  • Collect only what you need from your users. This streamlines the management of that data for the user and your business. 
  • Consider creating a ‘privacy center’ within the user account settings. The ‘privacy center’ should contain a copy of the privacy policy and terms of use, as well as relevant privacy management settings allowing users to access, update, and delete their personal data and opt out of certain uses of their personal data (such as the sale of their personal data to third parties).
  • It may be useful to include a user’s subscription settings here if your company sends out marketing emails.
  • You may also want to answer some FAQs about your company’s privacy and data security practices to build additional trust with your users. 

Bear in mind that you may be required to provide some of this functionality if you fall within the scope of certain laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR). Even if you aren’t covered by these laws, though, it can be worthwhile making it easy for users to manage their privacy settings on your website.

 

 

Use Clear, Concise Language When Describing Your Data Practices. 

Businesses covered by the CCPA are required to give consumers a notice at collection and to include details of consumers’ privacy rights and how to exercise them in their privacy policies. However, you may wish to describe your company’s data collection and privacy practices on your website even where you aren’t covered by the CCPA to align with consumer expectations.

Your company’s data collection and privacy practices should be clearly outlined in a notice at collection and expanded upon in your privacy policy. You should use clear and concise language whenever and wherever you describe your data practices. Good practices include: 

  • Use words and phrases that are commonly used and easy to understand in the place of jargon, wherever possible. 
  • Make sure the layout of your documents makes sense, and include features to make the material searchable and easy to navigate.

 

Avoid Dark Patterns on Your Website.

“Dark patterns” refer to user interface features or designs on websites and mobile apps that trick, manipulate, or confuse visitors. They are problematic because they are capable of tricking users into providing personal information where they may not have otherwise chosen to do so or hiding settings that would allow them to control their privacy. 

Dark patterns that prevent or mislead users trying to exercise their right to opt out of the sale of their personal information (a right granted to California residents under the CCPA) are not permitted in California. Businesses are required to make accessing the opt-out notices easy, including via a “Do Not Sell” link in the footer of the webpage. (Read more about California’s law on dark patterns here).

However, removing dark patterns from your website for all privacy management can help to build consumer trust and confidence. The ‘Privacy Center’ we outlined in Tip 1 should be clearly visible, marked with reasonably sized font, and easy for users to access in an easily navigable location on the website. It should be named something clear and jargon-free, like ‘Privacy settings’ or ‘User Privacy’, and it should be accessible within one click once the user has logged into their account.

For businesses with an email marketing list, it is a good practice to allow users to unsubscribe in as few clicks as possible and without needing to log into their account. 

 

Detangle Consent from User Terms and Conditions. They are not the same.

The Terms and Conditions, also known as Terms of Use or Terms of Service, on your company’s website outline the rules for your website’s users. Most Terms of Service statements include a limitation of liability, permitted use, copyright, and the governing law for the website. These have the effect of adding legal protection, safeguarding the content you have on your website, and increasing the transparency on your website. 

User consent, on the other hand, may be collected through just-in-time notices at the point of collection or where users agree to privacy policies or the collection of cookies. Sometimes passive consent – such as choosing to provide information after having been informed of how it will be used, or continuing to use a website or mobile app after being informed of how to view its privacy policy – can suffice. However, in certain circumstances, you must obtain a user’s affirmative, opt-in consent on both web and mobile apps. For instance, you may need affirmative opt-in consent for setting cookies, sending marketing communications, and collecting information from children. To be safe navigating the nuances, consult with legal counsel. When in doubt, be aware that for consent to be valid (in accordance with the GDPR and various other privacy laws), it must be freely given, informed, unambiguous, specific, and obtained via clear, affirmative action.

 

Make it Easy for Users to Delete Their Data and Their Accounts.

A limited “right to be forgotten” is granted to California consumers under the CCPA but, again, consumers generally expect to be able to manage, update, and delete their data regardless of the company’s legal obligations. 

Under the CCPA, businesses are required to designate at least two methods for users to submit their request to be deleted. This can be a toll-free number, email address, webform, or hard copy form. But we suggest making it simple for users to delete (and manage) their data and accounts via their online settings. It should be possible for users to do so in 2-3 clicks after accessing their privacy settings within their account. The ‘Delete Data’ and/or ‘Delete Account’ functionality should be easy to find, free of jargon, and easy to access for users.

The CCPA outlines that users who do not have an account must be permitted to submit a request to have their personal information deleted without creating an account.  Businesses can achieve compliance here by making any two of the following easily accessible for users: a toll-free number, email address or hard copy form, or webform. Again, digital methods may be most appropriate for businesses with a website. 

 

Need Help? Ask Us!

If you need assistance navigating privacy and data protection best practices or increasing transparency on your website, get in touch. Our privacy attorneys would love to help!

Otherwise, if you have any questions, comments or suggestions for future topics, let us know either in the comments on the social media post sharing this content or via email at info@cgl-llp.com 

 

See us back here next week for 5 more tips! 

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
