Page 63 - Cyber Defense eMagazine August 2023
in the states of Iowa, Indiana, Tennessee, Montana, Florida, and Texas have each passed more
comprehensive state consumer data privacy laws with more laws contemplated in even more states.
These state consumer data privacy laws require companies to provide information to the public about the
information they collect, why they collect that information, what they do with the information, with whom
they share that information, if they sell that information, how they protect that information, and when they
delete that information. These statutes also provide the public with certain rights concerning the data that
is collected from them by companies, including the right to know what information is collected, to delete
information, to prevent the sale of information, to correct erroneous information, and to transfer their
information to another business. Regulations require that this information be provided to
the public prior to or at the time the information is collected.
Because commerce is increasingly conducted via the internet and mobile applications and since almost
every company has a presence on the internet or a mobile application, website and mobile application
privacy policies have become a key way companies can satisfy the requirements of these data privacy
laws by making the required disclosures and allowing for inquiries to be made from the public. This
elevates the importance of the privacy policy to one of the key documents in this entire regulatory process.
For all companies, the privacy policy is key to satisfying regulatory obligations. But for companies
operating in multiple states, the privacy policy must do more than simply report on the activities of the
company—it must simultaneously satisfy multiple, specific regulatory requirements under multiple laws.
Crafting a compliant privacy policy to meet the requirements of the increasingly complex patchwork of
state consumer privacy regulations in place in the United States requires considerable analysis and
consideration. These privacy policies must be thorough and attentive to all laws and regulations
applicable to a business both currently and in the foreseeable future. They must be accurate (as false
statements concerning data privacy practices can be considered an unfair or deceptive practice by the
Federal Trade Commission and create liability for the company). And they must be updated regularly to
account for the changing practices of the company and various laws. For too many companies, the
thoroughness, attentiveness, accuracy, and contemporaneity required by these statutes and regulations
are not reflected in their privacy policies, which leads to problems with the second reason these policies
are so important.
The second reason that privacy policies are important is that they are a revealing window into the
compliance operations of a business. As state regulations and laws have increased regarding consumer
data privacy, so too has the need to enforce those regulations and laws. Doing so requires information
on a company’s data collection, use, protection, transfer, and deletion practices - all information found in
a well-crafted privacy policy.
For those working in data privacy and working with the ever-increasing regulations concerning the
collection, use, protection, transfer, and deletion of consumer data, privacy policies are particularly
enlightening documents. As noted earlier, because most companies’ compliance activities are internal to
the organization and not readily ascertainable, without an audit of a company’s compliance program, it
can be difficult to assess the thoroughness, thoughtfulness, and sophistication of a company’s
compliance efforts. A privacy policy can provide insight in these areas. By examining the public privacy
policy posted by a company on its website or mobile application, a regulator can quickly and accurately
assess the compliance maturity and sophistication of the company. For a person familiar with data privacy
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.