Please note: the information presented below is not legal advice and is for informational purposes only.
I’m guessing the answer is probably never.
According to a Deloitte survey of 2,000 consumers, 91% of people consent to legal terms and services conditions without reading them. That number jumps to 97% for people ages 18 to 34.
As businesses who want to build trust with our audience, we need to show that we care about enabling our users to protect their personal data and be informed about how their data is used, stored, and protected.
Progress in the land of privacy
As someone who is passionate about data privacy, I’ve long dreamed of the day when people would read privacy policies and actually hold businesses accountable to them.
As we’ve moved so many of our daily interactions online due to the recent pandemic and quarantine, more people are finally starting to pay attention to their online privacy.
Though we still have a long way to go with getting individuals to do their own research before submitting personal data to apps and websites, the introduction of regulations such as the GDPR and the CCPA has forced businesses to take a step in the right direction with data privacy.
However, privacy policies still seem to be an afterthought for many organizations.
People not reading privacy policies in detail does not make having them any less important. They protect your business from potential lawsuits and massive fines if data is exposed. Plus, just because people aren’t reading the policies in detail does not mean they don’t actually care about their data being protected.
Plus, the recent transition of almost every daily activity to a virtual version, due to COVID-19, has sparked more interest in data privacy among users.
Who knows, people may even start reading privacy policies before clicking “accept.”
The move online and the risks that come with it
As we frantically scrambled to move our businesses, our schools, even our family dinners online during the early days of the pandemic, many people and businesses failed to look closely at the privacy risks associated with their actions.
Cillian Kieran, CEO and founder of privacy company Ethyca, wrote in the Harvard Business Review: “Across industries, teams with expertise in real-world spaces are rushing into digital ones where they’re novices and pumping huge amounts of user data into new systems.”
This is exactly what happened.
For many businesses to survive the pandemic and get quickly on track doing business in the newly virtual world, they were forced to jump into a variety of new tools they knew very little about.
From moving in-person events online to accepting contactless payments, businesses adopted new technology at an alarming speed and rarely did the necessary due diligence regarding how well these new tools protect the data and personal information they were collecting.
Unfortunately, every single solution put in place to transition to a virtual experience means risking the mismanagement of data or exposure of personal information.
Beyond just making sure the third-party tool’s privacy practices are legal and in line with your own, you are also responsible for informing your customers and subscribers of any changes to the way you process, store, or protect their personal information.
Every time you move a part of your business online without carefully considering how the data used in that process is managed, you are risking exposure and breach of this data.
While this may seem like something that could be a secondary concern to be dealt with after the immediate crisis at hand, that is certainly not the case.
A privacy breach could result in everything from PR nightmares to large fines and even lawsuits.
Bringing health information into the equation
This is about more than just using new tools for business transactions.
Many organizations are also collecting and sharing a brand new type of information they haven’t dealt with before: personal health information.
Due to COVID-19, many organizations are collecting information such as temperatures and known exposure to those positive for the virus. They’re also tasked with sharing if someone has tested positive with those who may have been directly exposed.
For example, if an employee tests positive for COVID-19, it may be necessary to disclose this information to other employees who may have been exposed to this person at work.
However, this information cannot be disclosed without the individual’s consent.
You’ll also need to be sure any COVID-19 related information about an individual is kept safe and secure, with access limited only to those who have permission to acquire it.
Your business may need to develop policies and procedures for disclosure of any COVID-19 related information about employees.
While privacy policies do not need to be written by a legal professional, you should consult one familiar with online data privacy practices and regulations to make sure your policy covers everything it should.
There are also some tips and tools available later in this article to help you.
The FTC is focused more on consumer protection than privacy, but the two are quickly becoming one and the same as so much of our lives now takes place online.
What this means is you can absolutely find your business in big trouble if you don’t take this seriously.
Because of the potential financial and reputation-related risks a data breach can have on an organization, many companies are taking the necessary steps to update their practices and policies due to changes prompted by COVID-19.
The policy covers how they store and share this information in a short and simple but comprehensive statement. It covers the necessary items which include how they will store, retain, protect, and share your data.
I’m sure at some point during the quarantine you’ve used Zoom to meet online.
While Zoom was one of the top apps people flocked to at the beginning of the health crisis, the company was soon criticized for many of its questionable privacy practices, including being accused of selling personal data, analyzing user videos for ads, and tracking people’s attention during calls.
The company updated its privacy policies to clarify some elements and stated that some features would be completely disabled, such as attention tracking.
While the attention tracking feature was not nearly as scary as most people took it to be, Zoom understood that its users felt jeopardized and knew that it was time for action.
All it takes is one informed person to question your privacy practices and adherence to your stated policy (or lack thereof).
Don’t expect regulators to be lenient due to COVID
Depending on those enforcing the regulations to be forgiving due to the current climate is not a safe bet. In fact, they will likely be more stringent due to the rapid and risky transition to mostly virtual business.
The Marriott Hotel Group was fined $123 million back in 2019 for failing to do the necessary due diligence regarding their data acquisition and storage. The risk of being fined only increases as more regulations come into play, such as the CCPA.
California Attorney General Xavier Becerra has shot down attempts to delay the enforcement of the CCPA, stating: “We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”
The regulations are real and important to abide by, regardless of where you are located or where you do business.
This doesn’t even have to be a time-consuming or overwhelming task. You can respect your subscribers’ privacy and minimize the risk of data exposure with a few simple steps.
Take a look at how your new third-party vendors handle data and privacy
Whether you’ve added a payment solution, webinar platform, or even started running ads for the first time (especially if you’ve started running ads for the first time), it’s important that you understand how each solution captures, stores, and protects the data it encounters.
One key thing to look for: your third-party solutions should not subcontract data to another data processor unless you’ve instructed them specifically to do this.
This is the only way to be sure your business is legally protected from anything a subcontracted vendor does with data.
Perform an assessment of your own data practices
A basic risk assessment, while a bit tedious, makes you think critically about making decisions that impact your data use, storage, sharing, and more.
Plus, if you are eventually charged with a violation of privacy, you will have documentation to prove you did take steps to mitigate risk of exposure.
There are even a variety of data protection impact assessment templates available, such as this one from the UK’s Information Commissioner’s Office.
The two things you should strive for in your privacy policy are clarity and simplicity. While you do need to cover all necessary aspects regarding data you collect, process, and store, you can do so in a simple and easy-to-understand format.
They help you create policies that automatically update when the laws change and are written by real people, not generated by an algorithm.
Editor’s Note: IMPACT may receive compensation from Termageddon if you sign up using the link included in this article. This in no way affects our recommendation.
Make sure there’s someone who owns data protection at your organization
As with most things, if there’s not one person responsible for “owning the thing” it likely won’t happen. This is even more important in times like these where changes are happening quickly and things easily fall through the cracks.
When you assign someone to be responsible for decisions regarding data, it means there will always be someone making sure data doesn’t get overlooked in the process.
Officially, this person is often called a data protection officer or DPO. Even if you don’t assign an official DPO at your organization, someone should be the main contact who is to be consulted before any decision regarding data or vendors is made.
Even if the person responsible isn’t well-versed in data privacy laws and regulations, you need someone to be the ultimate owner of making sure these things are indeed addressed, even if it means reaching out to your organization’s legal representative.
Ideally, this is someone who has a passion for data or is interested enough to stay educated on the topic, while not necessarily making it their whole job.
I do this for IMPACT!
Assign someone at your organization to be the owner of your data privacy practices and consult them before making any further decisions regarding technology and data.
Consider doing an audit of all the tools you use and exactly what data you collect, how it’s stored, and how it’s protected.