July 24, 2024
Practical guidance
Is a Privacy Policy Enough to Be Compliant?
Posting a privacy policy is an important part of data privacy compliance, but there's a lot more to it. Find out what else is required for your business.

Whether it’s for the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), or other data privacy laws, businesses generally (and understandably) want to take the simplest route to compliance. For many, it’s tempting to say, “We already have a privacy policy on our website, so we’re good on compliance.”

It’s important to know, however, that a privacy policy alone does not make your business compliant with the CCPA, GDPR, or other data privacy laws.

What Your Current Policy Is Missing

It’s true that a big part of data privacy compliance centers around making certain disclosures on your website, but if what your business currently has on its website is a generic privacy policy generated by a free online service, it almost certainly does not meet current data privacy standards. Each of the data privacy laws has its own set of specific requirements and definitions that must be adhered to, and a generic privacy policy isn’t going to hit on all of these points.

You might be thinking, “But our policy generator has separate modules for the CCPA and GDPR.” This gets to a more important point: The disclosures required by data privacy laws aren’t just empty recitations of boilerplate language; they require a deep dive into your business’s current practices. Like the proverbial tip of the iceberg, they are the outward manifestation of a lot of behind-the-scenes work.

Here are just a few examples of the questions you may need to answer:

  • Do all of your vendors have the required service provider or processor documentation? If not, can you still use them?
  • Are you processing any categories of personal data that require special protection?
  • What is your lawful basis for each type of processing?
  • Are you using data in a way that is considered selling or sharing? (Hint: If you use targeted advertising, the answer is yes)
  • Which processing activities may need to be restricted upon request?

These kinds of analyses require a careful look at the day-to-day operations of your business and often involve multiple stakeholders (Marketing, HR, etc.). There are ways to streamline the process (learn more below), but you definitely can’t skip it.

Compliance Goes Beyond a Privacy Policy

Even if you have a privacy policy that contains all the required disclosures, compliance doesn’t stop there. There are a number of other requirements you may need to meet, e.g., logging consent from website visitors or maintaining sufficient security measures. The biggest one by far is responding to privacy requests from consumers.

Every new data privacy law since the GDPR has included the right for consumers to make certain requests regarding their information, such as deletion, access, or correction of data. While these requests may seem straightforward, in practice they can be quite complicated. In response to a deletion request, for example, you will have to consider:

  • What kind of verification procedure is necessary
  • Where all your data is stored
  • Whether you may retain all or some of the consumer’s data
  • Whether your vendors have a self-service deletion option or you need to submit a request to them
  • What to do if you can’t respond within the required timeframe

Being able to handle these requests in a timely manner requires a lot of preparation and organization, much of which functions in tandem with the work you did to create your privacy disclosures. By completing all of the back-end preparation in advance, you can respond to a privacy request in a way that is compliant and also much more efficient.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
