Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about your privacy program and operations, and in particular about the non-CCPA parts of your privacy policy.
Under CCPA and general privacy laws, companies want to think about the accuracy of their privacy representations. One area that might be overlooked right now in our focus on CCPA is other statements in the privacy policy, like those companies might make about the US-EU Privacy Shield. Companies participating in that Framework should review the statements they are making about compliance with that program. As we have written about previously, organizations participating in Privacy Shield for data transfer must annually recertify compliance to the Department of Commerce. If your certification has lapsed, or you are not maintaining the underlying compliance required to participate in the program, certain statements in your privacy policy may be viewed as deceptive by the FTC.
Indeed, the FTC has continued to bring enforcement actions against companies falsely claiming participation in Privacy Shield. In early December, the FTC settled with four companies on this issue, bringing the total number of Privacy Shield enforcement actions to 21 since 2016. In one case, the company’s privacy policy indicated that it participated in the program, even though its certification had lapsed. In another case, the company stated in its privacy policy that it “agreed to adhere to the Privacy Shield Principles,” and that it would “comply with the” framework. It had also started an application with the Department of Commerce. However, it didn’t finish that process. The FTC found the statements made in the privacy policy misleading, insofar as they represented that the company was a participant.
Putting it Into Practice: As we enter into 2020, companies should keep in mind not just new laws like CCPA (and any others that might get issued next year), but also existing privacy laws and principles, which will continue to impact privacy statements. When updating and reviewing their privacy policies, businesses should take the opportunity to review their policies for accuracy, and should consider building into their privacy program methods for keeping their statements current.