Privacy and Data

Drafting a Privacy Notice

How well we communicate is determined not by how well
we say things, but how well we are understood.

Client: Webflow.com
Release Date: September 14, 2018

This checklist simplifies the process of developing a privacy notice into 6 steps and provides insight on key points to consider while drafting.

Step 1: Gather Information

Engage key employees who know how the business collects, stores, uses, and discloses personally identifiable information ("PII"). Keep in mind that employees with relevant knowledge may sit in various departments.

Step 2: Identify Legal Requirements

Consult FTC rules, state laws, and regulations. Businesses should also be aware that certain industries, types of personal information, and advertising techniques may carry additional obligations.

At a minimum, it is important that the business meets the following standards:

  • Provide notice, awareness, and transparency in privacy practices (e.g., in a privacy notice);
  • Give consumers a cost-free way to opt out of the business using or maintaining their PII;
  • Allow consumers to access and correct their PII; and
  • Maintain PII accurately and securely.

Step 3: Format the Notice

When drafting the privacy notice, tailor its format to fit the business' needs and structure. For example, a simple notice may be clearly presented in one document, whereas a more complex notice may be easier to follow when divided into segments. Keep in mind that certain industries have sector-specific format requirements or standards.

"Do not use a template approach that ignores the business' actual practices."

Step 4: Draft the Notice

Write the notice in plain, clear language so that readers can readily understand it.

The notice should include the following information in separate and distinct sections:

  • Describe the notice's scope;
  • Describe what types of PII the business collects;
  • Detail how the business collects, uses, and shares PII;
  • Include specific call-outs for sensitive data, automated collection, and tracking technologies;
  • Provide sector- or geographic-specific disclosures;
  • Share details on individual choice, opt-out, or access mechanisms;
  • Detail the data security standards or practices followed;
  • Describe how revisions and updates to the notice are handled; and
  • List contact information and explain how to register complaints.

Review the draft notice with key stakeholders to ensure it matches actual business practices.

Step 5: Publish the Notice

Clearly and conspicuously label the notice so it is easy for consumers to locate. Businesses should also consider whether additional delivery requirements apply. For example, GLBA, HIPAA, COPPA, and certain state statutes set specific delivery requirements for their notices.

Step 6: Post-Publication

Update the notice regularly to reflect changes, and communicate those changes to consumers. Always retain copies of past versions.
