At Wiland, our clients often ask us what they should be doing to ensure their compliance with today’s complex patchwork of state consumer data privacy laws—including the 15 state general consumer data privacy laws that are in place or will come into force over the next three years. We’ve worked to address these client concerns in previous entries in the Wiland Blog, including discussing the basic contours of new data privacy laws, providing timely updates and suggestions on how organizations can comply, and noting specific marketing and fundraising challenges associated with the evolving definition of sensitive data.
Today, we’re highlighting another crucial aspect of data privacy compliance that we informally refer to as “painting the front door.” It’s a practice that acknowledges that your organization’s formal compliance with legal requirements and the positive consumer perception that results from your commitment to the ethical use of data are of equal importance to your continued success.
What is Painting the Front Door?
Simply put, “painting the front door” means that you are mindful that what you present to parties outside of your organization will be assumed to represent your approach to data privacy and ethics, and so it must be compliant with applicable laws and also something with which you are comfortable. When thinking about this concept, consider the following questions:
- What data privacy-related language and options do consumers and regulators see when they visit your website?
- Are all of your data privacy statements, disclosures, and other necessary documentation up to date and easily accessible?
- How easy is it for consumers to submit data privacy questions and requests?
- Are the choices available to consumers regarding the use of their data clearly stated?
- Is all of your external-facing data privacy language and related user experience consistent with your brand voice and synonymous with your organization’s mission?
When you purposefully address these questions, you ensure that it’s clear to all external parties that you are taking data privacy seriously and that you are committed to establishing and maintaining consumer trust in your organization.
In this “front door” metaphor, the “painting” isn’t merely cosmetic. It’s ensuring that the externally visible components (the “front door”) of your data privacy program match the robustness of your organization’s commitment but don’t overstate or exaggerate it. In addition, no two front doors are painted alike. Yours should represent your organization’s unique and ownable position on the importance of proper data use and stewardship.
Before you get out your paintbrush, though, there are two important components that must be in place and in practice—your technical data privacy program and legal data privacy program. This is the crucial operational work done behind the door that facilitates the publicly visible aspects of the privacy program that your organization displays. What follows is a discussion of each of these branches, along with practical advice on how to address them in your privacy strategies.
Your Technical Data Privacy Program
Having clear objectives is crucial to ensuring that your technical data privacy program—the ins and outs of how the data that you possess and process is stored and utilized—is up to snuff in functionality and compliance. There are two considerations that should always be top of mind for marketers and fundraisers as you approach your technical data privacy requirements:
- Do right by consumers, your external stakeholders, and your internal stakeholders. Compliance begins with this genuine desire to respect others. You cannot fake this. If your organization doesn’t have a policy of doing right, fabricating one for “window dressing” will likely only make matters worse in the end.
- Satisfy your legal obligations under all applicable laws. This has become extremely difficult in recent years due to the evolving patchwork of state data privacy laws and a vacuum of federal standardization. Nevertheless, it is foundational to a successful data privacy program.
In most cases, committing to these two principles should be enough to protect your organization in technical data privacy matters. But there are additional, more specific goals that can bolster your technical data privacy foundation even further:
- Demonstrate your commitment and compliance with reporting, statistics, and documentation.
- Create a distinct, standalone data privacy program that is continuously active through business growth and other staffing changes.
- Optimize your organizational efficiency in data privacy procedures to minimize expenses, effort, and problems.
Each organization must determine the appropriate steps to best meet these objectives. To help you in these efforts, there are many good examples, standards, and frameworks available, such as the widely used U.S. National Institute of Standards and Technology (NIST) Privacy Framework. Built on nearly a decade of experience with NIST's Cybersecurity Framework, this model provides practical guidelines for qualitative and quantitative assessment of a privacy program. It considers a handful of typical privacy practices, including:
- Identify: Know what data you hold and process, along with why and how you do so.
- Govern: Set privacy policies at the organization level.
- Control: Develop, implement, and enforce the practices needed to successfully meet the policies you have set.
- Communicate: Establish individual and organizational connections to help controls succeed.
- Protect: Properly safeguard data from unauthorized access (reflective of the framework’s cybersecurity pedigree).
To assess maturity and determine necessary enhancements, corrections, and next steps, the framework then recommends that you evaluate each area within your organization and assign your program one of four grades:
- Partial: You know the things that you must do and are trying to make them happen.
- Risk-Informed: You are identifying the most critical activities to your organization and getting executive buy-in to address them.
- Repeatable: Your privacy practices are documented, executed consistently, and in priority order.
- Adaptive: Your privacy program satisfies current needs and is ready and able to accommodate changes and future needs.
Regardless of your data privacy goals and how you measure them, it’s vital that you actively plan and manage your privacy program. That’s the only way to keep up with the evolving state of modern data privacy and ensure your consistent organizational compliance.
Your Legal Data Privacy Program
Working to maintain legal compliance with today’s myriad state data privacy laws can feel daunting. One of the basic starting points for moving toward a mature, effective data privacy program is carefully considering the information and language that you present publicly on the topic. Here are a few key considerations that we’ve uncovered at Wiland as part of our own commitment to upholding the highest caliber data privacy compliance and ethics:
- Perform a tag, button, and signal audit, as several new state laws may require that additional actions be taken within your website and other digital properties. For example, if you “sell” data to third parties or “share” it with them, California requires a very specific button or link to be included on your site. Several states, including California, Colorado, Connecticut, and others, require in certain circumstances that you recognize a signal from consumers’ browsers asking that you exclude them from these activities. Partner or third-party technologies used on your website, if not configured carefully, can themselves be considered by these laws to be “selling” or “sharing” data. Regulators can spot such issues easily using automated scans, so it is important to know which technologies on your site allow data to be used for third-party marketing in any way.
- Make sure your internal team is prepared and practiced. Consumers have a number of data-related rights under new state laws, and organizations are required to provide methods for exercising those rights. From website forms to toll-free phone numbers, make sure that your methods are easy to use, gather all the data you need, and present a reasonable process for consumers to make inquiries. If there is an email address listed to contact you, make sure you know who receives the email, that they know how to handle basic requests and questions, and that the process works as seamlessly as possible. Think through answers to common questions you have received or expect to receive so that you can consistently, politely, and accurately respond to inquiries.
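As an added illustration of the tag, button, and signal audit described above (example code, not Wiland's own tooling), the following Python inventories third-party script, iframe, and pixel hosts on a page, checks whether an opt-out link is present, and shows how a server can recognize a browser opt-out signal. The sample HTML, the first-party host list, and the opt-out link phrases are constructed assumptions, and the browser signal is assumed to be the Global Privacy Control header (Sec-GPC: 1).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of first-party hosts; any other host counts as third party.
FIRST_PARTY_HOSTS = {"www.example.org", "example.org"}
# Constructed sample page: one first-party script, two third-party tags, a pixel.
SAMPLE_HTML = """
<html><body>
<script src="https://www.example.org/js/app.js"></script>
<script src="https://cdn.adnetwork-sample.test/tag.js"></script>
<iframe src="https://social-widget-sample.test/like"></iframe>
<img src="https://pixel.tracker-sample.test/p.gif" width="1" height="1">
<a href="/privacy-choices">Your Privacy Choices</a>
</body></html>
"""

class TagAuditor(HTMLParser):
    """Collect third-party resource hosts and link texts from a page."""
    def __init__(self):
        super().__init__()
        self.third_party_hosts = set()
        self.link_texts = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("script", "iframe", "img") else None
        if src:
            host = urlparse(src).hostname
            if host and host not in FIRST_PARTY_HOSTS:
                self.third_party_hosts.add(host)
        if tag == "a":
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and data.strip():
            self.link_texts.append(data.strip().lower())

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

def audit_page(html, opt_out_phrases=("do not sell", "privacy choices")):
    """Inventory third-party hosts and check for an opt-out link on the page."""
    p = TagAuditor()
    p.feed(html)
    found = any(ph in t for t in p.link_texts for ph in opt_out_phrases)
    return {"third_party_hosts": sorted(p.third_party_hosts), "opt_out_link": found}

def honors_opt_out_signal(request_headers):
    """True when the browser sends the Global Privacy Control header Sec-GPC: 1."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    return headers.get("sec-gpc", "").strip() == "1"
```

Running audit_page over each page template and logging the third-party host list gives you a baseline to compare against after any tag or vendor change.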
Disclaimer: Every organization must be the final judge of its policies and is solely responsible for its data privacy disclosures and practices. The information contained within this blog post does not constitute legal advice, and Wiland strongly encourages all organizations and clients to check with their own legal counsel with respect to any legal questions.