Is Your Privacy Policy Ready for 2020?

Sheppard Mullin Richter & Hampton LLP

Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about your privacy program and operations, and in particular about the non-CCPA parts of your privacy policy.

Under CCPA and general privacy laws, companies want to think about the accuracy of their privacy representations. One area that might be overlooked right now in our focus on CCPA is other statements in the privacy policy, like those companies might make about the US-EU Privacy Shield. Companies participating in that Framework should review the statements they are making about compliance with that program. As we have written about previously, organizations participating in Privacy Shield for data transfer must annually recertify compliance to the Department of Commerce. If your certification has lapsed, or you are not maintaining the underlying compliance required to participate in the program, certain statements in your privacy policy may be viewed as deceptive by the FTC.

Indeed, the FTC has continued to bring enforcement actions against companies falsely claiming participation in Privacy Shield. In early December, the FTC settled with four companies on this issue, bringing the total number of Privacy Shield enforcement actions to 21 since 2016. In one case, the company’s privacy policy indicated that it participated in the program, even though its certification had lapsed. In another case, the company stated in its privacy policy that it “agreed to adhere to the Privacy Shield Principles,” and that it would “comply with the” framework. It had also started an application with the Department of Commerce. However, it didn’t finish that process. The FTC found the statements made in the privacy policy misleading, insofar as they represented that the company was a participant.

Putting it Into Practice: As we enter into 2020, companies should keep in mind not just new laws like CCPA (and any others that might get issued next year). Existing privacy laws and principles also will continue to impact privacy statements. When updating and reviewing their privacy policies, businesses should take the opportunity to review their policies for accuracy, and should consider building into their privacy program methods for keeping their statements current.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
