Is there an ideal and foolproof Privacy Policy?
This is one of the most difficult questions to answer nowadays, especially considering all the jurisprudence already established in Europe with the GDPR, the extensive history of cases, and the numerous tips we see in the market, not to mention the judicial decisions that are already emerging in Brazil with the LGPD.
I'll answer you promptly: No. And I'll help you understand why.
I believe it is possible to develop a line of reasoning that can assist each one of us: entrepreneurs, DPOs, lawyers, third-party consultants, etc. Ultimately, everyone can have a clear understanding of how the game works to avoid being caught off guard.
Below is the logic behind a privacy policy and some principles to help you understand the game. They may even assist you in adapting your company and addressing any doubts that may arise along the way.
What makes a privacy policy better or worse?
To be as straightforward as possible: Does it accurately reflect the reality of data usage and flow within the company?
Here is the key to understanding any privacy policy: It must truthfully reflect the motivations and data flow in the company's routines.
Therefore, before we evaluate the quality of a privacy policy, it is essential to understand why it exists and its purpose. Is it becoming clearer?
In a simple and direct manner, I would highlight that a company's privacy policy is:
A public declaration of the objectives, interests, and responsibilities that companies have regarding the use and application of data, especially personal data, for the execution of their business model.
In other words, the guidelines provided in the privacy policy give us a real understanding of how that business operates regarding data usage and the actual commercial and/or legal purposes for which the data is used.
What do I need to know and map out to create my Privacy Policy?
In essence, it is not possible to structure a privacy policy without understanding the foundations of the business. Don't worry, I'm not complicating things for the sake of it, but rather showing you that without this knowledge, even a lawyer charging thousands of dollars per hour won't be able to assist you.
By the way, a good piece of information for you is that the privacy policy does not necessarily need to be written by a lawyer or in "legalese." According to the LGPD, before anything else, it must be clear, educational, and easily readable for the data subject. So, whether it's you, your lawyer, or anyone who understands the processes, purposes, or legislation of your market, it's all good. Prioritize readability, clarity, and the ability for any visitor or customer accessing your platforms to understand and interpret the information.
However, it is worth noting that we recommend at least seeking advice from a lawyer. There are certain criteria and potential complexities in the market that they can assist you with more adeptly. For example, the healthcare industry has specific legislation that already treats patient data differently, and therefore, it may sometimes supersede LGPD requirements.
We are in Brazil, my friend, so, as usual, everything depends on the specific circumstances.
Anyway, let's go through the essential points you need to know to create any privacy policy. Points such as:
3. Relevant laws governing the activities of players in the market;
4. Product and/or service portfolio;
5. Revenue streams and distribution channels;
6. Basic understanding of the company's organizational structure (headquarters and branches, size, number of departments involved, decision-making hierarchy, etc.);
7. Supply chain;
8. Sales and after-sales service;
9. Communication channels; ...
Without this initial detailed understanding, the privacy policy will be incomplete and consequently flawed.
For example, what good does it do if I state that I use data on Facebook, collect addresses, emails, and CPF (Brazilian individual taxpayer registry number) for signing up for my plan and for email marketing, with data disposal in case of opt-out, if there is legislation in my market that requires me to store this data beyond the data subject's requests?
I believe it is clear now how much information we need to consider. However, this should not discourage you! In fact, it is precisely the knowledge of these processes, or in other words, the understanding of the entire operation, that will give you greater confidence to determine whether the privacy policy is "good" or not. Again, it must reflect the reality and day-to-day operations of the company.
One of the tools/processes that can help you confidently structure the privacy policy is Data Mapping. If you don't have one yet or haven't considered implementing it, I'll summarize it for you in the link below.
Data Mapping: The Life Jacket for LGPD