- Why are privacy policies important?
- What happens to your personal data?
- Which emails make the FTC angry?
- What is the CCPA?
Why Privacy Policies Are Becoming More Strict
All US states and the EU are implementing different privacy laws. This means jurisdictions have become much stricter in regulating what companies can put in their privacy policies, and what they can or cannot do with your personal data. Attorney Mo explains that the various jurisdictions want to make sure that companies are actually giving the consumer the correct information, with very specific details of how and when their information will be used.
Does Anybody Read Privacy Policies?
Use of Your Personal Data
Section 6, Use of Your Personal Data, is primarily a bullet point list of specific reasons and ways that Expensify can use your personal data:
- To help open your account
- To send you a welcome email to verify your email address
- To improve the user experience
- To respond to your inquiries
- To provide improved administrative services
Attorney Mo explains that this particular list is a narrow approach to drafting privacy policies, and she recommends broader, more generalized explanations. The danger a company runs by having a long and specific list is that consumers might believe it is the exact list of things the company does with their data: these activities and nothing more.
Making the document easy to read by using headers, sub-headers and bullet point lists is fine according to attorney Mo. But she recommends general paragraphs to explain each subject, including some examples that illustrate the broad explanation.
For example, the company might tell users that they would like to communicate with them about products and services and then give some examples. They might also explain they would like to use the information for marketing and advertising and provide more examples. This way the company is explaining in generalities and not tied to specificities.
Transactional vs. Marketing
Privacy policies, including this one, spell out how the company may contact you with certain notices about product changes, updates, technical matters, and even new products and services. Companies have a right not to provide service to you if you refuse to accept emails from them, and the FTC interprets what counts as marketing and promotional email very broadly.
However, attorney Mo says the FTC “gets angry” when companies send marketing and promotional emails and pass them off as transactional emails.
When sending commercial marketing emails in the US, companies are required to follow the FTC’s CAN-SPAM Act rules. The business must disclose if they are sending a marketing email and must give the consumer the ability to opt out of future emails.
European Disclosure Laws
While the FTC enforces federal laws regarding privacy policies and emails in the US, in 2016 the EU passed the General Data Protection Regulation (GDPR) on data protection and privacy in the EU. While many state laws have only a few paragraphs concerning data protection and privacy, the GDPR is an 88-page comprehensive document.
California is Different
While the EU has the GDPR, California has the CCPA to protect consumers’ data privacy. Attorney Mo explains that California’s CCPA is similar to the EU’s GDPR, but there are some differences in approach and language. As an example, California talks about the allowable commercial use of the data, while the EU focuses on the legal basis for using the data.
B. Additional Disclosures for California Residents
“To send promotional communications newsletters, personal interest pieces, interests for the Expensify community, and news about events, elections, and campaigns.”
Should you draft specific or general?
With the different jurisdictions and their various rules, attorney Mo explains that businesses usually choose one of two methods for drafting their privacy policies. Some choose to write specific and segmented policies, with notices of certain jurisdictional requirements. Others decide to draft a more general and broad-based policy as a floor and then provide additional, jurisdiction-specific notices to consumers in those areas.
Attorney Mo mentions the following practical tips:
- A general, broadly written policy with examples often works better than a specific bullet-point list approach.
- Make sure the company’s emails follow the jurisdictional law and rules. In the US, the FTC guidelines are relatively clear-cut.
THE GUEST: Irene Mo is an associate with Hintze Law working from the San Francisco Bay Area. She counsels clients on a wide range of privacy and data security issues, including conducting and setting up Records of Processing Activities and Data Protection Impact Assessments, implementing global data protection programs, and integrating privacy protections into emerging technology. She can be found on LinkedIn or Twitter.
THE HOST: Mike Whelan is the author of Lawyer Forward: Finding Your Place in the Future of Law and host of the Lawyer Forward community. Learn more about his work for attorneys at www.lawyerforward.com.
If you are interested in being a guest on Contract Teardown, please email us at email@example.com.
Irene Mo [00:00:00] They’ve gotten a lot stricter on what you actually put in the document to make sure that you are actually giving consumers the correct information with very specific details of how and when you’re using their information.
Intro Voice [00:00:12] Welcome to the Contract Teardown Show from Law Insider, where legal experts tear down contracts from some of the most well-known companies and high profile executives around the world.
Mike Whelan [00:00:57] Hey everybody, welcome to the Contract Teardown Show. I’m Mike Whelan. On this show we hang out with smart friends like Irene with the purpose of breaking down contracts and documents that are on the interwebs. Irene, how are you today?
Irene Mo [00:01:14] I’m good.
Irene Mo [00:01:45] So this document is important because it is what gives consumers notice that you are using the information, you’re collecting their information and the purposes that your company is using this information. And recently, with all the different states and then the EU coming up with their privacy laws, they’ve gotten a lot stricter on what you actually put in the document to make sure that you are actually giving consumers the correct information with very specific details of how and when you’re using that information.
Mike Whelan [00:02:21] And we’re using this specific one from Expensify, because hilariously, the CEO, I think his name is David Barrett, sent an email out to literally everyone telling people he thought you should vote for which in this very split America easily offended 30 percent of his his user base and maybe violated some privacy rules. So we’re using this one to talk about a bit what happened there, but more for drafting purposes. How do you write this in a way that CEOs don’t go off the deep end and threaten your entire company? Irene, why am I talking to you? What’s your background? Tell me a bit about you and then we’ll get into the document.
Irene Mo [00:03:00] Yeah, so I am a senior associate at Aleada Consulting, we are a boutique privacy and security firm, so I am a consultant. So what you might hear here might actually be a little bit different than what you hear from an attorney. So instead of giving legal advice, which, you know, sort of tends more on CYA, making sure to avoid every and all risk, we look more holistically at the business and do business risk. And of course, you know, because I am an attorney, standard disclaimer, nothing I say here represents my company and these are all my personal opinions. But, you know, basically that’s what I do. I look at the business as a whole, evaluate your risk and then give you advice based on that holistic view.
Mike Whelan [00:03:49] This is like the visual version of a retweet. I don’t like anything in the thing I’m retweeting. I haven’t even read it yet. I’m saving it to read later. So don’t hold Irene accountable. It’s the visual retweet. All right, here’s what we’re going to do. We’re going to go through specific sections of this document. But first, I wanted to give you a chance to talk about the overview of the thing. When you look at this document, this is intended for consumers, right? This is consumer facing. So if I’m writing this and formatting this, I’m trying to get it read. Do people actually read this thing when you look at it?
Mike Whelan [00:05:26] So going into specific sections, I’m looking down at number six in this document and it’s titled The Use of Your Personal Data, and it’s got a bullet point list. And under that, some paragraphs, and the list is fairly long. It’s fairly inclusive, talking about what they can do with your data. But you wanted to talk about a couple of these that refer to promotional communications. I’m seeing a bullet point that says to send, with your consent or where a friend has referred you to us, promotional communications, also hardcopy or electronic newsletters or surveys. There’s all the standard stuff that you would think of, and identify you as a member. I’m going to give you support. But talk to me about this marketing material line and why that kind of thing is written so expansively.
Irene Mo [00:06:13] Sure, so actually, in my opinion, if you look at the Expensify sort of like bullet point list, I think that this is a lot more narrow and discrete than I would usually draft it. I would usually do broad categories like to communicate with you about our products and services and then maybe give a couple of examples and then say for marketing or advertising and then give another seven examples. The way that this one is drafted, with such an extensive list, sort of gives the impression to the reader that these are the exact discrete activities that we’re using. This is like the whole set of them, which sort of very narrowly limited the scope that the company can use information for. With that being said, though, the marketing and the newsletter and promotional information, that is pretty broad. The FTC, you know, they take marketing promotional information very broadly. Where they do get angry is where a company tries to pass off marketing or promotional emails as a transactional email. And that means emails that are related to your account, for example, verifying your identity or contacting you about certain features that you have, billing, stuff like that. So the FTC can disagree with me. There were two supreme and they say something different. Like nothing I say here matters because it’s that Disney World. But where they get mad is when you try to pass off the commercial email as a transactional email, and you don’t include things that are disclosing that this is like an ad, or you don’t give people an unsubscribe option, because that’s the thing. Companies are free to, you know, not provide their service to you if you choose not to receive any emails from them, including your transactional emails. But if it’s a marketing or promotional email, you have to give the consumers a way to unsubscribe from those.
Mike Whelan [00:08:20] Yeah, and I’m looking through on the paragraphs that are below the bullet points and it talks about we may also use your personal data to send important notices to you. So to your point about the specificity of this particular list, you know, it seems like they’ve got this list and then they sort of try to go back and make it broad again, for the purpose of making sure that I’m doing the CYA right. If I’m the lawyer and not the consultant thinking about the CYA, you seem to be saying that it would have been better had they sort of kept things broad from the beginning. Would you not have put a bullet pointed list like this in the first place?
Irene Mo [00:08:58] No. So I think using a lot of headers, bullet point lists, those are sort of what makes it easy to read and friendly. What I would have rather done is have that paragraph that sort of lists what they do. And then you see how they use the words, such as where they, it’s sort of more like an example of what they do within that category of activities. I would rather they kept it sort of general like that, so that you are giving broad categories and meeting notice requirements. But, you know, people know that, like, these are just examples of stuff that you’re doing within that category and that, you know, this bullet point list is not the exact things that you do.
Mike Whelan [00:09:43] Yeah, I was wondering because later they get into a bunch of disclosures for specific jurisdictions. So I’m looking down at the Europe disclosures in 15. It says jurisdiction-specific provisions and it talks about Europe. And we’ll get into some other ones. But I’m looking at this and it says participation in the Privacy Shield, application of the Privacy Shield framework and Privacy Shield principles. Here they start getting more specific. Is it possible that the specificity early related to, you know, these other jurisdictions require something more specific? So let’s go ahead and give it for everybody and then do these European disclosures. Like, is there a relationship between what those jurisdictions require and the overall document? Does that make sense?
Mike Whelan [00:11:30] That’s interesting. So you might have done the opposite of what they did, meaning keep the overall document, because it’s the floor, as general and then give the specific disclosures for the jurisdiction, as opposed to let me go ahead and make an exhaustive list and try to include everything, and then my California paragraphs are really short.
Irene Mo [00:11:49] Yeah. I mean, it actually depends on the company and the information they collect and then their risk in each jurisdiction. So it sort of looks like here their biggest risk is the EU, because that jurisdiction-specific notice is the most expansive, whereas later on when we look at all the other ones, they’re just like a couple of paragraphs. So it just depends on the company and where their risk lies with their data.
Mike Whelan [00:12:17] Yeah. Speaking of that, tell me about the, there was something interesting under the California disclosures. There’s a paragraph that says we adopt this notice to comply with the CCPA and any terms defined in the CCPA have the same meaning when used in this notice. And then they have a like a definition section. This is what we mean in terms of California law. Do you know why that’s required? Why have a different definition section for California specifically?
Irene Mo [00:12:43] So California, the CCPA, has a lot of, sort of, what I would say are terms of art where they use different wording and definitions than the GDPR, for example. Those are the two basic laws that everyone is most concerned about, and the reason why the price, because the responsibilities that are defined in the CCPA versus the GDPR are different depending on how they classify your company. So the reason why they include that is because the statutory language in the CCPA is very specific. For example, they talk about sort of the way that you can use data as a business or commercial purpose, whereas in the GDPR you would say legal basis. So those are the different types of terminologies that really define what you can do within those laws.
Mike Whelan [00:13:39] I’m looking through, there’s different pieces of the California section, you know, they talk about collection, use and disclosure of personal information. There’s quite a few paragraphs. Anything else about California that we should know if we’re drafting that? We make sure we add sections like this, if we’ve made sort of a generalized contract and then are focusing on California.
Mike Whelan [00:14:54] Hmm. And then finally, they’ve got one in Australia. But again, I think to your point, we’re seeing a lot of this pattern where we say, OK, our document, you know, these disclosures are sort of the floor. We’re going to do the minimum for each jurisdiction and then we’re going to use our document to be used as widely as possible. And for an international company like this, it sort of has to be. So I want to get to principles. And in that, I want to talk about a little bit what the CEO did. And, you know, you tell me if you’re in the position where you’re the lawyer in-house trying to control this kind of thing. So this CEO, when this happened, was the founder. And at the time, when you’re the founder of a little bootstrap company trying to raise money, you can do whatever you want. Right. But when you become CEO, you’re an employee. And so I’m wondering for the purpose of drafting this kind of document, how do you set the CEO and the other people up in the company so that they don’t do things that could get them in big trouble in all these jurisdictions? Right. It’s not just that you wrote the thing, it’s that people have to have it incorporated in their brains.
Irene Mo [00:15:58] Right, so specifically for the GDPR, there are six legal bases on which you can process information, so you would want to make sure that whatever you list in your notice, your company is aware of that. So before a new product or like a new feature launch, you’d want to have it set up where, if your company isn’t in the habit of doing what we call data protection impact assessments, which is sort of assessing the privacy risks associated with the new product or feature, that at the very least the product team or the feature team is at least reaching out to the privacy attorney and saying, hey, this is what we’re thinking about doing, early on. And I think this is something that’s echoed with all in-house attorneys. We want to be brought on as early on as possible so that we’re not the no person at the end. So that sort of goes beyond drafting these governance documents, you really want to build a culture within the company that is privacy focused and what we like to call privacy by design, where you are building privacy into these products and into these processes so that it’s not an afterthought where there’s a scrambling at the end where we’re like, oh, crap, are we doing something with consumer data that we’re not actually supposed to be doing?
Mike Whelan [00:17:29] Yeah, I’m assuming to your point that a document like this, which is public facing, might be just the outer bounds, but then internally as a company, you’ve got to define some, you know, some point short of that, so that we totally avoid getting to that outer bound.
Irene Mo [00:18:45] I don’t think so. I think the way it’s, I mean, I don’t think it’s a hot take. I mean, I think there are multiple ways that, you know, if their attorney had to answer to a supervisory authority, whether it be the FTC or one of the supervisory authorities in the EU, I think there are multiple ways that this notice is written that would cover their political emails being sent out from the company.
Mike Whelan [00:19:16] Hmm. Yeah. Yeah, this one was, I mean, it definitely got out in the ether. If you look at Twitter, it seemed like everybody in the world received this email and had pretty strong feelings one way or the other. Well, I appreciate you talking to us about it. It is such an interesting lesson in lawyers do the thing where they write the thing and then you’ve actually got to go implement it with human beings. So it’s an interesting tale. We’ll have all these resources available at LawInsider.com/resources. Irene, if people want to get in touch with you to learn more about what you do and examples like this of practical lawyering, what’s the best way to reach out to you?
Irene Mo [00:19:54] I’m on Twitter, and then also a good way to connect is on LinkedIn.
Mike Whelan [00:19:59] Awesome, we’ll make sure that people have links to that. Remember, it’s lawinsider.com/resources. And if you want to be a contributor on the Contract Teardown Show, just email us. We’re at Community@LawInsider.com. We’ll see you guys next time. Thanks again, Irene.