Having clear policies can help customers to trust you more, and will also ensure that your business appears transparent and honest. Customer trust is hugely important for retaining repeat business, and showing integrity when dealing with customer data goes a long way towards building that trust. So, it’s important that your customers are made aware of how you value their privacy, and of the internal policies that protect them and their information.
Let’s take a look at what privacy practices your business should have in place, and also how to let your customers know about them. We’ll also examine some common pitfalls that may crop up when you are figuring out how to share your privacy practices with your customers.
What Privacy Practices Should You Have In Place?
The exact contents of your policy will vary depending on both which jurisdiction you operate in and which jurisdiction your customers are from. In the US, there is no federal data protection law for users of websites or online services. In contrast, the European Union has a new, region-wide regulation coming into force in the next couple of years. Most jurisdictions are moving towards privacy laws that mirror, or at least borrow from, EU laws, with the US, in many ways, lagging behind.
- what information is collected, and who this information may be shared with
- how users can request changes to their information
- how “Do Not Track” requests of users are dealt with
- whether other third parties may collect information about users through the service
All of these requirements should form the backbone of your privacy practices.
Internal Business Policies
Aspects of your internal policy may be replicated for public view to build trust with your customers, but its primary purpose should be to set clear expectations for staff and to establish what kinds of behavior are appropriate.
Notifying Customers of your Privacy Practices
Clickwrap vs. Browsewrap
Here is an example of browsewrap from Reuters:
This method has generally been viewed as legally enforceable by the courts. Most businesses display a clickwrap agreement as a pop-up when the user arrives at the website, particularly in relation to cookies, or as part of their sign-up form when a customer creates an account or signs up to a mailing list.
Here is an example of clickwrap from Form Assembly:
You can see that when the user creates an account, they need to click the checkbox to agree before they can proceed. They have been provided “reasonable notice” of the policy, and there is clear agreement.
Making Changes to Your Policy
Another acceptable method is to post a notice on your website in a conspicuous location that tells your users that your policy has changed, such as this message from Twilio:
Sharing Internal Policies
Finally, consider whether you want to share your internal privacy practices and ethics with your customers. If your business has a strong privacy protection ethic, this can be valuable in helping to build confidence among your customers and associate your brand with integrity and trust. For example, the Chevron Business Conduct and Ethics Code contains a section on data privacy that sets out how they expect their employees to behave:
Note that Chevron sets out clearly that relevant laws should be followed, but also that employees should respect confidentiality, use data properly and within authorized uses, and should only process personal data if there is a “legitimate business reason” to do so. They also note that “only the personal data needed for the task at hand” should be collected, and no more.
Releasing a document such as this shows how Chevron intends data privacy issues to be treated within the company, which can help customers to feel more confident in the business.
Now let’s take a look at some common pitfalls when implementing these methods of sharing privacy practices.
The second common pitfall in sharing privacy practices with customers is not keeping on top of the rules. The law changes, and due to the increasing pervasiveness of technology, data privacy is a particular area of law that is developing quickly.
Finally, your business should be acutely aware of exactly who you are collecting data from. For example, EU citizens are subject to EU data protection regulation, even if your company is not based in the EU.
This means that if you are based in the US, but collecting the data of EU citizens, or there’s a chance you might be, you need to comply with EU law for the collection, processing, and storage of their data. If you aren’t even aware that you are collecting the data of EU citizens, you won’t be able to comply, and may face fines or penalties.
Be careful of common pitfalls, and ensure that you always keep up to date on your legal obligations.