Blog

What to include in your US privacy notice

Privacy notices are ubiquitous; however, their required contents vary from jurisdiction to jurisdiction

Bex Evans
Product Marketing Manager, CIPP/E, CIPM
June 13, 2023


Transparency should be a central part of any privacy program, particularly if your business is at the beginning of its privacy journey. Not only is transparency a key component for businesses looking to build trust, but it is also mandated under almost every modern privacy law – most commonly through privacy notice requirements.  

Privacy notices represent one of the most highly visible aspects of your business’s privacy program, giving consumers information about how their personal information is used, their rights with respect to their personal information, and the third parties that personal information is shared with, among other things. They are also one of the most highly visible areas for regulators to assess your privacy practices.

For example, violations relating to privacy notice failures are among the most enforced by national data protection authorities. As a result, it is important to understand your obligations for what information you must provide, how you must provide it, and when. Beyond compliance, a robust, clear, and accessible privacy notice can give your organization the opportunity to communicate your privacy practices and is an important touchpoint for building a trusted relationship with your customers. 

The benefits of having a clear and accessible privacy notice are plain to see; however, drafting and maintaining privacy notices presents several pitfalls for your business. Keep reading to learn more about what privacy notices are, what you should include in yours, and how you can implement privacy notice best practices for compliance with US state privacy laws.

 

What is a privacy notice? 

A privacy notice is a public-facing disclosure that describes how your business collects, uses, shares, and stores personal information, and it is typically presented through a business’s website, mobile apps, and other web properties. Generally, privacy notices should be presented to the consumer at the time of, or prior to, the collection of personal information.

The central purpose of a privacy notice is to inform individuals about how their information will be processed, and most privacy regulations provide businesses with a list of specific disclosures that must be presented to consumers. In the context of US state privacy, this typically includes the categories of information being collected, the purposes for which they are being collected, the categories of third parties to which personal information will be made available, and information about how consumers can exercise their rights. Understanding state-specific requirements and ensuring that the information is presented in a clear and understandable format is essential for fulfilling your transparency obligations and upholding the consumer’s right to be informed.

Privacy notices are one of the first areas that should be addressed when developing a privacy program for compliance with US state privacy laws and must be regularly monitored to keep up with regulatory updates. It is also important to note that privacy notices should not be confused with privacy policies, which are internal documents that set the foundations for personal information management within the organization. 

 

What should a privacy notice contain? 

When approaching privacy notices for US state privacy, the first question to ask is, “What should I include?” The answer: it depends. All current US state privacy laws contain provisions for privacy notices, and while the need to present consumers with a privacy notice is consistent, what to include is not.

The nuances of privacy notice requirements from state to state mean that a one-size-fits-all approach does not necessarily apply. However, businesses operating in multiple jurisdictions may choose to include information that satisfies the most stringent privacy notice requirements. To take either approach, you must first understand what is required in each state. The table below gives a snapshot of the types of information your privacy notice must contain under each state law (X = required).

Requirement                                             California  Colorado  Connecticut  Iowa  Utah  Virginia
Categories of personal information                          X          X          X         X     X       X
Purposes for collection/use                                 X          X          X         X     X       X
Sources of personal information                             X
Categories of information shared with third parties         X          X          X         X     X       X
Categories of third parties                                 X          X          X         X     X       X
How to exercise consumer rights                             X          X          X         X     X       X
How to appeal a decision relating to a consumer request     X          X          X         X             X
Contact details of the business/controller                  X                     X

Looking at the similarities between US state privacy notice requirements, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) is a marginal outlier: it alone requires businesses to include information about the sources from which personal information was collected.

However, across all six state privacy laws, there are three constants that should be included in your privacy notice: categories of personal information, purposes for its use, and categories of third parties with which personal information is shared.  

  • Categories of personal information: Inform consumers of the broad types of information you might be collecting, such as names, addresses, dates of birth, etc.
  • Purposes of use: Explain as clearly as possible how you intend to use the information, what purpose you have for its use (e.g., sale or share, advertising, mailing lists), and how long you intend to keep this information for the intended purposes.
  • Categories of third parties: Include the types of third parties that you need to share personal information with to fulfill your intended purposes, such as service providers, government agencies, or legal advisors. Make sure you disclose and link each category of personal information with the category of third parties you share that type of personal information with.

It is important to take your audience into account when providing this information and ensure the language used is understandable and free from technical or business jargon. 

 

CPRA employee notices 

The CPRA extended the CCPA applicability by bringing employee information into scope in California, requiring businesses to also recognize the extended range of rights granted to employees in relation to the use of their information and the different purposes for processing personal information in this context.   

As a result of the expanded scope of the CCPA (as amended), businesses must also ensure they have a privacy notice that focuses on the unique aspects of the employment relationship and provides employees with information about their rights and protections under the CCPA (as amended).  

For employers who collect and process the personal information of California employees, an employee privacy notice should have several additions to a typical privacy notice that specifically address the collection, use, and disclosure of personal information in an employment context.

 

Operationalizing privacy notices for US privacy 

Understanding your requirements is key. Putting them into practice is essential – and OneTrust can help.  

OneTrust Privacy Notice Management can help you to draft your privacy notices in one centralized dashboard and give you control over how you manage your privacy notices across regulations, languages, and digital properties. OneTrust Privacy Notice Management allows you to scan your websites and apps to identify where notices need to be presented, while utilizing integrations to push notices live at relevant touchpoints.  

Request a demo to learn more about how OneTrust Privacy Notice Management can help you to operationalize privacy notices for compliance with US state privacy laws.  
