Ed. Note: This is the eighth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP.  The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business.  The following excerpt was reproduced with the permission of the ABA.

***

Question: Should it be called a “privacy notice,” “privacy policy,” “information notice,” “privacy statement,” or something else?

Companies use different names to describe the document that discloses their practices in relation to the collection, use, and disclosure of personal information.  Some of these include “Privacy Policy,” “Privacy Notice,” “Privacy Statement,” “Privacy Center,” “Information Notice,” and “Data Protection Notice.”

Statutes have been equally inconsistent in their use of terms.  For example, the California Online Privacy Protection Act (CalOPPA) refers to the creation of a “privacy policy” but acknowledges that the document can be described via a text link to consumers in any manner so long as the link “[i]ncludes the word ‘privacy.’”1  The CCPA does not, itself, require a privacy policy, but the Act refers to the fact that some businesses may have an “online privacy policy” and states that certain information must be disclosed in that document “if the business has an online privacy policy or policies . . . .”2  The regulations implementing the CCPA, on the other hand, state that “[e]very business that must comply with the CCPA and these regulations shall provide a privacy policy in accordance with the CCPA and [the regulations].”3  As with CalOPPA, the CCPA’s regulations require only that the document be labeled with the word “privacy.”  The European GDPR refers to the obligation of a controller to provide “information” to data subjects and does not reference explicitly either a “policy” or a “notice.”  In its interpretation of the GDPR, the Article 29 Working Party typically referred to a website “privacy statement” or a “privacy notice” but recognized that “commonly used terms” by organizations included “Privacy,” “Privacy Policy,” “Data Protection Notice,” and “Fair Processing Notice.”4  The U.S. Federal Trade Commission, which is often looked to as the primary federal data privacy regulator for most companies in the United States, has used the terms “privacy notice” and “privacy policy” interchangeably.5

The net result is that companies can choose how they want to label their disclosure of privacy practices, so long as their label would be understood by a reasonable person.

From a practical perspective, many companies maintain internal policies that are not intended to fulfill the function of notifying data subjects of the company’s privacy practices.  For example, a company might have a “privacy policy” focused on the company’s commitment to comply with certain privacy laws, or one that sets up an internal structure for managing privacy within an organization.  A company might also have a “privacy policy” that discusses whether, or how, the company monitors the email of its employees, or a “privacy policy” that discusses the type of information that will be shared with managers or supervisors.  It can be confusing to create an external “privacy policy” when other “privacy policies” exist for internal operations and procedures.  Using the term “Privacy Notice” typically avoids that confusion.  Arguably, “Privacy Notice” is also better aligned with the intent of privacy-related statutes, that is, to have companies “notify” data subjects of their privacy practices.  As a result, this book predominantly utilizes the term “privacy notice.”

Notes

  1. Cal. Bus. & Prof. Code § 22577(b)(3)(A) (West 2021).
  2. Cal. Civ. Code § 1798.130(a)(5) (West 2021).
  3. Cal. Code Regs. tit. 11, § 999.304(a) (2021).
  4. See also Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, 17/EN/WP 260 rev. 1, at 8, 14 (Adopted on 29 November 2017) (Last revised and Adopted on 11 April 2018).
  5. See FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers (March 2012).