New privacy policies for business owners
Responsibility is growing to ensure consumers’ personal privacy and information rights
Editor’s note: This is the third in a series of three articles on privacy policies.
In this article, I would like to explore three items, two of which involve mandates that can require additional notifications under the California Consumer Privacy Act (“CCPA”):
1. When PII is procured from minors and, in particular, consumers under the age of 13 years
2. When a company provides incentives, such as discounts, rewards, or other benefits, to their customers to part with their PII
3. The need for businesses to create a privacy rights infrastructure to address customer privacy rights concerns.
1. Minor Children and Children under the Age of 13 years:
- Where minor children under the age of 13 (“young minors”) are involved, specific laws at the state and federal levels may also come into play. The most significant law in this regard is the national Children’s Online Privacy Protection Rule (“COPPR”). The COPPR is a federal law that can require, among other things, that “vendors” marketing to young minors post online notices advising parents and guardians that the business is targeting this demographic and explaining what information is being collected and how it is being used. The law also requires such vendors to set up a mechanism that allows parents and guardians to consent to the disclosure of PII by a young minor and affords them a reasonable opportunity to review the PII collected and to preclude or restrict its use.
As for other businesses that do not target minors and young minors, their privacy policies should specifically include a provision clarifying that they do not direct their products, services, and marketing efforts to children.
2. Financial Incentive Notices:
- Among the representations a Financial Incentive Notice is required to provide is an estimate of the monetary value of the incentive being offered. For example, if the financial incentive provided to customers is a 20% discount on the first $1,000.00 of product purchased, the monetary value being offered for the PII would be $200.00. It is necessary not only to represent the estimated value of the financial incentive being offered but also to explain the methodology by which that value is determined.
- Additionally, the terms and conditions governing the offer of a financial incentive need to be discussed, i.e., how customers would qualify for the incentive, when their incentives would expire, and how they would be able to opt out of the program.
- Finally, a Financial Incentive Notice needs to include a non-discrimination statement explaining that customers who decide not to participate in an incentives program will not be discriminated against for not providing their PII, such as by way of limiting their rights vis-à-vis other customers.
According to one source, the regulatory body charged with enforcing the privacy protection laws of California has recently issued citations to businesses operating in California that have failed to include an adequate Financial Incentive Notice in their online materials.
3. Developing a Privacy Rights Infrastructure
At the same time, it is important that a business knows where its customer PII is being held within its information network. Customer PII should be segregated from other information and encrypted or otherwise password protected so that hacking risks are minimized.
At bottom, the objective in creating a PII infrastructure is to afford a business the capacity to readily locate a customer’s PII and to address customers’ privacy concerns in a timely fashion, which could include expunging, limiting the use of, or even transferring PII to another location.
The take away: