Third-Party Risk Privacy: Understanding Policies, Notices and Consent
By: Venminder Experts on July 13 2022
In the absence of federal privacy legislation, several individual states have enacted their own comprehensive privacy laws, including California, Colorado, Utah and Virginia. Aside from keeping up with emerging privacy legislation, it can be challenging to understand the language found within these laws, as well as how your vendors are meeting privacy expectations.
Two common requirements seen in privacy laws are the concepts of privacy notices and consent gathering. Notice and consent are closely related but serve distinct purposes. In this blog we’ll explain the purpose of each and provide some guidance on evidence to look for in vendor documentation. We’ll also provide some practical next steps for vendor assessments.
Difference Between a Privacy Notice vs. Privacy Policy
In practice, “privacy notice” is often used as a synonym for “privacy policy,” although the two are meant to serve different purposes. Let’s discuss further.
The confusion is exacerbated by the fact that many privacy laws don’t require the actual use of the term “notice” when referring to the mechanism an organization uses to provide consumer-facing information about its privacy practices. You may be thinking, “If most privacy laws don’t care whether you use ‘notice’ or ‘policy’, why bother explaining the difference?” That’s a valid question. The short answer is that some laws, such as China’s Personal Information Protection Law (PIPL), DO require specific privacy notices. PIPL requires that companies “…shall truthfully, accurately, and completely inform the individual…in an eye catching manner and with clear and understandable language…” (PIPL Article 17). The difference between a privacy policy and a privacy notice is explained in more depth in the following sections.
Privacy Policies - The Purpose
A privacy policy should be thought of as the “by lawyers, for lawyers” document that dictates what an organization is legally required to do (and/or has voluntarily committed to doing) and the actions that must be taken to comply. It’s generally complicated and difficult to read due to the legal language used, and it is rarely helpful to a layperson trying to determine what an organization is doing with their data.
One study a few years ago estimated that it would take the average American consumer over 200 hours to read all the privacy policies they encounter in a year, and another found that the reading comprehension level required by some policies was higher than that required to read Stephen Hawking’s A Brief History of Time. Some of you must read these policies regularly as part of your job, so you know how dense and hard to decipher these documents can be.
A good privacy policy should function primarily as an internal-facing document that allows individuals within a company to understand the organization’s obligations to safeguard data, and to identify ways the organization can improve its overall privacy posture.
Privacy Notices – The Expectation
In contrast to lengthy and complex privacy policies, privacy notices should be short, clear and easily understandable by anyone. Notices should explain in plain language an organization’s data practices and other privacy-related information. Your vendors should have privacy notices in place as part of their practices.
These notices can be delivered to users at different points during their use of a product or service, depending on the organization’s user experience (UX) design choices and applicable laws. Some laws require that a privacy notice be provided to a consumer at the point that data is collected, while others only require that an explanation of data practices be available to users if they want it.
For example, a privacy notice explaining the purpose for which a user’s email address is collected is better shown at the moment the user is prompted to enter their email address into a web form, rather than buried in a dense policy or end user license agreement (EULA).
Privacy Notices – The Reality
While the just-in-time privacy notice in the example above would be an ideal way to explain why a company needs a user’s email address, reality doesn’t match this “privacy nirvana.”
In most cases, the gap between privacy professionals’ ideal world and the real one comes down to compliance obligations and budget. Because the penalties for non-compliance with privacy laws are steep, organizations need to ensure that their legal obligations are met within their privacy policies. Because redesigning UX is expensive (and so are lawyers), many organizations stop once they have a privacy policy that meets the legal requirements.
Reviewing a Vendor Privacy Policy or Privacy Notice
A privacy policy or privacy notice should, depending on applicable laws and regulations, document:
- What data is being collected
- What that data will be used for
- Who that data will be accessible to (including third-party vendors and sub-processors)
- How the data will be kept secure, and for how long it will be retained
- What the rights are of the data subject (consumer) under applicable privacy laws and/or an organization’s privacy framework
- How to exercise those rights (one of which is withdrawing consent, discussed below)
The Basics of Consent
Consent is a mechanism by which companies can demonstrate that an individual has given permission to collect or process their data. The EU’s General Data Protection Regulation (GDPR) lists consent as one of several lawful bases for processing, while other laws treat it differently. Consent should only be considered valid if the individual can reasonably be expected to understand the reason for collection (as spelled out in a privacy notice or policy).
Consent in the context of privacy is essentially permission, obtained directly from an individual, to collect or use their personal information. Logically, permission should be revocable, which shows up in privacy laws as some form of “opt-out” or withdrawal clause: an individual who provides consent must be able to withdraw that consent. Keep in mind that it is not only your own organization that needs to consider consent. If a vendor will be collecting data on behalf of your organization, you must verify that the vendor has consent processes in place that comply with GDPR and any other applicable privacy laws and regulations.
Consent to process data is NOT required by all privacy laws prior to collecting/processing data. Here are two examples that differ on this requirement:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires that organizations collect “meaningful consent” from individuals prior to processing their data.
- The EU’s General Data Protection Regulation (GDPR), on the other hand, lists consent as just one of the lawful bases for processing; it isn’t the only valid reason a company can use to process an individual’s data. However, when consent is used as the basis for processing, strict criteria must be met for the consent to be considered valid.
To be valid, consent needs to be a freely given, specific, informed and unambiguous indication of an individual’s agreement. This means consent should pertain to a single data practice rather than being bundled together with consent for multiple data practices. (An Introduction to Privacy for Technology Professionals, section 5.4.1.2)
What consent mechanisms look like in the real world can vary, but a common one is a checkbox next to a form stating, for example, “By checking this box you are allowing us to use this email address for marketing purposes.”
Consent can also be documented by requiring a user to accept the terms of service or privacy policy before use, although these mechanisms are frequently too dense and complicated to be useful to individuals, which casts doubt on whether the consent could be considered “freely given, specific, informed, and unambiguous.”
Using Your Understanding of Notices and Consent in Vendor Assessments
Now that you have a better understanding of notices and consent, it’s important to know how to use this information in your vendor assessments.
Here’s some general guidance:
- When assessing whether a vendor has provided a privacy notice to consumers, it’s acceptable at this time to look for a privacy policy on their website. However, those criteria may be adjusted in the future to require screenshots of the applicable public-facing privacy notices as proof.
- It may be helpful to review the privacy policy for any mention of consent, but the main evidence will be found in questionnaire responses (e.g., SIG 2022 question P.3 and its sub-questions address choice and consent). Consent is harder to quantify, as a company is not always required to obtain explicit proof of consent prior to processing, and the consent mechanism can vary depending on the product.
Third-party privacy expectations need to be set explicitly. As new regulations continue to emerge, it’s important to ensure that both your organization and its vendors remain educated and compliant.