Overhaul Your Privacy Policy, Part 2: Elements of a Good Privacy Policy

Like most legal documents, privacy policies are fairly bland, and, let’s be honest, few people read them. But the recent enactment of the California Consumer Privacy Act (“CCPA”) has Joot fielding privacy policy questions from clients and service providers alike. In our previous post—Is it time to overhaul your privacy policy and notice?—we discussed whether your firm must comply with the CCPA. Today, we focus on the elements of a good privacy policy.

Regulation S-P, adopted by the SEC as required by the Gramm-Leach-Bliley Act, governs the privacy policies of investment companies, broker-dealers and SEC-registered investment advisers (each, a “firm”). Regulation S-P requires a firm to describe the conditions under which it may disclose nonpublic personal information about consumers to nonaffiliated third parties and to give consumers a method to opt out of that disclosure (subject to certain exceptions).

Here are examples of some of the requirements outlined in Regulation S-P that need to be included in your privacy policy:

  • The categories of nonpublic personal information that you collect: This can include social security numbers, asset information and employment information, to name a few.

  • The categories of nonpublic personal information that you disclose: This may include the same items as noted in the previous bullet point but is specific to the information that you share with affiliated and non-affiliated third parties.

  • The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information: Examples here include credit bureaus and service providers to the firm. Most firms must disclose nonpublic personal information to service providers in order to conduct business.

  • The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose the information about your former customers: If you treat former customers’ information differently than current customers’ information, you will need to disclose the differences, although most firms treat current and former customers’ information in the same manner.

  • An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right: Opt-out requirements do not apply when you provide nonpublic personal information for everyday business purposes, such as processing transactions or maintaining accounts, or to service providers that perform services on your behalf. Nor do they apply when you share information in response to court orders and legal investigations. An opt-out choice is required if you share personal information with a nonaffiliate for its own marketing purposes. Sharing with affiliates is handled separately: if you provide personal information to an affiliate for its marketing purposes, or receive personal information from an affiliate for your marketing purposes, you should also check out Regulation S-AM. (Bonus points if your name is Sam and you read this at 5am.)

  • Your policies and practices for protecting the confidentiality and security of nonpublic personal information: This can be a summary of your written procedures for safeguarding nonpublic personal information, such as computer safeguards and procedures for keeping files secured.

Bonus Tip: Regulation S-P includes a Model Privacy Form that firms can use as a safe harbor instead of drafting their own version of a policy from scratch. The form is a standardized template with a specific layout and format that covers the required elements of a Regulation S-P privacy policy. The catch is that you must follow the instructions for completing the form carefully; modifications are allowed only as described in the instructions. If you are looking for an easy way to create a privacy policy, we encourage you to look at the Model Privacy Form.

Another Bonus Tip: Check out this 2019 Risk Alert from the SEC’s Office of Compliance Inspections and Examinations regarding Regulation S-P privacy notices and safeguard policies. The Risk Alert is a quick read that will give you a good idea of the privacy policy issues discovered through the SEC’s examination process.

Other elements that make a good privacy policy include:

  • Brevity
  • Plain English
  • Readability
  • Availability in other languages
  • Accessibility to people with disabilities
  • Printable format

If you have questions about your privacy policy or how your business may be affected by the CCPA, please contact us.