Earlier this year, the EU’s GDPR—the General Data Protection Regulation—went into effect, delineating how companies handle consumer data for EU citizens. Because the internet is accessible worldwide, most companies have had to update their privacy policies in case they get visits from EU citizens.
Types of Data You Collect
If your business collects personal data, you may be required by state law or federal guidance to itemize the types of personal data you collect. Let your customers know all types of data collected, including the following:
- E-mail address
- Mailing address
- Phone number
- Credit card information
Many businesses collect information from their customers in a variety of situations. Privacy laws require businesses to collect only the personal data they actually need and to state why they need it. For example, a mail order would likely require the customer's name and address, and potentially a phone number.
Don’t forget about phone data, either. Customer service and sales are often required to gather private information from clients via telephone, so detail why data could be collected from those calls.
Beyond the Policy: If your company collects data through other devices, be as transparent as possible about it. Disney, for instance, collects user data through its MagicBand wristband, and it has an entire section of its site built to answer user questions about what data that system collects and why.
How the Data Is Used (Including Cookies)
Spell out how you use the data you collect so customers are clear on why they are giving you their information. Everything from website logins to online customer service access requires personal data collection.
Data sharing with third-party partners should also be disclosed. If your company hands any data off to any other companies, be sure you’ve invested in highly secure partnerships and platforms—your customers deserve to know you’ve done due diligence to protect their information if and when you have to pass it on.
Beyond the Policy: The EU’s recent privacy regulation update led to a lot of companies being more up front about their cookie policies in the form of homepage popups, but not every company does it well. Follow Channel 4’s example (which you can see at the top of its homepage), and create cookie notifications that are transparent and understandable.
Storage and Security Policies
On top of how data is used, don’t forget to let users know if your company stores their data and, if so, what security measures you’ve taken to keep that information safe.
This point is especially crucial for any type of payment information. The Payment Card Industry Data Security Standard (PCI DSS) was designed so that merchants who accept and process credit card payment information do so in a secure environment. If you accept payments through your website for services or products, ensure you are PCI compliant and list that compliance on your site. Best practices range from encryption to employee procedures, so mention your compliance in the footer of your site and advise your customers during checkout.
Beyond the Policy: If your company regularly deals with or processes sensitive information, consider adding a dedicated page to explain your security protocols. Mailchimp’s Security page is a good model to start from.
Opt-Out Procedures & Company Contact Info
Companies that send out commercial email marketing campaigns are required by the FTC to have opt-out options listed in each email. You should also have an opt-out policy listed in your privacy statement so customers know how to control their information.
Allowing your customers to reach your opt-out process quickly will help them trust that you have their best interests at heart when it comes to marketing to them or collecting their data.
Beyond the Policy: If you haven’t already, consider setting up a reliable and accessible customer support line and make the line hours and contact information easily accessible online. Go Verizon has a good example of a dedicated customer service page with clearly posted hours and phone number.
Indicate the Effective Date
If your company uses cloud-based software and contact management systems, be sure to check out our article on Ensuring Security in the Cloud.
About the Author: Elaine is a digital journalist whose work has been featured in various online publications, including VentureBeat, Women’s Health, and Home Business Magazine. She writes about sustainability and tech, with emphasis on business and personal wellness.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.