How-to guide: How to draft a privacy policy, and privacy and data security provisions in contracts (USA)

Updated as of: 11 August 2025

Introduction

This guide will assist in-house counsel, private practice lawyers, and risk and compliance teams in the United States to draft a privacy policy and standard clauses, notices, and representations and warranties related to data security and privacy that are part of their organization’s data security and privacy compliance program.

This guide covers the following:

  1. Overview
  2. Privacy policies and notices
  3. Privacy and security provisions in contracts

This guide does not cover the details of any state or federal privacy or security laws. For this reason, this guide should be read in conjunction with How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.

Section 1 – Overview

1.1 Privacy and data security law basics

Broadly speaking, data security deals with protecting data from unauthorized access and corruption. This is typically accomplished through the implementation of various protocols and technological controls. Privacy deals with ensuring that certain types of an individual’s private information (eg, financial, health, and personally identifiable information) are subject to heightened protections and limitations on disclosure.

In the United States, privacy and data security law are intertwined. There is no clear line dividing the two and, in fact, many laws deal with both. An organization’s privacy and data security obligations stem from a variety of sources: state and federal regulations and laws, contractual agreements, and common law. It is an area of law that is currently in flux with proposed legislative additions and changes coming out regularly, particularly at the state level. Accordingly, it is important to monitor legal developments in this area.

1.2 Preparing standard clauses, notices, and policies

1.2.1 Conduct organization-specific analysis

You should undertake an organization-specific analysis to determine which clauses, notices, and policies are required or are prudent based on the laws governing your organization and the privacy risks inherent in its operations. Review How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US for assistance in this process.

1.2.2 Common standard clauses, notices, and policies

The following are common types of required standard clauses, notices, and policies:

  • privacy policies;
  • initial privacy notices, annual notices, breach notifications, and opt-out notices;
  • data breach notices;
  • contractual privacy and security representations and warranties;
  • confidentiality agreements;
  • data processing agreements;
  • terms of service;
  • cookie policies;
  • data retention and deletion policies;
  • user consent forms;
  • incident response plans;
  • terms related to cross-border data transfers;
  • security incident notifications; and
  • vendor risk assessment policies.

Section 2 – Privacy policies and notices

2.1 Privacy policies

2.1.1 Generally

A privacy policy is a legal document that discloses how an organization gathers, uses, and discloses an individual’s information and data. In the United States, privacy policies typically refer to digital privacy policies that are posted on websites and digital apps and govern an individual’s use of the website or app. As used in this guide, a privacy policy refers to these types of digital privacy policies. Virtually every US organization should have a privacy policy. A few examples of privacy policies of major corporations include those provided by Apple and Microsoft.

2.1.2 Key drafting considerations

The details of an organization’s privacy policy will vary; however, the following issues are applicable to all privacy policies.

  • Information collected – the policy should disclose what types of information are collected as well as how that information is collected. For example, if an organization uses cookies to track and obtain information about a website user’s internet usage, it should disclose this in its privacy policy.
  • Use of information – the organization should disclose how it uses the information collected. It is common for digital privacy policies to indicate that the information collected helps the organization deliver services and products and customize the website or app experience. The policy should also state, for example, whether the organization shares information with third parties or uses it only for internal purposes.
  • Disclosure of collected information – the organization should disclose how and when it discloses collected information to third parties. For example, if an organization uses third-party service providers for payment processing, it should disclose that it shares personal information with third-party providers, provide the name of the third party, and explain why that service is used.
  • Data protective measures taken – although not usually required by law, summarizing the security measures used to protect information is becoming a best practice when preparing privacy policies.
  • How to update information – the notice should include an explanation of how an individual can update or correct their information. Often, it is helpful to include a contact email where an individual can send such requests.
  • How to opt out – if applicable, set out in the privacy policy how an individual may opt out of the collection or sharing of their information.
  • Policies regarding minors – the privacy policy must address the collection of minors’ information. Organizations that do not target or intentionally collect data from minors may often include provisions prohibiting minors from using their website or digital service. Organizations that target or collect information from minors must include provisions in their privacy policy that comply with the Children’s Online Privacy Protection Act of 1998, 15 USC section 6501, et seq., and the Federal Trade Commission’s corresponding COPPA regulations, 16 CFR sections 312.1, et seq. (together, COPPA), and any other relevant laws governing privacy requirements applicable to minors. For additional guidance, consult Checklist: Understanding privacy laws in the US.
  • Business-specific requirements – privacy law in the United States is closely connected to the organization’s industry or type of business. The organization should therefore consider whether any governing laws provide guidance about additional provisions to include in the privacy policy.
  • State-specific requirements – certain states, such as California, have their own privacy laws with additional requirements, such as the California Consumer Privacy Act (CCPA), Cal Civ Code 1798.100, et seq., and the California Privacy Rights Act (CPRA), also known as Proposition 24. Organizations working across multiple states should consider any applicable state-specific laws to determine additional provisions that may be required in the privacy policy.
  • Changes – privacy policies should indicate that they may be subject to change and specify whether notice will be given of such changes.

2.2 Privacy notices

2.2.1 Generally

The term privacy policy is sometimes used interchangeably with the term privacy notice, even though the two terms are not necessarily fungible. For the purposes of this guide, the term 'privacy notices' refers to the written notices provided by an organization to individuals or businesses regarding the organization’s privacy practices or privacy breaches. The most common privacy-related notices are:

  • Initial notice – the initial notice of an organization’s privacy practices, given at the outset of a business relationship, or when the organization begins to collect data.
  • Annual notice – an annual notice of the organization’s most current privacy practices that must be provided in certain business sectors (eg, banking).
  • Breach notice – the required notification(s) that must be made when a data breach impacting an individual’s data occurs.
  • Opt-out notice – a notice that communicates that an individual may opt out of certain collection, use, or disclosure of their data as well as the process for doing so. Such notice is given as a part of other required notices, such as the initial notice or the annual notice.

Some laws, such as the Gramm-Leach-Bliley Act of 1999 (GLBA), require organizations to provide one or more of these notices. Even if not required, an organization may choose to prepare and use some or all of these notices. For example, annual notices help prevent arguments that an individual was not aware of changes to privacy practices.

2.2.2 Key drafting considerations

When preparing privacy notices, take the following into account for each notice.

  • Type of notice – when you are drafting the notice, consider the type and purpose of the notice.
  • Required information – make sure you include all legally required disclosures or information for each notice type.
  • Timing of notice – send all required notices at the proper time. For example, an organization should not wait six months to send an initial notice.
  • Method of providing notice – make sure the mechanism of providing notice is consistent with legal requirements. Whether a notice is sent by post, email, or digital PDF upload, or is posted online, will depend on the laws that govern the notice.
  • Terms of privacy practices – notices should either include the organization’s privacy practices in the main body of the notice, be sent with a copy of the organization’s privacy practices, or include a hyperlink or other easy mechanism to access the terms of the organization’s privacy practices. Again, review organization-specific legal requirements as some dictate how privacy practices are provided.

Section 3 – Privacy and security provisions in contracts

3.1 Privacy and security provisions generally

3.1.1 What are privacy and security provisions?

Privacy and security provisions are contractual provisions where one or both parties agree to undertake specified actions to protect data privacy and data security.

These agreements are typically between two businesses, a business and a contractor, or a business and a vendor or service provider. Privacy and security provisions may be set out in standalone privacy and security contracts or as part of a wider contractual agreement.

3.1.2 When to use privacy and security provisions

Privacy and security provisions are most frequently used when a business will or may provide access to data that is governed by privacy laws, or when access is given to other sensitive business data. The use of privacy and security provisions is explicitly required under some federal and state laws, such as the business associate contract requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In other cases, use of this type of provision is not explicitly required but is necessary for a business to ensure it complies with its general obligations to take reasonable measures to keep data, especially private data, secure. Finally, businesses may choose to use such provisions in order to be proactive about data protection.

3.2 Key drafting considerations

Drafting privacy and security provisions requires a careful review of applicable law and the situation at hand. The key considerations listed below should, however, be taken into account whenever privacy and security provisions are drafted.

  • Access to data – identify the types of data to which the data recipient will be provided access. It is usually helpful to define the various categories of data to which the data recipient will receive access, such as personally identifiable information, confidential information, and proprietary business information.
  • Use of information – detail any restrictions on the use and disclosure of information. Restrictions may vary depending on the category of data. For example, personally identifiable information may be subject to stricter requirements than confidential information.
  • Legal compliance representation – the data recipient should represent and warrant that they will comply with all legal requirements regarding the data to which they have access. When it is clear that specific laws such as HIPAA or GLBA apply to the data involved, the representations should specifically indicate that the service provider will comply with these laws.
  • Required information security measures – a large portion of privacy and security provisions should set out, in detail, the information security measures the service provider will utilize. For example, requirements might include limitation of user access to data, level of encryption, segregation of private information, multiple layers of security controls, and back-up and restore processes.
  • Required provisions – state and federal laws may require that certain provisions are included in certain agreements. For example, the California Privacy Rights Act of 2020 (CPRA) requires service provider agreements to grant the business the right to take steps to ensure that the service provider uses personal information in a manner consistent with the business’s obligations under the CPRA.
  • Use of subcontractors – set out whether subcontractors may be used. When they are used, require subcontractors to comply with all of the same privacy and security requirements of the agreement. The agreement may even provide the form of a privacy and security agreement that subcontractors must sign. In guidance provided by the FTC in Cybersecurity for small business: Vendor security, it is recommended that companies should:
      • Put it in writing. Spell out your security expectations up front and include specific provisions in your contracts about protecting data. If a vendor vacillates, maybe they’re not the right partner for you.
      • Verify compliance. ‘Trust, but verify,’ as the adage goes. Don’t just take vendors at their word. Establish a process so you can confirm they’re following your rules.
      • Make changes as needed. Cyber threats are constantly morphing. Make sure the security methods your vendors use are up to date – and up to your data.
  • Data breach – the agreement should address what the service provider’s obligations are in the event of a data breach. At a minimum, require the provider to give notice of the breach.
  • Compliance audits – often, the service provider is required to conduct or hire a knowledgeable third party to conduct annual audits to ensure compliance with the requirements of the privacy and security agreement.
  • Remedies – address remedy-related issues such as attorneys’ fees and costs, and the availability and scope of indemnification in the event of a breach of the agreement.
  • Data at close of agreement – the agreement should specify how data should be returned, disposed of, or destroyed at the end of the contract term.

Tailor the amount of detail and breadth of privacy and security provisions to the situation. In some agreements, a single paragraph will be sufficient; in others, independent security and privacy agreements are warranted. If your organization is subject to other privacy laws (eg, those contained in the EU’s General Data Protection Regulation (GDPR)), more information and a more detailed statement may be required.

Additional Resources

HIPAA’s business associate contract requirements

Related Lexology Pro Content

How-to guides:

  • How to determine and apply relevant US privacy laws to your organization
  • How to manage your organization’s data privacy and security risks
  • How to implement privacy by design within your organization
  • How to develop, implement, and maintain a US privacy law compliance program
  • How to develop, implement and maintain a US information and data security compliance program
  • How to evaluate the effectiveness of a data security or data privacy compliance program
  • How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
  • How to manage third party supply chain data privacy, security risks, and liability
  • Incident response plan readiness and identification of a reportable data breach
  • How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws

Checklists:

  • Understanding privacy laws in the US
  • Completing a data privacy risk assessment
  • Drafting internal privacy policies and procedures
  • Completing a data and information security risk assessment
  • Drafting a consumer privacy policy
  • Developing key privacy and data security contractual terms and provisions (B2C)
  • Privacy and data security law training
  • Completing a data incident response plan assessment
  • Responding to a data breach
  • Privacy and data security due diligence in M&A

Quick views:

  • Key data privacy and data security terms
  • Collection and use of non-consumer data
  • Regulation of data brokers
