9 Steps to Creating a Consumer Consent Program

Here is a 9-point checklist that will help guide you to create a consumer data privacy policy and a robust privacy program that can help shield you from fines and reputational damage.

6 minute read. This article gives actionable tips on creating a flexible consumer consent program for your business.

Your approach to consumer data privacy can make or break your brand. We can guide you to create a consumer data privacy policy and a robust privacy program that can help shield you from fines and reputational damage. Our nine-point checklist below will help you create a flexible program that can change as new regulations emerge and existing ones evolve.

“86% of consumers care about data privacy and 79% are willing to spend time and money to protect it.”
Cisco Consumer Privacy Study, 2021

1. Establishing a privacy program lead

By assigning one person overall responsibility for data privacy, you improve your chances of building a complete and robust privacy program. The European Union’s General Data Protection Regulation (GDPR) requires that firms handling large amounts of consumer data have a Data Protection Officer (DPO). Other members of the data protection team should include the Chief Information Officer, Chief Compliance Officer, a legal representative, IT/IS, among others.

2. Determining the data to protect and its locations

After establishing your data protection team, you need to identify the personally identifiable information (PII) that needs to be protected and the systems and applications that store and use that information. Updates to the data, like changes of address, need to be tracked as well.

3. Authenticating data subject identities and their requests

Data privacy laws grant your consumers (data subjects) the right to request, review, and amend the data you hold about them. To avoid paying potentially hefty fines and damaging your brand, you must be able to confirm that data subject requests are legitimate.

A best practice is to verify the identity of a data subject within seven days of the privacy request submission. If the subject cannot verify their identity within that time, industry analysis indicates that there is a higher likelihood of the data subject request (DSR) being illegitimate.

Companies usually initiate the verification process via an email address and/or phone number provided at the start of the business relationship. Common verification questions include:

  1. What is the last piece of content the subject downloaded from your website?
  2. What is the last interaction the subject had with a representative of your business?
  3. What is the last item the subject purchased, its price, or the shipping details?

4. Selecting a baseline data privacy regulation

To ensure your program covers all applicable privacy regulations, it’s a best practice to comply with the most stringent one. In the U.S., compliance with the California Privacy Rights Act (CPRA) should cover you for most of the other state regulations.

It’s important to remember that privacy laws are applied based on the location of the data subject requester, rather than the location of your firm. If you have consumers in Virginia, then you must comply with the Virginia Consumer Data Protection Act, which is largely a subset of the CPRA.

5. Creating data audit and retention policies

To ensure long-term compliance with data privacy laws, you need to regularly audit your data and delete it when it is no longer needed. These two steps reduce your risk, because your business is responsible for protecting every record it stores. If you no longer need the data, then you should remove it.

Data audit guidelines

  • Categorize the data to separate consumer, business, and third-party data.
  • Categorize personal data that you sell.
  • If you don’t sell data, then state that.
  • If you do sell data, you must provide a “Do Not Sell” information page to allow consumers to opt out.
  • Identify consumer information that belongs to data subjects who reside in states with data privacy laws, such as California, Connecticut, and Virginia.
  • Data should be easily identifiable and accessible so that you can respond to requests quickly and with confidence that there is no duplicate data located elsewhere on your systems.

Data retention guidelines

To determine how long to keep data before deleting it, it helps to know why the data was collected in the first place. If the purposes for which you collected the data no longer apply, you should delete it to reduce your risk. In the event your business is the victim of a security breach, strong data minimization and retention policies help limit the impact of a data leak.

6. Drafting your privacy policy

At this point, you are ready to create your privacy policy, which should cover the types of information you collect, including:

  • Customer communication
  • Account information
  • Log files
  • Cookies
  • User data

The policy should also explain:

  • The purpose of collecting the data
  • How the data is processed, shared, or used
  • How the data is stored, secured, and accessed
  • How long collected data is retained by the company (as established in Step 5)
  • How users can access their data (GDPR/CPRA requirements)
  • When and how you use cookies

There are lots of online examples and resources you can use to kickstart this process, including https://gdpr.eu/privacy-notice/ for help writing a GDPR-compliant policy.

7. Helping data subjects exercise their privacy rights

The next step in the process is “notification,” in which you communicate the availability of your privacy policy to customers and business partners. All privacy regulations require you to make it easy for your stakeholders to find and read your privacy policy.

Best practices for promoting your privacy notice include:

  • Adding a link to your privacy policy page on your organization’s home page.
  • Creating a pop-up window that states your policy when visitors arrive at your home page.
  • Posting the privacy policy in a visible location if you run a bricks-and-mortar business.

In addition to posting your privacy policy, you need to explain how data subjects can submit their privacy requests and opt outs by:

  • Providing a privacy policy page that summarizes the main privacy policy items along with a table of contents that includes clickable links.
  • Displaying a link on your company’s homepage for consumers who choose to opt out of the sale of their data. The privacy policy itself should also provide details about how to submit opt-out requests to your company.
  • Providing an email address that is dedicated to the intake of privacy requests so that the privacy team can meet regulatory response deadlines.
  • Giving data subjects different methods to submit their privacy requests: an email address, toll-free number, or physical mailing address.

8. Training your employees

By educating your employees on your firm’s privacy policy, you can help to ensure they are part of the solution. Employee training should occur at least annually and ideally every six months. The training should include a detailed overview and/or review of:

  • Your privacy policy
  • The privacy regulations that are applicable to your business
  • The definition of Personally Identifiable Information (PII)
  • How to escalate privacy concerns, requests, or complaints
  • Best practices for handling PII
  • Your company’s common security measures

9. Continuous improvement

The regulatory environment is constantly evolving with new regulations. To reduce potential disruption from this shifting environment, your privacy lead or DPO should schedule a comprehensive, annual review of the regulatory landscape and your privacy program.

To help ensure that your privacy program is flexible and future-proof, you should adjust your program when the following events occur:

  • New privacy regulations are implemented that apply to your company or data subjects
  • A merger or acquisition that affects your company
  • Significant changes to your databases and storage of PII
  • Onboarding of new vendors for PII collection or ‘sale’ of PII

How can PrivacyCare help?

To cost-effectively ensure you are complying with privacy regulations, you need to track consumer requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, you risk costly penalties and reputational damage.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date coverage of the latest changes to data privacy laws across the U.S.

Start building your own consumer consent program for free with PrivacyCare today.

Get started with PrivacyCare

Avoid costly fines, protect your customers’ personal data, and protect your brand value by building customer trust. Jumpstart your consumer data privacy program and get started for free today.