
Behind the Scenes: What it takes to monitor privacy laws

General


Donata Stroink-Skillrud

Co-founder and President of Termageddon

One thing that makes Termageddon different from other Privacy Policy Generators is that we’re regularly monitoring the privacy law landscape to ensure our generator remains up to date so that our partners and users can worry less about fines and lawsuits. It’s a service we’re proud of for two reasons:

  1. It’s a crucial step
  2. It takes a lot of time and effort


That being said, oftentimes people don’t know what we mean when we say we ‘monitor privacy laws’ and ‘auto-update Privacy Policies’ accordingly. So, we wanted to share an overview of what goes on behind the scenes at Termageddon to ensure no privacy laws sneak up on us or our customers. 



Why is it important to keep track of privacy bills? 



Overall, diligently tracking privacy bills as they make their way into laws is what gives Termageddon one of its biggest advantages over the competition. The time we spend studying privacy bills so that our product is ready if and when those bills become laws is what our clients truly appreciate. By the time a bill becomes law, we have already taken steps to prepare ourselves and our partners for it. 

Businesses that work with us also find tracking helpful for the following reasons:

  • Tracking privacy bills helps them determine what obligations or requirements their business may be subject to in the future. For example, if a number of privacy bills would require businesses to allow consumers to opt out of targeted advertising, then they know to start looking into cookie consent banners that contain such options. 
  • Tracking allows them to determine what privacy rights individuals may get in the future, letting them prepare well in advance to, for example, delete customer information (they prepare in advance by determining where the data is located so that they can easily find it when it comes time to respond to such a request).
  • Finally, it allows businesses to prepare for enforcement. For example, some bills include a private right of action that would allow consumers to sue businesses directly so they know that they need to prepare to comply with a law to the letter to avoid being sued.

How do we keep track of privacy bills? 

Step 1: Alerts


Privacy bills are introduced and move through the legislative process very frequently. We receive alerts about new privacy bills, and about where each one stands in the legislative process, through LexisNexis StateNet. In StateNet, we set alerts on terms such as “privacy” or “Privacy Policy” and get an email whenever a new bill containing those terms is introduced. 

We can also track each bill through the legislative process and receive alerts once the bill has reached certain steps in the process (e.g. approved by the Senate or placed into a Committee). You can see what an alert looks like here (this one is for the Minnesota House Bill 2257):

Once we receive an alert like this, we click “track bill” and then receive alerts whenever the bill takes the next step in the legislative process. We also check legiscan.com and IAPP.org for news and interpretations of the bill. 

Step 2: Review Bills


The next step is to review each bill and add the bill to the state and global privacy bill trackers. We review each bill for the following items:

  1. Who the bill applies to; 
  2. Whether the bill requires companies to have a Privacy Policy and what disclosures that Privacy Policy would need to contain; 
  3. How the bill will be enforced (i.e. whether it will be enforced by the state’s Attorney General or include a private right of action, meaning that consumers could sue businesses directly). We also review what fines could be imposed under the bill if it were to become law; 
  4. What privacy rights the bill provides to consumers, including:
    1. The right to access data; 
    2. The right to delete data; 
    3. The right to correct data; 
    4. The right to restrict the processing of data; 
    5. The right to opt out of certain uses of data; 
    6. The right to portability; 
    7. The right to not be discriminated against based on the exercise of privacy rights; 
    8. The right to be forgotten.
  5. Whether the bill regulates automated decision making and/or profiling;
  6. Other obligations for controllers or processors;
  7. The effective date of the bill if it were to become a law. 

Once we have started tracking a bill and added it to our privacy bill trackers, we follow it through the legislative process via the alerts we receive. We keep up with a bill’s progress via dashboards like this:

We repeat this entire process for dozens of bills each year. 

The legislative process ends when a bill has either failed passage or has been signed by the Governor. Here is an example of a bill that has been signed by the Governor and has thus become a law: 

Once the bill has been signed by the Governor, it becomes law and the legislative process tracking ends. At this time, we take a look at the final text of the law, compile and send out the law’s Compliance Guide on our blog and start preparing to update policies. 

At this time, we also check guidance from the state and articles from the IAPP, the American Bar Association, and state Bar Associations to see if there is any guidance or relevant interpretations of the law and its requirements.

Keep in mind that we’re tracking over 30 privacy laws at any given moment, which means this process is happening over and over again on a pretty regular basis. 

How do we update policies once a bill becomes law?

Step 1: Development schedules


The first thing that we do is look at the effective date of the law (usually, we have a year or two to update policies prior to a law going into effect) and create an engineering and development schedule to ensure that: 

  1. We have plenty of time to engineer the updates; 
  2. Our development team has plenty of time to add the updates to the app; 
  3. Our customers have ample time to answer any new questions about their website/business.

Step 2: Determining what questions need to be asked, if any


First, we determine who the privacy law applies to and what questions we need to ask our clients so that the software can determine if that particular privacy law applies to them. For example, the Colorado Privacy Act states that the law applies to the following:

We then read the law to determine what each of these items means (for example, whether the law states what it means to “conduct business in Colorado”). We also look at who is exempt from the law (for example, whether nonprofit organizations are exempt). 

Once we have determined who the privacy law applies to, we add the questions that we need to ask and the conditional logic for asking each question to a diagram that helps determine what privacy laws apply to a particular license.

Next, we read the privacy law again to determine what disclosures it requires Privacy Policies to make. Below is the initial list from the Colorado Privacy Act. 

It is important to note that each privacy law includes a list of disclosures that Privacy Policies need to make, and these disclosures differ from law to law. However, beyond the disclosures specifically enumerated in that list, the text of the law usually imposes additional disclosure requirements that are not listed alongside them. In the example above (III), the Colorado Privacy Act also states that businesses must respond to privacy rights requests within 45 days and must list the privacy rights provided, even though neither item appears in this list. 

Once we have compiled the list of questions that need to be asked, we create a diagram of the questions and their conditional logic. You can see the questionnaire diagram below (all of the new questions are in yellow):


Now that we have compiled the questions for the privacy law, we check other privacy laws to see if there are any overlaps or conflicts with the questionnaires for other privacy laws. For example, some privacy laws require you to provide the logic behind automated decision making while others do not. 

We make sure to match up the questionnaires so that the same questions are not asked multiple times and that our clients have to answer the least amount of questions possible to gather all of the information that is needed. 

Then, we compile the text of the policy, including all of the variations in the text. For example, if a client engages in automated decision making, we need to show one paragraph while if they do not, then we need to show another paragraph in the text. We also need to insert the selections that they made as their answers to the questionnaire or any text that they input into the fields when answering a particular question. We also check the text to make sure that it integrates well with other privacy laws (e.g. multiple privacy laws apply to the client) and resolve any conflicts between privacy laws. 

Once the questionnaire diagrams and text are ready, we ship these documents over to our development team to have everything added to the app. 

If there are no new questions:

We send an email to our clients letting them know that their policies have been updated and explain how/why they were updated.

If we need to ask new questions:

First, the development team adds the new questions to the app and we send an email to our clients letting them know that they can answer new questions. 

Next, the development team adds the new text to the app and client policies are updated with the new text after the client has answered the new questions. Updates are applied to the client’s website policy pages automatically through the embed code.
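As an added illustration of the questionnaire logic described above (this is example code written for this page, not Termageddon’s application or its real questionnaire), the block below models a questionnaire as a set of keyed questions shared across laws, de-duplicates them so a client answers each shared question once, evaluates which laws apply from the answers, works out which questions a client still has to answer when a new law is added, and assembles policy text from conditional paragraphs. The two “laws”, their thresholds and their disclosure paragraphs are hypothetical and are not the text of the Colorado Privacy Act or any other statute.

```python
"""Added example: a minimal questionnaire/conditional-logic engine.

The laws, thresholds and paragraphs below are constructed for illustration
and do not reproduce any real statute.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Answers = Dict[str, object]


@dataclass(frozen=True)
class Question:
    key: str      # stable identifier; the same key in two laws is asked only once
    prompt: str


@dataclass
class Law:
    name: str
    questions: List[Question]                    # answers needed to decide applicability/text
    applies: Callable[[Answers], bool]           # evaluated only once all answers exist
    disclosures: List[Callable[[Answers], str]]  # each returns a paragraph, or "" to omit


# Hypothetical questions shared by the hypothetical laws.
Q_STATES = Question("states", "Which states do you conduct business in?")
Q_COUNT = Question("consumers", "How many consumers' data do you process per year?")
Q_ADM = Question("automated_decisions", "Do you make automated decisions about consumers?")
Q_SELL = Question("sells_data", "Do you sell personal data?")
Q_CONTACT = Question("request_contact", "Where should privacy rights requests be sent?")


def adm_paragraph(a: Answers) -> str:
    # Conditional text: one paragraph if the client uses automated decision making, another if not.
    if a["automated_decisions"]:
        return "We use automated decision making; you may request information about the logic involved."
    return "We do not make automated decisions that produce legal effects about you."


LAW_A = Law(
    "Hypothetical State A Privacy Act",
    [Q_STATES, Q_COUNT, Q_ADM, Q_CONTACT],
    lambda a: "A" in a["states"] and a["consumers"] >= 100_000,   # hypothetical threshold
    [adm_paragraph,
     lambda a: f"State A residents may submit rights requests to {a['request_contact']}; "
               f"we respond within 45 days."],
)
LAW_B = Law(
    "Hypothetical State B Consumer Data Act",
    [Q_STATES, Q_COUNT, Q_SELL, Q_CONTACT],
    lambda a: "B" in a["states"] and (a["consumers"] >= 25_000 or a["sells_data"]),
    [lambda a: "State B residents may opt out of the sale of personal data." if a["sells_data"] else "",
     lambda a: f"State B residents may submit rights requests to {a['request_contact']}."],
)


def merged_questionnaire(laws: List[Law]) -> List[Question]:
    """Union of every law's questions, de-duplicated by key in first-seen order."""
    seen, out = set(), []
    for law in laws:
        for q in law.questions:
            if q.key not in seen:
                seen.add(q.key)
                out.append(q)
    return out


def unanswered(laws: List[Law], answers: Answers) -> List[Question]:
    """Questions a client must still answer, e.g. after a new law is added to the app."""
    return [q for q in merged_questionnaire(laws) if q.key not in answers]


def applicable_laws(laws: List[Law], answers: Answers) -> List[Law]:
    """A law is considered only when every answer it depends on is present."""
    return [law for law in laws
            if all(q.key in answers for q in law.questions) and law.applies(answers)]


def compile_policy(laws: List[Law], answers: Answers) -> List[str]:
    """Assemble the policy: a heading per applicable law plus its non-empty paragraphs."""
    paragraphs = []
    for law in applicable_laws(laws, answers):
        paragraphs.append(f"== {law.name} ==")
        paragraphs.extend(text for render in law.disclosures if (text := render(answers)))
    return paragraphs


if __name__ == "__main__":
    # Constructed sample client: answered Law A's questions before Law B existed.
    client = {"states": {"A", "B"}, "consumers": 30_000,
              "automated_decisions": False, "request_contact": "privacy@example.com"}
    print([q.prompt for q in unanswered([LAW_A, LAW_B], client)])   # only the new question
    client["sells_data"] = True
    print("\n".join(compile_policy([LAW_A, LAW_B], client)))
```

The key design point is the shared question key: because both laws reference the same `Question` objects, adding a second law to a client who already answered the first only surfaces the questions that are genuinely new, which is the “if we need to ask new questions” path described above.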

Step 3: Updating policies for further developments in the law


Once the policies are updated for the law itself, further developments may require additional updates. Using our Colorado Privacy Act example, new rules were introduced that further interpret the law and add to the list of required Privacy Policy disclosures. In addition, cases and guidance from Data Protection Authorities or Attorneys General may further change the Privacy Policy disclosure requirements. 

With these additional changes, we follow the same process as above: we create the new questions and text, send them over to the development team, and roll them out through the same steps. 

When it comes to rules and regulations, the timeline is much more compressed than with the law itself. Sometimes we have six months to make updates but other times the timeline is more like six days before the rules and regulations are effective. Rules and regulations can affect the questionnaire and/or the text (sometimes it only affects one of those).


Conclusion


Our partners sometimes ask why we’re a subscription-based service instead of just a product. This is the primary reason for that. 

In order to be an effective Privacy Policy Generator, we feel it’s essential to put in the time and effort needed to keep on top of all the changing privacy laws around the globe so that our product is never playing catch-up to these changes. Termageddon customers trust us with their websites, and we honor that by not skipping any steps. This aspect of our business requires daily attention from our legal, marketing, dev, and sales teams in order to make it work.

That being said, after years and years of digging through every privacy bill/law, we now understand why so few others bother doing it.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
