Where to Post Your Privacy Policy

You've drafted your privacy policy, now where does it go?

The United States has become home to a number of new state consumer privacy laws over the last few years. In 2023, comprehensive privacy laws went into effect in California, Colorado, Connecticut, and Virginia, with a similar law set to go into effect in Utah on December 31. While each state has its own law in place with unique requirements, they all require that consumers be given notice about how their information is being collected, what information is being collected, and how it is being used. 


In addition to the various versions of privacy notices required by these new laws, the FTC also requires companies to provide consumers with notice about their data practices. Its authority for these federal notice requirements comes largely from Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” While their actual requirements are different, the focus of the state privacy regulations and the FTC is the same: giving consumers more control over their personal information through transparency about companies’ practices and the consumers’ rights.

Every organization that operates online should have a privacy notice on their website. These notices are most commonly referred to as “Privacy Policies” by US organizations, while organizations based in other countries typically refer to them as “Privacy Notices.” However you refer to it, once you have your privacy notice or privacy policy created, the next step is to figure out how to operationalize it.


The first decision you need to make: where to post the privacy notice.


Privacy Notices in Website Footers


If your organization operates a website, you need to link to your privacy notice/privacy policy in the footer. That link absolutely needs to have the word “Privacy” in the title. Some organizations have historically used things like “Terms and Conditions” or “Legal” as more general links that would then give you the option to link to the privacy policy as well as other policies, like the terms of use for the website. Under the new state rules, and due to international requirements if you are operating in Europe or in certain Latin American or Asian countries, your link to your privacy notice must be both direct and visible from the website, so you cannot avoid using the word “Privacy” in the footer. You may simply say “Privacy,” or you could say “Privacy Notice,” or “Privacy Policy,” or some other variation, as long as it is very clear to any visitors that, if they want to know what your privacy practices are, that is the link they should click on.


You also need to make sure that your privacy footer link is conspicuous: don’t try to minimize it by putting it into small text or text that is otherwise difficult to read or notice. Also be sure your link is clearly visible in the footer of both the desktop and mobile versions of your website. If your web team has been looking for authorization to spend time optimizing the site, this is actually good news for them. Optimizing the site for mobile will benefit your overall business in addition to helping you comply with privacy requirements.


Layered or Pop-Up Notices


In situations where you are not able to give someone the entire privacy policy, you can provide it to them in “layers.” “Layered notices” give a short version of the relevant privacy information along with a link to, or instructions on how to access, the full privacy policy. How much information is included in the “top” layer should be based on your situation. What are you collecting? How are you interacting with the consumer (directly or indirectly, and do you need to inform them that they are interacting with you)? Is there anything that may surprise the consumer that you need to include in the top layer?


Most online layered notices are provided through pop-ups. Either upon landing on a page or when a user clicks into a form that will collect additional information, a pop-up will appear and inform the user about the data processing activity in a simple one- or two-sentence description. It will also allow the user to view the entire privacy notice by clicking on a phrase like “Learn More” or “See Our Full Privacy Policy” at the bottom of the pop-up box.


The most common layered notice via pop-up is used for cookie controls. Since cookies try to load when a user lands on a website, the website uses a cookie banner to control the loading of certain types of cookies. The pop-up informs the user that they can allow or deny certain processing activities and either lets them toggle the controls in the initial pop-up or click into a deeper pop-up or separate page where they can manage the cookie types and read more information about each type. Users are also typically given the option to read the full privacy notice.


Similarly, if your website engages in any novel, unexpected, regulated, or sensitive data collection practices, you should consider placing a layered notice on the site that will send your visitors to your more in-depth privacy notice if they want a full explanation. That is why cookie banners should allow users to opt out of targeted advertising (in order to comply with certain state laws and regulations, such as California’s). You may also need a pop-up if you are running an app or website that is doing something completely unexpected. For example, if you have a calculator app that also turns on geolocation when the user divides something, a geolocation pop-up should appear because the typical user would not expect their calculator app to collect that information.


If the processing activity will include sensitive personal information, you should also consider obtaining the users’ consent. Although only a limited number of states require opt-in consent at this stage, it is considered a best practice and will enable you to more easily scale your operations and move into additional jurisdictions. A pop-up can act both as a layered notice informing the user that the app is about to collect sensitive personal information and as a request for the user’s consent to that collection. It can refer the user to the full notice for a more detailed explanation of how you actually use the sensitive information you collect.


You may have noticed that the biggest app marketplaces have already started requiring apps to provide some form of layered notice in which users have to go to their phone settings in order to enable location tracking and to specify whether it can be used all of the time, only when the app is turned on, or only when the app is turned on and the user allows it for that session. 

Telephonic Privacy Notices


Although some organizations now operate solely online, the majority of consumer-facing companies still collect at least some personal information over the phone via their customer service and sales departments. If your organization collects personal information over the telephone, you must provide telephonic notice during the calls. 


At the beginning of any call into your organization, you could have a recording that informs the caller that their personal information may be collected. The recording should specifically reference the collection of sensitive personal information if that is likely to occur. For example, if you collect social security numbers or information about political affiliation as part of your identity verification process, inform the caller that they will be asked to provide sensitive personal information during the call. The message should refer callers to the URL for the full privacy notice.

If a recorded message does not work for your organization, you should train your employees to provide consumers with the same notice verbally, before they ask the caller for any personal information. In either situation, the caller should receive a layered privacy notice that informs them as to how to access the full privacy policy.

Privacy Notices in Apps 


If your organization operates an app, the privacy policy also has to be visibly accessible there. It should be on one of the initial pages of the app itself or have its own link in the menu button, and it should be accessible on the download page of the app store(s) where it is listed for download. The privacy policy should also be accessible from the app’s Settings menu if that navigation will be more intuitive to users than finding it in the menu itself. Remember that the goal is transparency and visibility when you decide how to direct users to the privacy notice inside of your app. Use of layered notices is often appropriate in apps because they are easier for consumers to read, open, and click through in the mobile format.

Privacy Notices in Chatbots


If your organization operates a chatbot or other interactive online tool, it is likely the chatbot is collecting personal information. Your privacy policy link should be clearly visible on the webpage or in the app that is loading the chatbot, but it is also a best practice to give a layered notice in the chatbot. This could involve having an auto-message load at the beginning of a chat that informs the user that the chatbot may collect personal information. It can then refer them to the full privacy policy via a link. As with an app, a full-text version of the privacy policy in the chatbot itself would be difficult to read due to formatting, which is why we recommend a layered notice.

In-person Privacy Notices


If your organization operates from in-person locations, you also need to provide on-site privacy notices. At a storefront, a typical place for posting an on-site notice would be at the cash registers, which is where you are most likely to ask a customer for personal information (such as a phone number, email address, or credit card). Remember, no matter how you are collecting their information, you need to give people notice at or before the point of information collection.


Notice at a brick-and-mortar location is typically provided in a layered manner because it isn’t practical to expect a customer to sit and read your entire privacy policy before checkout. For that reason, most retailers will post a sign by the register that gives a brief description of their practices and the URL of their full privacy policy and tells customers they can ask an employee for a physical copy if they would like one.


In addition to your layered privacy notice signage, you may need additional signage for certain types of personal information processing. Collecting video images via CCTV or other similar systems for security or other purposes, especially if you are running facial recognition on the images, requires prominent notice under privacy laws in the US (and may require affirmative consent in some jurisdictions if you use the images for facial recognition analysis). You should have visible signage in the areas where the surveillance is taking place (most often displayed prominently at the entrance) that informs your visitors that you are recording them, taking photographs, or engaging in other activities that collect sensitive information. If you cannot reasonably obtain their assent, posting the signage at the entrance gives visitors the opportunity to decide not to enter the premises if they do not assent to the recording.

Employee Privacy Notice


If you are subject to California’s Consumer Privacy Act and have any California employees, you are required to provide your employees with notice about your processing of their personal information and should read further on this specific topic.

Dark Patterns

If at any stage of providing notice to visitors or users you attempt to hide what your organization is actually doing, you may be committing a breach of the FTC Act that prohibits “unfair or deceptive acts or practices” or a separate breach of state privacy law by engaging in what is referred to as a “dark pattern.” 


A user interface is considered a “dark pattern” if it has “the effect of substantially subverting or impairing user autonomy, decision-making, or choice.” Essentially, that means that, if you “technically” comply by making a required disclosure but try to hide it in tiny or unreadable print or by using double negatives and similar language, you are impairing the user’s ability to exercise their choice because they haven’t been properly informed. The “dark pattern” warning applies to everything related to privacy law. If you try to subvert the intent of the law so that users will not exercise their privacy rights, so that it is more difficult for them to exercise their rights, or so that they are likely to select options that will provide them with less privacy protection, you may find your organization being investigated for the dark pattern itself, even if your privacy notice includes all the proper, required information.

Conclusion


It is possible to draft one privacy policy that meets all of the requirements of the various US state laws and the FTC. You might also choose to take the approach of having a different notice for consumers in different states. This may make more sense for those organizations that have fairly segmented data. However, for many organizations, having one unified policy is the simplest approach. 


Once your organization decides whether to have a unified or segmented privacy notice, review how you are collecting data. Use that information to decide how and where you should be giving consumers access to your privacy policy. There are many situations in which you need to provide notice, and this article has only addressed some of the most common. Your additional posting needs will be determined by how you do business, who you are doing business with, and what their expectations are likely to be. All of the state privacy laws and the FTC have a unified goal: transparency.


Disclaimer: The information included here is based on best practices generally and should not be used as legal advice. Placement of privacy notices requires consideration of multiple factors, as indicated in this article. Please consult counsel if you are unsure of your posting requirements.