When Should I Have a Privacy Notice?
Last updated
You should actively provide people notice of your privacy practices if:
You are collecting sensitive personal information. This is information such as date of birth, social security number, health information, financial information, etc. Consider the information about yourself that you would find sensitive if giving it to another person.
The intended use of the information is likely to be unexpected or objectionable. Again, try to put yourself in the position of the people from whom you are collecting information. What would this person reasonably expect their information to be collected and used for? For example, when I hand over my credit card for a purchase, I expect my financial information to be used for that payment, not to sign me up for special offers or discounts.
The information will be shared with another organization in a way that individuals would not expect. For example, I collect personal information to provide a transportation service, but then provide that data to a third party for marketing retail services.
Providing personal information, or failing to do so, will have a significant effect on the individual. For example, failing to provide their personal information means the person cannot receive services. Or, alternatively, providing the information means the person will be signing up for a program involving intensive engagement, such as weekly check-ups.
There is a fundamental difference between telling a person how you use their information (privacy notice) and getting their consent. In many cases it is enough to be transparent using a notice. But in others, you will need a positive indication of a person's agreement. This is often referred to as consent or "release of information (ROI)". The diagram below provides guidance on when you should use consent/ROI versus a privacy notice. The ShareSF Guide: Consent provides guidance on creating a consent form.