VanRein Compliance Podcast

Navigating Privacy Policies, Cookie Policies, and Data Protection Agreements

Rob & Dawn Van Buskirk Episode 63


Ever wondered how the pumpkin spice latte you love so much could possibly lead to a profound conversation about data privacy? Your hosts Rob and Dawn are here to make that transition smooth! In this episode, we'll be sharing tales from our lives, dabbling in band competitions, football games, and even our views on the overpowering pumpkin spice craze. But the real kicker comes when we shift gears to unbox the intricate world of privacy policies, cookie policies, and Data Processing Agreements (DPAs).

Does the legal jargon in these policies make your head spin? Fear not! We simplify these essential terms, highlighting the crucial aspects every organization needs to consider: data usage, possible sales, and even advertising methods. We walk you through the maze of global and state privacy laws, helping you craft a policy that perfectly fits your needs. Learn why ignoring cookie banners could land you in hot water legally, and why accepting all cookies should never be an option. Let's unravel the complexities of data privacy together and make sure our personal information stays safe. Join us for this peculiar blend of fun and function - it's a ride you won't want to miss!

Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on X
Follow us on Facebook


Privacy Policies, Cookie Policies, and DPAs

Rob

Hello and welcome back to the VanRein Compliance podcast with Rob and Dawn. I'm Rob. And I'm Dawn and hello folks, we're back.

Dawn

We are back.

Rob

We have a fun filled episode this week, talking a little bit about oh, we're going to have a homecoming, we're going to talk about eclipse, and then we're going to dive into privacy policies, cookie policies and I like cookie monster policies and DPAs Right.

Dawn

Oh, cookies, hmm, oh yeah, we may have to go to the crumble cookie and get some of those cookies.

Rob

Hey, speaking of I bet you, they have pumpkin spice. Oh my gosh, I know right, everything is pumpkin spice.

Dawn

What's the deal with the pumpkin spice? I know we we talked about that before, so I think it's too much yeah.

Rob

Don't you think? Is it? Is it or is it not enough pumpkin spice?

Dawn

I don't know I think it's overdone, but that's okay. But hey, we had a fun filled weekend of football, which again we won Um, I think it was like 69 to zero.

Rob

So we're killing it again. This year 62 something.

Dawn

Um, and we had uh UIL with uh for band, which is um, a uh. It's a state competition. It's a state competition, yes, to go to state. We won Um. We moved on from regional, so we have area um in two weeks from now. So that's awesome, our band is rocking it. Then we had homecoming, so yes, we had oh, wait, wait, wait back up. We had the eclipse here in Texas. We were able to see the eclipse, have the eclipse. It was super cool.

Rob

That was fun. Yeah, don't look right at the, just don't look at it. Yeah, if you look at it, you burn your eye out.

Dawn

Well, hopefully no one did that yeah.

Rob

We all have a little glen, we have the glasses. We stood in the parking lot because it's after UIL, after the band competition. And we all looked at the sky.

Dawn

Yeah, it was kind of cool.

Rob

And he had that dark like hue. That was the cool part. I think that, like damn, it's very.

Dawn

Halloweeny, I like saying that word. You just like to say that I know, it was very cool that we were able to see that. I know not not all. I think there's like five states and then there was also like northern part of South Africa. I think I got to see it.

Rob

Yeah, yeah, but yeah.

Dawn

Super cool. And then we had homecoming oh, my gosh.

Rob

So, um, yeah, well, and so did we, because we had to drive to Kiddos, yeah, and then that whole week.

Dawn

you know, it was Friday the 13th too Well yeah, we had that too.

Rob

So we had that.

Dawn

Yeah, I know it was kind of a full weekend. Um, homecoming, yes, got to drive the Kiddos, the Kiddos and his date to the dance at the high school. And that was fun seeing all the kids and the girls like their sparkle dresses Sparkles were big. Um, boys, it was varying, but there was one boy in it and he had a really cool like light pink suit. So there was some really cool pastel colored suits which I thought was really cool. That's fun. Yeah, yeah, I like that. Yeah, it was very cool. Oh, boy.

Rob

Is it good he cleaned up? Mm-hmm, yeah, he cleaned up nice Even like showered in his shade and looked good Of course he did. Smelled good yeah.

Dawn

Yeah.

Rob

Yeah, we had to hose him down outside.

Dawn

No no.

Rob

Nice, no hosing, no hosing of the boy.

Dawn

It was fun though. But, anyway, I know it was homecoming, um well, a different different times a year for different different parts of the country, but I think we've all. I think we're all, I think it's all happened everywhere now, but uh.

Rob

Do we get it all through? Yeah, I think so.

Dawn

Yeah, but it was very fun times, and now we continue with our band, tobur, as we call it.

Rob

Band Tobur.

Dawn

Um and yeah, and the goodness Quarter four, here we are.

Rob

Here we are, quarter four. Yeah, exactly, and did you listen last week because I put in the news ticker info, the sorry, the news ticker noise clip News.

Dawn

Remember you wanted the news. Oh, yes, thank you. Yeah, put that in there for you. You didn't listen to it, did?

Rob

you. I don't know, maybe. Folks, she does not listen to her own podcast. Come on, Dawn, you got to listen to your own podcast. You guys, you don't understand what it sounds like. I do?

Dawn

I do listen to it here and there.

Rob

Oh my Lord yeah.

Dawn

But some, you know some people can listen to podcasts as they work. I can't listen to things that are Um like that Spoken word yeah. I can't, I can do. I do my like chill or focus music.

Rob

Mm-hmm.

Dawn

Um, it has some words, some instrumental. I can do that. I can't do work and listen to podcasts at the same time.

Rob

No, no, doesn't work, doesn't work for me.

Dawn

Nope, so, but anyway, those of you that can, more power to you. I guess you can multitask in that way. That's just something I can't focus on, because when I'm trying to and usually it's because I'm working on policies which that's a good segue Privacy policies, cookie policies and DPAs, which are very, very much heavy in legal verbiage.

Rob

And detailed.

Dawn

So, yeah, definitely can't focus on those and listen to someone telling me about whatever, whatever their agenda is, well why don't we?

Rob

there we go, we should segue over to the rest of the podcast.

Dawn

Yes, let's do it. All right, let's do it.

Rob

So this week we wanna dive into privacy policies, cookie policies and DPAs. We've been, I think the last two weeks. We spent more time with attorneys and clients and, oh my Lord, all kinds of well, cpi is two, but all kind of ties in but really focusing on these policies, but not only the creation of the policies and the language of the policy, but the implementation of the policy, that exactly that is a big thing.

Rob

Have you actually implemented it? Yes, we can create the document, we can get the approvals, we can get the sign-offs, but do we actually implement it? And so that's how we test the controls. If it's HIPAA, if it's SOC 2, if it's HITRUST, GDPR, you have your policy, you have your procedure and then you test that, right, you verify it. But then you also have to test if it's been implemented in the organization.

Dawn

Evidence, evidence of implementation.

Rob

That is a huge piece of compliance and security. And yes, you have taken kind of more of the brunt because Dawn does like to craft the policies. You're getting very good at it, by the way.

Dawn

Yeah, it's so, folks, if gosh, I wish we could see your hands right now.

Rob

They're all raising their hands.

Dawn

If you don't have a solid privacy policy on your website, you better get going, because you have to not only call out how you use the data that's being entered in your website, how you're using that customer data, if you're selling it, if you're advertising, how are you doing that Advertising your services, the cookies, so on and so forth but also what states. Each state has privacy laws. Most of the states do, and are you calling that out? Do you have customers in the state of California? Have you made a note of CPRA on your privacy policy? Do you work in the EU?

Dawn

Do you call out GDPR.

Rob

GDPR yep.

Dawn

And light bulb here. Light the bulb yeah do you have residents in the UK?

Rob

UK has a separate.

Dawn

GDPR.

Rob

From the Brexit, yes, from the Brexit. I know, is it Brexit or Brexit, brexit, brexit. There's both of them.

Dawn

Whatever, so it's important to know where you are doing business and who you're doing business with, and that it's really to have a framework. And that's what we provide at VanRein, is that, you know, we've talked to a lot of, you know, auditors, a lot of, you know, different entities, and a lot of them do not create policies for customers.

Dawn

We don't do it for customers, but we do the framework and so, as one of our customers, you have to actually you've got to put in a little bit of work here, because when you get to these policies, it becomes you know, how is your Google analytics working back here? How is your cookie like? You really need to state kind of that information GDPR. Who are your sub processors?

Dawn

Yeah, I mean GDPR is all about who's the controller, who's the data processor, who are your sub processors? And are you transferring data outside the EU, outside the UK? Is it staying in the States? How are you? Where's your data going? So that's a big thing international transferring of data. So all this stuff that I'm talking about not to overwhelm is all the details and then some that you need in a privacy policy. The cookie policy is also part of this, but I think what Rob was kind of getting to is not only that, but the cookie banner on the website.

Dawn

So that is key as well, because you've got to give folks the choice to choose necessary, strictly necessary, or if they want to be part of your advertising marketing all that kind of stuff.

Dawn

So giving those consumers the choice there. We have been advised that there's been attorneys that have got have, you know, serve lawsuits, if you will, for companies that don't have cookie banners, companies that don't have that don't state how they're using consumer information, you know, and that type of thing. So be very careful. It's always good to have legal counsel. It's a small business, we do, and if you are a business, typically you do as well. It's always good to have them look it over. Like I said, we can provide the framework. You can fill in some of the blanks and some of the stuff that's real specific to your website and business, but definitely have someone in the legal field review that as well.

Rob

Yeah. So the key is with a privacy policy. It's there to enhance your brand's reputation and establish trust with your audience. The audience needs to know how the data is handled. Those, you know, those are central components making sure what's included, the data collection methods, the purpose of the data processing, the data protection measures. You need to have all of that. So even at the bottom, at the trash bar, if you will, in the bottom of the website, you need to have those policies. If you don't know how to take care of those policies, you don't know how to craft those, just let us know. You know we're happy to help. We do a lot of this work. Now, when we go from privacy into the cookie monster policies a lot of us have seen this where you have, the banner pops up and goes hey, you wanna accept all cookies and I have to say right now, never, never, never accept all the cookies.

Rob

Never. Take the moment and click the choice and it'll either say deny all cookies or it'll say accept essentials.

Rob

Because there are some cookies, geographical, time-dependent cookies, that are needed for the website to work. But if you ever wondered why, oh, I said that I need dog food, or I'm looking for a vacation, or I'm looking for a, I don't know. I think the big thing is like a restaurant or somewhere to go to, and you look it up on one device and all of a sudden it's across all devices and across all platforms, right? You see it on Facebook, you see it on Twitter, you see it on TikTok or whatever. You see that, and the reason why is those cookies have captured the information and shared that across all the platforms. So what's key is to make sure that you understand how your cookies are being used and, like Dawn said, you may want your information used to get information for that.

Rob

If you're shopping for something or you're on a vacation or something. I don't know Depends how you want that, but having those cookie policies is critical. You gotta have them on your website and you have to have. You have to make sure people are aware of how that data is being used.

Dawn

Also learned a fun trick from a website developer is and you folks may know this. But if you go on a website and you click on the lock, the padlock if you will, you can click on that and it actually brings up a menu and you can go cookies and site data and you can go and see. You know what, what your cookie situation is. The cookie situation.

Dawn

Yeah, this is funny. I had a customer that says, oh, we don't do any cookies, and I literally showed really, here you go. And they were like oh, I had no idea, it's because people don't understand what cookies are other than the delicious cookies that we go eat.

Dawn

So, it, it's, it's, it's educating yourself and that's why we're here too is educate, to educate y'all. But, um, yeah, it'll tell you, it'll go in and it'll talk to you at cookies and site data. So it'll, it'll, it'll tell you all that there and it's just, it's super interesting. So, yeah, click on in the, in the bar, um click on the uh, click on the padlock I guess the lock padlock.

Rob

Yeah, I don't know why I'm I know the padlock.

Dawn

Anyway, just a little side note there, but Yep.

Rob

Yeah, that is key. Um, that's the cookie functions, the legal compliance pieces in there as well. It's right. You know, international laws, um, were mandated to informing users about cookie usage and what that looks like. So you've got to tell your customers where you're using the data and how you're using it and and what that looks like.

Dawn

Right, absolutely, yep, yep.

Rob

Now, how do we craft the cookie policy? Dawn, you've been working on this quite a bit and we've kind of tag-teamed a lot of this. You have to kind of dive in and understand what a cookie policy looks like. Um. So what we do at VanRein is we'll take, we'll take, you know, the information depends on. We first start with where. Where in the world, if you will, are you grabbing the data, right? So are you, are you gathering data from folks in the EU?

Dawn

Are you?

Rob

getting the data just in the state of California, or maybe Texas or New York or Florida, maybe Canada, maybe APAC. You know where are you getting the data. So you first understand the type of data you're gathering and then you understand the where the residents reside of the of that data, right? So if it's in the EU, then basically you're going to be focused on GDPR, which is going to be key.

Dawn

Yep.

Rob

So you have to then craft the policy to be specific to GDPR, and GDPR is probably the, I would say that GDPR and CCPA and CPRA are some of the best guidelines on cookies, and you have to explicitly opt in or opt out, which is good. A lot of websites just say whatever, opt in everything, because they want to track everything.

Dawn

Yep.

Rob

And that's not what we want to do.

Dawn

Yep, Yep, absolutely so you know, speaking of GDPR, DPAs, what is a DPA?

Rob

Oh, moving right along into DPAs.

Dawn

It's a data processing agreement. So again, our customers that are HIPAA, that they know that there is something called a BAA, which is a business associate agreement.

Rob

Yep.

Dawn

This is an agreement between yourself, who Yourself may be a BA, a BAA, or you may be a provider with a BAA, a business associate. So, working with a business associate, your data is going back and forth, right, somehow, some way encrypted, right. And so what's happening is you come to an agreement. If one entity has a breach or the other has a breach, everyone knows how to handle it. Everyone knows who's got what, whose responsibility is what. So it's an agreement regarding that data that you're both handling. So a DPA is very similar to that, but it's for customers that you work within the EU or the UK, and it's really it calls out instead of a business associate. It's your controller, and then you're a data processor and then they have data sub-processors. So it's a similar agreement, but I will tell you it's so much more involved.

Rob

Yeah, it's very deep, very detailed.

Dawn

You're calling out. You know your technical safeguards, your operational technical safeguards you're calling out. You know how you're transferring this data like where are your servers at? Where are you processing it? Who's sub-processing it? What's your list of sub-processors? Getting the point where some customers are actually putting their DPA on their website next to their privacy policy because people want to know well, who do they work with, who are they?

Dawn

who else is processing it besides them? This is becoming really big. So you know it, and I would think most people honestly are working with some sort of, you know, EU or UK customers. There's so much global work that so many of our customers do. And California, actually California has a DPA. So because CCPA, CPRA was, CPRA was, you know, was copied basically, as you know, from GDPR.

Dawn

I mean, it was basically like, here, this is the great, you know, framework and we're gonna, we're gonna do that too, so you know. The other thing I want to make a comment of, and this is, if my one customer is listening to this, they'll know who they are, but is, when you're working with these agreements or policies and you're working with an attorney, I would say a good first step would be: hi, Mr. or Mrs. Attorney, do you have a template that you prefer we use for either of these policies? I'll tell you why. We went back and forth, and back and forth, and basically, at the end of the day, a week later, a week and a half later, I think the attorney says, well, I have this template, you know. Basically, okay, so we could have just started with that.

Dawn

So just learning, and again, that's just learning to ask: should we use a template that you prefer in regards to this? So that's always a good thing to ask up front, but there is a lot of work, collaboration, with documents like this. It's not just a blanket document. Sure, there are items that you need to make sure you include in the framework, but it is very detailed.

Dawn

So again, it is recommended that you have an attorney. Look at it. You've got a good grasp on what it says, what you need to say, because it's going to be out there on your website and you do not want to get caught with saying that you're doing one thing and not doing it, or vice versa.

Rob

So the key too is you got to have your policies. So don't just ask for a template and then just craft stuff. You have to have the policies already created and make sure that things are there and are put together and then if someone, depending on the customer, if they would like to use their framework, then you can import those details in. But I always recommend is show that here is the crafted policy show when it was approved and show when it was created.

Rob

You're created and approved, I should say. So. That's what I always focus on and make sure we know what's going on there.

Dawn

Absolutely. Yep, Good stuff. It's a lot of detail work, but we can help you walk you through that. It's really really important.

Rob

Yeah, these are just three of hundreds of policies you need, but privacy policies, cookie policies and DPAs are key for the success of your business. So if you have questions on that, obviously reach out to us at helloadvanoritecompliancecom, or if there's anybody that would like to subscribe and like the podcast and share this with others that may find some fun things of DPAs, Privacy Policy, cookies, let's say, homecoming moms and anything else that we like to randomly talk about sometimes. So very good. What else, Dawn, any parting ideas?

Dawn

No just.

Rob

No, she's got nothing, kids.

Dawn

Just something that you've said is stay privacy focused. I think that is really key right now is it's data privacy. Doesn't matter what kind of data it is Healthcare data, obviously, very important Data your email, your phone number, all the data that's out there that Google has, or will have at some point. Yeah, stay really vigilant and in your privacy, data privacy, procedures and policies and your posture Really stay focused, have that really good posture.

Dawn

It's a really really good one for your privacy. So it's just very important right now. It is a hot button and just make sure you have what you need on your website.

Rob

That's it Awesome. That's the pod. All right, all right, until next week, bye-bye.