Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Data sharing practices change all the time.
For example, say you decide to add a form to your website that asks customers for their phone number and home address. In contrast, all you had asked from them previously was their first name and email address. And, at the same time, you need to switch from one email autoresponder to another.
Or, suppose you have a texting app and you've decided to give users the ability to text businesses directly from it, but you're also going to store all those chats on a third-party server (similar to the controversial move made by WhatsApp, initially intended for implementation on February 8, 2021 and then delayed to May 15, 2021).
Another instance might be a case where one company is interested in collaboration and innovation to bring about new technology or other products and services, so it partners with a third party to either obtain or provide data so that it can achieve goals it never could by itself. Then, however, the third party is acquired by yet another company.
In all these instances, data sharing practices changed to one degree or another.
As privacy and data protection laws increasingly gain traction worldwide, it's crucial to understand how to keep your company compliant in terms of data sharing and what to do if your data sharing practices change. We'll help you do just that.
Data sharing still doesn't have a definition that is accepted everywhere. That might sound odd because significant privacy and data protection laws, such as Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), have principles and guidelines concerning data sharing.
For this article's purposes, we'll use the term "data sharing" in the context of commercial business and how the strictest laws concerning data protection use it.
In this context, data sharing generally concerns "personal data" and how your business discloses that information to, or uses it in connection with, third parties that aren't a part of your company.
Examples of data sharing in this respect might be:
Finally, keep in mind that there are three main classifications of shared data. They are:
When sharing data with any third party, the following must be kept in mind at all times and strictly adhered to if you wish to be compliant with laws such as the GDPR and CCPA:
Keep in mind that it's a best practice to put a data-sharing agreement in place between your company and any third-party with whom you intend to share data.
Because data sharing agreements may be used often, depending on your company's needs, you may also wish to have templates drawn up that can be customized as necessary.
A good reason for sharing data isn't just "because you feel like it" or "because you know you'll profit from it." No, a good reason for sharing data must have a legal basis.
Legal grounds for sharing data include:
Before sharing data, it's best to obtain explicit consent from those you are collecting data from.
Further, telling your customers upfront and in clear language that you are collecting data, the purposes for which you are collecting it, how long you plan to keep it, how you plan to keep it safe, and with whom you plan to share it is a necessity.
Remember that while the GDPR and CCPA may not cover all geographic regions where you do business, both laws are now being used as the proverbial gold standard for privacy and data protection (which cover data sharing practices).
Many nations and states are in the process of passing legislation that borrows heavily from them.
Then you'll want to notify your customers of all relevant changes you've made. We'll go over specifics below.
Here's the notification WhatsApp sent out through its messaging system:
Other agreements that might be affected include:
You should also gain new consent for the changes you plan to make. This shows respect for your customers and allows them to either opt-out of further data collection or to delete their account with you entirely if they don't agree with your changes.
There are a couple of ways to give notice to your customers. They are:
While you could limit providing notice to only one of the methods mentioned above, it's a best practice to use both in conjunction with each other.
You can effectively share changes to your data sharing practices through email. In fact, email notifications are considered more effective than the other two methods we'll share below because people use their email just about every day.
Thus, your customers have a much higher chance of seeing and reading your notification. This is in contrast to a popup notification on your website, which some customers may rarely visit.
To be effective, your email notification should include four things:
Another method of letting your customers know that you're implementing changes to your data sharing policy is through the use of a conspicuous popup notice. Ideally, you'll place this popup on your company website's main page, and you'll use it to help gain explicit consent.
In the popup notice, you'll want to include the following:
Here's a popup Twitter used when it changed how it shared data:
General principles to keep in mind when notifying customers of changes to your business practices include:
There are some situations in which you'll need to do a bit more than what's outlined above in terms of what to do when your data sharing practices change. For example, how you handle data sharing may change significantly when going through an acquisition or a merger.
During a change in the organizational structure of any kind, you may find that you'll have to transfer data to a different person or organization. Therefore, you'll need to consider sharing data as part of the overall due diligence you must conduct when taking on a new organization and its commitments.
Part of carrying out that due diligence requires that you establish the purposes for which data was collected initially, gain a clear understanding of the lawful basis for sharing that data, and determine whether these will change in any way following the acquisition or merger.
As noted previously, if you find that any changes are made to your data sharing practices, you'll have to inform those who have given you their personal data of those changes. Furthermore, it is your responsibility to make sure that shared data is secured correctly and that you document all shared data.
As suggested above, you may find that you'll have to transfer data to a different person or organization during an acquisition or merger.
In the event this happens, you'll need to:
Following an acquisition or merger, it may be hard to manage any data that's shared. Difficulty managing the data may especially be the case when the organizations in question attempt to integrate different systems or are using other databases.
You will want to ensure that you:
Whether you ever need to change your data sharing practices or not, you should always keep the following foremost in your mind regarding your policies on the matter.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.