Last updated on 01 July 2022 by Jaclyn Kilani (Legal writer at TermsFeed)
If you've ever tried in vain to find a way to directly contact a business only to discover that they have no contact information listed on their website, then you know how frustrating the experience can be.
It is considered a general customer service best practice for every online business to provide easy-to-access contact details for customers and clients. However, this is not the only reason you should post your business's contact details.
Although not every international privacy regulation requires public contact details, the ones that do will likely apply to your business.
Let's take a look at each stipulation and how to satisfy it.
1. List the physical location where consumer data is being stored and processed
This is usually disclosed at the very top of the policy, as demonstrated by Workable:
2. State the contact details of both the data controller and the data processors, if applicable
The data controller and the data processor could be one and the same entity or, in most cases, two different companies. For example, if your business collects personal information directly from customers and uses that same data to send its own marketing messages and advertising, then you are both the data controller and the data processor.
In this case it is only necessary to publish your own contact information as the data controller, as does Workable in this example:
On the other hand, many businesses use third-party services like Google AdWords or Facebook Ads that process customer information in order to provide analytical and advertising services. If this is the case, then you would also be required to list the names and locations of the third-party organizations you contract to process your user data.
3. Post the contact details of the Data Protection Officer, if applicable
Other entities, like Nestlé, prefer to include a physical mailing address as well:
4. Post the contact details of your European Representative, if applicable
For businesses located outside of the European Union, a European Representative may need to be appointed as a point of contact for EU data subjects and supervisory authorities. This is another requirement that may not apply to every non-EU-based business.
In general, if your business only does occasional processing of EU user data, and doesn't deal with sensitive or crime-related categories of data, your business probably won't need one.
Here's how Product Hunt lists both a physical and email address for its EU representative:
Like the GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to any company that processes the personal information of Canadian residents. In regard to business contact information, PIPEDA only dictates two requirements.
The California Online Privacy Protection Act (CalOPPA) is a California state law that applies to any company that collects personal information from California residents. Since most companies that do business in the United States have at least a few California residents as customers, this law will apply to most companies.
The only requirement that CalOPPA designates regarding contact information is the following:
Businesses must post a clear explanation of how users can request amendments to any personal data that is collected.
This can be achieved by providing users with an online portal to view, change, or delete their personal information, or by providing an email address or contact form to make such requests.
Apple has both:
As you can see, Apple provides both an online portal where users can access their personal information and a link to a privacy contact form for making direct requests.
So long as you have a process in place for accepting user requests and inform your users how to make the requests, you can choose to use forms, email addresses, user account interfaces or any other method of contact.
Customers are informed about how they may access, change, or delete their personal information:
Next, Living Clean details which data processors it uses and provides a physical address as well as a web link for those processors:
Finally, Living Clean posts contact information for its US-based privacy officer. Since this is a small company that does not process large quantities of EU consumer data or sensitive categories of data, it isn't required to appoint a DPO or EU Representative.
The contact information of the DPO is also listed at the beginning of the policy:
In order to give consumers full access to their personal data, a link to a dedicated contact form is provided:
Finally, Audi lists out each of its data processors, along with links to opt-out or obtain more information:
Location and contact details are included in the policy in a clearly labeled clause:
Contact information is provided for exercising data subject rights by way of an email address, mailing address and dedicated contact form:
In compliance with the GDPR, Groundspeak supplies full contact information for both their Data Protection Officer and EU Representative:
Although technically a location for data processors should also be provided, Groundspeak does provide a list of data processors as well as links to their respective websites:
By taking the simple steps outlined above, you can meet both the legal requirements regarding privacy contact information and consumer expectations. The easier you make it for your customers to contact you regarding privacy complaints or requests, the easier it will be to resolve any potential privacy problems before they escalate into legal issues.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.