Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Third-Party Risk Privacy: Understanding Policies, Notices and Consent

6 min read
Featured Image

In the absence of federal privacy legislation, several individual states have signed their own comprehensive laws, including California, Colorado, Utah and Virginia. Aside from keeping up on emerging new privacy legislation, it can be challenging to understand the language found within these laws as well as how your vendors are remaining compliant with privacy expectations.


Two common requirements seen in privacy laws are the concepts of privacy notices and consent gathering. Notice and consent are closely related but serve distinct purposes. In this blog we’ll explain the purpose of each and provide some guidance on evidence to look for in vendor documentation. We’ll also provide some practical next steps for vendor assessments.

Difference Between a Privacy Notice vs. Privacy Policy

A privacy notice can be synonymous with a privacy policy, although the two are supposed to serve different purposes in an ideal world. Let’s discuss further.

Privacy notice is often confused with the term privacy policy. This is exacerbated by the fact that many privacy laws don’t require the actual use of the term “notice” when referring to the mechanism an organization uses to provide consumer-facing information about their privacy practices. You may be thinking, “If most privacy laws don’t care if you use ‘notice’ vs. ‘policy’, why are you bothering to explain the difference?” That’s a valid question. The short answer is that some laws, such as China’s Personal Information Protection Law (PIPL), DO require specific privacy notices. PIPL requires that companies “…shall truthfully, accurately, and completely inform the individual…in an eye catching manner and with clear and understandable language…” (PIPL 17). The differences between a privacy policy and privacy notice is explained in more depth in the follow sections.

Privacy Policies - The Purpose

A privacy policy should be thought of as the “by lawyers, for lawyers” document that dictates what an organization is legally required to do (and/or has voluntarily committed to doing) and the actions that must be taken to comply. It’s generally complicated and difficult to read due to the legal language used and is rarely helpful for a lay person in determining what an organization is doing with their data.

One study a few years ago stated that it would take the average American consumer over 200 hours to read all the privacy policies they would come across in an average year, and another found that the reading comprehension level required by some of the policies was greater than that required to read Stephen Hawking’s A Brief History of Time. Some of you must read these policies regularly as part of your job, so you know how dense and hard to decipher these documents can be.

A good privacy policy should function primarily as an internal-facing document that allows individuals within a company to understand the obligations of the organization to safeguard data as well as to identify ways the organization can improve their overall privacy posture.

Privacy Notices – The Expectation

As opposed to the lengthy and complex privacy policies, privacy notices should be short, clear and easily understandable by anyone. Notices should explain in plain language an organization’s data practices and other privacy-related information. Your vendors should have privacy notices implemented into their practices.

These notices can be delivered to users at different points during their use of a product/service, depending on the organization’s user experience design (UX) choices and applicable laws. Some laws require that a privacy notice be provided to a consumer at the point that data is collected, while others only require that an explanation of data practices be available to users if they want it.

For example, a privacy notice around the purpose for which a user’s email address is collected would be better shown when a user is prompted to enter their email address into a web form, instead of as part of a dense policy or end user license agreement (EULA).

Privacy Notices – The Reality

While the above example of a just-in-time privacy notice would be an ideal way to show the reason a company needs a user’s email address, reality doesn’t match this “privacy nirvana.”

The reason for this gap between privacy professionals’ ideal world and the real one comes down to compliance obligations and budget, in most cases. Because the penalties for non-compliance with privacy laws is steep, organizations need to ensure that their legal obligations are met within their privacy policies. Because re-designing UX (and lawyers) is expensive, many organizations stop after developing privacy policies that meet legal requirements.

Reviewing a Vendor Privacy Policy or Privacy Notice

A privacy policy or policy notice should, depending on applicable laws and regulations, document:

  • What data is being collected
  • What that data will be used for
  • Who that data will be accessible to (including third-party vendors)
  • How data will be kept secure
  • What the rights are of the data subject (consumer) under applicable privacy laws and/or an organization’s privacy framework
  • How to exercise those rights (one of which is withdrawing consent, discussed below)

vendor documentation

The Basics of Consent

Consent is a mechanism by which companies can demonstrate that an individual has given permission to collect/process their data. General Data Protection Regulation (GDPR) includes consent among the list of legitimate bases for processing while other laws have different requirements. Consent should only be considered valid if an individual can reasonably be expected to understand the reason for collection (as spelled out in a privacy notice/policy).

Consent in the context of privacy is essentially permission directly from an individual to collect or use their personal information. Logically, permission should be revocable, which manifests itself in privacy laws as some form of “opt-out” clause, meaning an individual who provides consent must be able to withdraw that consent. Keep in mind, not only does your organization need to consider consent, but you must verify your vendors have consent processes in place to that comply with GDPR and other privacy law and regulation requirements if they will be collecting data on behalf of your organization.

Consent to process data is NOT required by all privacy laws prior to collecting/processing data. Here are two examples that differ on this requirement:

  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires that organizations collect “meaningful consent” from individuals prior to processing their data.
  • The EU’s General Data Protection Regulation (GDPR) on the other hand, lists consent as just one of the legitimate bases for processing, but it isn’t the only valid reason a company can use to process an individual’s data. However, when consent is used as a basis for processing, there are strict criteria that must be adhered to for the consent to be considered valid.

To be valid, consent needs to be a freely given, specific, informed and unambiguous indication of an individual’s agreement. This means consent should pertain to a single data practice rather than be bundled together with consent for multiple data practices. (An Introduction to Privacy for Technology Professionals section 5.4.1.2)

What consent mechanisms look like in the real world can vary, but a common one is a checkbox next to a form stating, for example, “By checking this box you are allowing us to use this email address for marketing purposes.”

Consent can also be documented through the requirement of a user to accept the terms of service or privacy policy before use, although these mechanisms are frequently too dense and complicated to be useful to individuals, which casts doubt on whether the consent could be considered “freely given, specific, informed, and unambiguous.”

Using Your Understanding of Notices and Consent in Vendor Assessments

Now that you have a better understanding of notices and consent, it’s important to know how to use this information in your vendor assessments.

Here’s some general guidance:

  • When assessing whether a vendor has provided a privacy notice to consumers, it’s acceptable at this time to look for a privacy policy on their website. However, that criteria may be adjusted to include screenshots of applicable public-facing privacy notices as proof.
  • It may be helpful to review the privacy policy for any mention of consent, but the main areas that you will find evidence for this will be within questionnaire responses (e.g. SIG 2022 question P.3 and child-questions address choice and consent). Consent is harder to quantify, as it’s not always required that a company obtain explicit proof of consent prior to processing, and the consent mechanism can vary depending on the product.

Third-party privacy expectations need to be set. As new regulations are expected to emerge, it’s important to ensure that your organization and its vendors remain educated and compliant.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo