An organization must have a privacy policy to be compliant with 10DLC regulations. It can be beneficial to post a separate, unique privacy policy specifically dealing with 10DLC requirements, if you can do this.
We know that our customers, being legal practices and law firms, already operate under strict attorney-client privilege regulations - that are more powerful and supercede other privacy agreements - so your existing practice may meet these requirements. You can use this, if the requirements noted below are met.
Ideally, this is available on your website. However, we know most of our customers make their privacy policy clear as part of the intake policy. You can post an image of your existing agreement online (on a cloud service like Google Drive - just make sure to set it as 'visible to anyone with the link'), if you do not have this already present on your website, or copy-paste the text into a sharable document. Just provide that 'share' link in the registration form.
Alternately, you can quickly write up a 10DLC-specific privacy policy, and either post that to your website, or share it via a cloud-document service.
We've provided an excellent and 10DLC-successful example in an article here.
You can use this as a template to rapidly add a 10DLC-compliant privacy policy to your process!
Of course, we recommend crafting your own personalized privacy policy, but we understand that input from online resources may be useful to quickly complete this step of the process.
Ensure that your Privacy Policy Complies with 10DLC Standards
If you are going to edit or add to your existing privacy policy, first, make sure that it is comprehensive and addresses these key points:
- The type of information your organization collects
- How your organization collects that information from users
- How your organization uses and shares any information collected
- Explain how your organization protects user data
Next, ensure that your privacy policy covers these crucial aspects:
- Ensure that your privacy policy clearly states that the phone numbers you collect and the consent you received will not be shared with 3rd party providers.
- If your privacy policy does mention that you share data with third parties, you must make a carve out/exclusion for sharing phone numbers and opt-in consent that you collect from your consumers. Please ensure your privacy policy is amended to reflect this before campaign submission.
For example:
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. - It can be beneficial to specifically note how your contacts can opt-out, using the STOP reply keyword (an example is below).
If you share information with service providers (such as Corvum or Clio) this is a good way to handle that in your privacy policy:
We will not share, sell, or disclose your information to third parties except:
a. Service Providers: We may share your information with trusted third-party service providers that assist us in operating our SMS services. These parties are required to maintain the confidentiality and security of your information.
b. Legal Requirements: We may disclose your information if required by law or in response to a legal request, such as a subpoena, court order, or government demand.
Explicitly State that Your Organization Does Not Share Information
Carriers closely scrutinize any language that might be interpreted as sharing information with third parties for marketing purposes. Your privacy policy can state that it shares personal information strictly for the purposes of conducting essential business operations, but it should explicitly mention that personal information will otherwise not be shared with third parties without the consent of the user or unless legally required. To address these concerns, we recommend ensuring that the language of your policy reflects these sentiments.
A generated policy will contain separate sections for each topic of your policy. There will typically be a section regarding when information is shared with others. We recommend asserting your commitment to not sharing information without consent or legal obligation with the following language at the beginning of this section:
"[Your organization] maintains strict privacy policies to protect the personal information of our users obtained for text message communications. This information is never sold, rented, released, or traded to others without prior consent or legal obligation. Any sharing of information with third parties is solely for the purpose of fulfilling the organization's obligations to the user. We guarantee that it will never be shared with third parties for marketing purposes." |
Next, review any bullets in the section about sharing information for anything that is inconsistent with the requirements mentioned so far. Mentions of marketing can lead to the rejection of the use case, so these should be reworded or removed.
Opt-Out instructions
Your privacy policy can also include instructions on how to opt out of further text communications.
Corvum will automatically handle Opt-in, Opt-out, STOP, and HELP processes for you.
We recommend adding the following language to an appropriate section within your privacy policy:
"Here is an example of our text message Opt-Out message: If you are receiving text messages from us and wish to stop receiving them, simply respond with either “STOP” or “UNSUBSCRIBE” to the number from which you received the message. Once we receive your message, you will no longer receive further text messages from us." |
Comments
0 comments
Article is closed for comments.