Website / App Privacy Policies and the GDPR
The GDPR sets out various requirements for privacy notices including that they be “clear and transparent”.
In some cases – e.g. if you want to use contact details for email or other marketing – the GDPR dictates that you have to go further and get appropriate consent from web users at the point where you collect the data. This must be “unambiguous” and involve a clear “affirmative action”, i.e. “opt in”. This is a stricter requirement than before. Careful records must be kept and you must make it as easy for people to withdraw their consent as to give it – relying on an unsubscribe option in a marketing email won’t do! If you don’t get the right consent, then amongst other things you can be sued by data subjects or be subject to regulatory enforcement action.
You’ll need to take additional protective steps if collecting “special category data” (such as details of racial or ethnic origin or physical or mental health) or when acquiring any form of personal data from children.