Website / App Privacy Policies and the GDPR
If you operate a website or app, a starting point for GDPR compliance is to publish a privacy notice (or privacy policy) which explains:
- What kind of personal data you collect via your website or app.
- The legal basis for collecting it.
- How you use it.
- To whom you send it.
- How long you keep it.
The GDPR sets out various requirements for privacy notices, including that the information be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
In some cases – e.g., if you want to use contact details for email or other marketing – the GDPR dictates that you have to go further. Here, you need to get appropriate consent from web users at the point where you collect the data. Generally, this consent must be “unambiguous” and involve a “clear affirmative action”, i.e. an “opt in”: a pre-ticked box or silence does not count. This is a stricter requirement than under the previous law. You must keep careful records of what each person consented to, when and how. Also, you must make it as easy for people to withdraw their consent as it was to give it. Relying on an unsubscribe option in a marketing email won’t do! If you don’t get the right consent, then you can be sued by data subjects or subjected to regulatory enforcement action.
However, where you are only promoting your own goods or services to people who have expressed an interest, the GDPR may allow you to use a different legal basis – “legitimate interests”. Under this, you need only provide a more relaxed “soft opt in” notice: broadly, where you obtained the person’s details in the course of a sale or negotiations for a sale, you market only your own similar products or services, and you give a clear chance to refuse both when the details are collected and in every message sent. This is half-way between “opt in” and “opt out”. In fact, it’s more like “opt out” than “opt in”.
If you are collecting “special category data” (e.g., racial or ethnic origin, or physical or mental health), you will need to take additional protective steps, including identifying a specific condition that permits the processing. Likewise if you are acquiring personal data from children.
Another factor which lawyers drafting privacy policies need to think about is whether you are transferring personal data outside the UK. Say one of your technology providers stores personal data of your customers (including IP addresses) outside the UK. Examples: your website host, Google Analytics, Mailchimp email services, etc. There are various ways to deal with this, including transferring the data only to countries that the UK recognises as providing an adequate level of data protection (e.g., the EU), or putting in place standard contractual clauses approved by the Information Commissioner’s Office (ICO), the UK data protection regulator. Whichever route you take, the privacy policy should tell users that such transfers happen and what safeguard applies.
The GDPR also requires that your privacy policy tells your users about their various data protection rights, including:
- To access personal information.
- To rectify mistakes.
- To have it erased, or to restrict or object to its use, in certain circumstances.
- Data portability.
- How to complain to the ICO. (As internet privacy lawyers, we’ll help you minimise the risk that users will have a reason to complain!)
See Cookies and GDPR for information about how the GDPR affects cookies and cookie consent notices.