Website / App Privacy Policies and the GDPR
The GDPR sets out various requirements for privacy notices including that they be “clear and transparent”.
In some cases – e.g., if you want to use contact details for email or other marketing – the GDPR dictates that you have to go further and get appropriate consent from web users at the point where you collect the data. Generally, this must be “unambiguous and involve a clear “affirmative action”, i.e. “opt in”. This is a stricter requirement than before. Careful records must be kept and you must make it as easy for people to withdraw their consent as to give it – relying on an unsubscribe option in a marketing email won’t do! If you don’t get the right consent, then amongst other things you can be sued by data subjects or subject to regulatory enforcement action.
However, in certain cases, where you are promoting only your own goods or services to people who have expressed an interest in them, you may be allowed to use a different legal basis (known as “legitimate interests”) to provide a more relaxed form of notice known as “soft opt in”, which is a half-way house between “opt in” and “opt out”. In fact, it’s more like “opt out” than “opt in”.
If you are collecting “special category data” (such as details of racial or ethnic origin or physical or mental health) or when acquiring any form of personal data from children, you will need to take additional protective steps.
Another factor which lawyers drafting privacy policies need to think about is whether you are transferring personal data outside the UK. This can arise even if say one of your technology providers is storing personal data of your customers (including IP addresses) outside the UK, e.g., your website host, Google Analytics, Mailchimp email services etc. There are various ways round this including export to various countries that are recognised by the UK as providing an adequate level of data protection including the UK European Economic Area, known as the EEA (i.e., the EU plus Iceland, Liechtenstein and Norway) or transfer under contracts which contain certain provisions sanctioned by the Information Commissioner’s Office, the UK data protection regulator.