Website / App Privacy Policies and the GDPR
If you operate a website or app, a starting point for GDPR compliance is to include a detailed privacy notice or privacy policy which explains what kind of personal data you collect via your website or app, the legal basis for collecting it, how you use it, to whom you send it, how long you keep it, etc. (See Cookies and GDPR for information about how the GDPR affects cookies and cookie consent notices.)
The GDPR sets out various requirements for privacy notices including that they be “clear and transparent”.
In some cases – e.g. if you want to use contact details for email or other marketing – the GDPR dictates that you have to go further and get appropriate consent from web users at the point where you collect the data. This consent must be “unambiguous” and involve a clear “affirmative action”, i.e. an “opt in”. This is a stricter requirement than before. Careful records must be kept, and you must make it as easy for people to withdraw their consent as to give it – relying on an unsubscribe option in a marketing email won’t do! If you don’t get the right consent, then amongst other things you can be sued by data subjects or be subject to regulatory enforcement action.
You’ll need to take additional protective steps if you collect “special category data” (such as details of racial or ethnic origin or physical or mental health) or acquire any form of personal data from children.
Another factor which lawyers drafting privacy policies need to think about is whether you are transferring personal data outside the European Economic Area, known as the EEA (the EU plus Iceland, Liechtenstein and Norway). This can arise even if, say, one of your technology providers is storing personal data of your customers (including IP addresses) outside the EEA, e.g. your website host, Google Analytics, Mailchimp email services, etc. There are various ways round this, including export to countries recognised by the EU as providing an adequate level of data protection, transfer to US companies which have signed up to the “EU / US Privacy Shield”, or transfer under contracts which contain certain provisions sanctioned by the EU. Your privacy policy must explain what steps you are taking to protect personal information sent outside the EEA.
The GDPR also requires that your privacy policy tells your users about their various data protection rights, including the rights to access their personal information, to rectify mistakes, to delete, restrict or object to its use in certain circumstances, and to “data portability”. You must also inform users how they can complain if they’re unhappy with the way that you’re dealing with their personal information. As internet privacy lawyers, we’ll help you minimise the risk that users will have a reason to complain!