Website / App Privacy Policies and the GDPR
If you operate a website or app, a starting point for GDPR compliance is to include a detailed privacy notice or privacy policy which explains in detail what kind of personal data you collect via your website or app, the legal basis for collecting it, how you use it, to whom you send it, how long you keep it etc. (See Cookies and GDPR for information about how the GDPR affects cookies and cookie consent notices.)
The GDPR sets out various requirements for privacy notices including that they be “clear and transparent”.
In some cases – e.g., if you want to use contact details for email or other marketing – the GDPR dictates that you have to go further and get appropriate consent from web users at the point where you collect the data. Generally, this must be “unambiguous” and involve a clear “affirmative action”, i.e. “opt in”. This is a stricter requirement than before. Careful records must be kept and you must make it as easy for people to withdraw their consent as to give it – relying on an unsubscribe option in a marketing email won’t do! If you don’t get the right consent, then amongst other things you can be sued by data subjects or subject to regulatory enforcement action.
However, in certain cases, where you are promoting only your own goods or services to people who have expressed an interest in them, you may be allowed to use a different legal basis (known as “legitimate interests”) to provide a more relaxed form of notice known as “soft opt in”, which is a half-way house between “opt in” and “opt out”. In fact, it’s more like “opt out” than “opt in”.
If you are collecting “special category data” (such as details of racial or ethnic origin or physical or mental health) or acquiring any form of personal data from children, you will need to take additional protective steps.
Another factor which lawyers drafting privacy policies need to think about is whether you are transferring personal data outside the UK. This can arise even if, say, one of your technology providers is storing personal data of your customers (including IP addresses) outside the UK, e.g., your website host, Google Analytics, Mailchimp email services etc. There are various ways round this, including export to countries that are recognised by the UK as providing an adequate level of data protection, including the European Economic Area, known as the EEA (i.e., the EU plus Iceland, Liechtenstein and Norway), or transfer under contracts which contain certain provisions sanctioned by the Information Commissioner’s Office, the UK data protection regulator.
The GDPR also requires that your privacy policy tells your users about their various data protection rights, including to access personal information, to rectify mistakes, to delete, restrict or object to its use in certain circumstances, and to “data portability”. You must also inform users as to how they can complain if they’re unhappy with the way that you’re dealing with their personal information. As internet privacy lawyers, we’ll help you minimise the risk that users will have a reason to complain!