Consumer inboxes have been flooded lately with privacy policy update notices. This is, in large measure, the result of the new General Data Protection Regulation ("GDPR") implemented by the European Union ("EU"). The GDPR goes into effect on May 25, 2018. Any person or entity that holds or uses the personal data of EU residents needs to be compliant with the GDPR in order to avoid significant fines. It is important to note, as stated in our previous GDPR blog, that the GDPR's regulations cover both "data controllers" (organizations that determine the purpose and means of processing personal data) and "data processors" (third parties who collect, store and maintain user information on behalf of data controllers). As the May 25th deadline rapidly approaches, businesses must ask:

Are our website privacy policies compliant with the GDPR?

Tips for GDPR Compliant Privacy Policies

Per applicable law, any online operator that collects, uses and/or shares personal information must post a privacy policy on its website homepage. The EU's goal in enacting the GDPR is to improve upon existing laws to better promote transparency, informed consent and accountability when it comes to personal data collection, storage and use. Here are some tips for ensuring that your privacy policy is GDPR compliant:

  • Companies should have a lawful basis for processing personal data: The GDPR outlines six lawful circumstances for acquiring personal data: 1) the consumer has provided consent; 2) processing is necessary for the performance of a contract; 3) processing is necessary for compliance with a legal obligation of the data controller; 4) processing is necessary to protect the vital interests of the consumer or of another natural person; 5) processing is necessary for the public interest; and 6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the interests or fundamental rights of the consumer.
  • Data Retention: The GDPR prohibits website operators from retaining data beyond a "reasonable" period of time. A reasonable period of time has yet to be defined, and retention periods vary from country to country. Please note that the typical retention period for countries in Europe is from five to ten years for general documents and tax papers.
  • Contact information for the data controller and data processor: Articles 13 & 14 of the GDPR require that the identities and contact details of the data controller and data processor be readily disclosed. In many instances, the data controller may be the business itself, which is likely already disclosed in the website operator's privacy policy under business contact information.
  • Employ a clickwrap agreement: The GDPR does not require that privacy policies be "click-to-agree" or "clickwrap agreements," but best practices suggest that this is the appropriate method to prove that a given privacy policy was reviewed and agreed to by site visitors. Because the GDPR was put in place to create an environment where users are informed as to how their personal data is used, collected, and stored, requiring users to take an affirmative step to accept privacy policies is a must.
  • Do not use complicated language: Article 12 of the GDPR requires that information be provided "using clear and plain language, in particular for any information addressed specifically to a child." In the pursuit of transparency, the GDPR does not want users to be confused by overly complex legal language.
  • Mandatory data sharing: Often the use of personal data is required in order to create a user name and then to gain access to certain parts of a website. Website privacy policies must explain what happens if personal data is not provided by users.
  • International privacy laws: To enhance transparency, the GDPR requires businesses to inform their customers of any personal data that will be transferred to a different country or to an international organization.
  • Inform users of their eight rights: The GDPR provides users with eight fundamental rights with respect to how websites collect, store and use their data. Please note that the rights do not have to receive their own sections within a privacy policy, but they should be clearly defined within the agreement. These rights include: 1) the right to be informed; 2) the right of access; 3) the right of rectification; 4) the right to erasure; 5) the right to restrict processing; 6) the right to data portability; 7) the right to object; and 8) rights in relation to automated decision-making and profiling.

Rethinking Website Privacy Policies

The foregoing suggestions should be considered when drafting GDPR-compliant privacy policies. Making sure that privacy policies are carefully composed before the May 25, 2018 effective date will help prevent GDPR-related exposure and liability in the future.

Given the complexity of the GDPR, companies that control, process, and/or collect data from individuals located in the EU should consult with experienced counsel to ensure that the terms of their respective privacy policies are compliant with the new regulations. 
