If you have a website that collects personal data such as names, emails, phone numbers or IP addresses, you may have read online that you need a GDPR Privacy Policy. A GDPR Privacy Policy is a document that explains your privacy practices and includes all of the disclosures required by the General Data Protection Regulation (GDPR). GDPR is one of the most actively enforced privacy laws in the world, and even small businesses have been fined for non-compliance, so if GDPR applies to you, it is important that your Privacy Policy contains all of the required disclosures to help avoid such fines. In this article, we will discuss GDPR Privacy Policies, including who needs one, what it should contain, and where to obtain one to protect your business.
Who needs a GDPR Privacy Policy?
GDPR is a privacy law that was adopted in 2016 and has applied since 25 May 2018. It protects the privacy of individuals in the European Union (the law refers to data subjects "in the Union", not to residents or citizens) by providing them with privacy rights and by requiring businesses to follow certain requirements when collecting, using and sharing personal data, including the requirement to have a compliant Privacy Policy. While simply having a website that could be accidentally accessed by someone in the European Union does not make a business subject to GDPR, GDPR does have a broad reach in the sense that your business does not need to be located in one of the European Union countries for the law to apply to you.
GDPR will apply to you if you:
- Are established in the European Union (or in the wider European Economic Area, where GDPR also applies);
- Offer goods or services to individuals in the European Union (regardless of your location);
- Monitor the behavior of individuals in the European Union (regardless of your location).
It is important to note that having a website that could be accessed in the European Union is not sufficient to establish the offering of goods or services. However, if your website accepts payments in Euros, you act on purchase orders from the European Union, your website is available in a language used in a European Union country (e.g. French), or you mention customers from the European Union on your website, then you are probably offering goods or services to individuals in the European Union and GDPR applies to you. These are the factors GDPR itself lists in its recitals for deciding whether goods or services are being offered.
In addition, if you monitor the behavior of individuals in the European Union through behavioral advertising, online tracking through the use of cookies or analytics, or market surveys and other behavioral studies based on individual profiles, then GDPR applies to you as well.
If GDPR applies to you, then you will be subject to its requirement of having a comprehensive Privacy Policy that contains all of the disclosures required by this law.
What disclosures does a GDPR Privacy Policy need to contain?
Once you have determined that GDPR does apply to you, you will need a Privacy Policy that contains all of the information required by this privacy law in order to avoid non-compliance fines. The required disclosures are set out in Articles 13 and 14 of GDPR. A GDPR Privacy Policy must include the following information:
- Your name and contact information;
- What personal data you collect;
- Purposes for which you will be using the personal data;
- Whether you will use personal data for direct marketing purposes;
- Whether you share personal data. If you do share personal data, you will also need to list the categories of third parties with whom such data is shared;
- The legal bases under which you process personal data and, where you rely on legitimate interests, what those interests are;
- The privacy rights provided to individuals;
- How individuals can exercise their privacy rights;
- The fact that individuals can file a complaint regarding the processing of their personal data;
- How long you store personal data or, if no fixed period can be given, the criteria used to determine the retention period;
- Information regarding automated decision making, if you engage in such processing, including meaningful information about the logic involved and its consequences for the individual;
- Information regarding profiling, if you engage in such processing;
- Where you will process personal data, including whether personal data will be transferred outside of the European Union and, if so, the safeguards that cover the transfer (for example an adequacy decision or Standard Contractual Clauses);
- If you have a Data Protection Officer, you will need to list their contact details; and
- Whether your website uses cookies and other tracking technologies.
Your GDPR Privacy Policy must also accurately describe how you actually process the personal data that you collect. To comply with GDPR, it is not sufficient to state general information; your Privacy Policy must be specific to your actual privacy and business practices.
Does a GDPR Privacy Policy cover other privacy laws?
Since GDPR is a comprehensive privacy law that leads to a Privacy Policy containing a lot of information, it is tempting to assume that a GDPR Privacy Policy covers every other privacy law as well. That is not the case. Each privacy law has its own set of disclosures that it requires Privacy Policies to make. While some of these disclosures overlap, others do not. For example, the California Online Privacy Protection Act (CalOPPA) requires Privacy Policies to disclose how a website responds to Do Not Track signals, a disclosure not required by GDPR. In addition, US privacy laws such as Nevada Revised Statutes Chapter 603A, the Connecticut Data Privacy Act (SB 6) and the Virginia Consumer Data Protection Act require Privacy Policies to disclose whether personal data will be sold, another disclosure not required by GDPR. Thus, if multiple privacy laws apply to you, your Privacy Policy will need to include all of the disclosures required by those laws, and a GDPR Privacy Policy alone will not prevent non-compliance with the others.
Does GDPR require a cookie consent banner?
In addition to requiring a comprehensive Privacy Policy, websites that set cookies need a cookie consent banner. Strictly speaking, the consent requirement for non-essential cookies comes from the ePrivacy Directive as implemented in each member state's national law, but it borrows GDPR's definition of valid consent, which is why it is usually discussed together with GDPR. The purpose of a cookie consent banner is to prevent the firing of non-essential cookies until the user consents to them. Users must be presented with an option to "accept" and an equally easy option to "decline" cookies, and the website must respect that choice; pre-ticked boxes or continued browsing do not count as consent. In addition, for users who accept cookies, the website must provide a way to withdraw that consent at any time, and withdrawing consent must be as easy as giving it.
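The gating behavior described above, as an added example that is not code from the original article or from any product it mentions. The cookie names, the loader functions and the small "jar" interface (which wraps document.cookie in the browser and an in-memory map elsewhere) are assumptions made for the example. Non-essential loaders run only after an "accept", a returning visitor's stored choice is honored on page load, and withdrawal removes the non-essential cookies that are already set.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Cookie names, loaders and the jar interface are assumptions, not the article's code.

const CONSENT_COOKIE = "cookie_consent";            // assumed name for the stored choice
const ONE_YEAR = 60 * 60 * 24 * 365;                // Max-Age in seconds
const ESSENTIAL = new Set([CONSENT_COOKIE, "sid"]); // assumed strictly necessary cookies

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(str) {
  const out = {};
  for (const part of (str || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// In-memory jar for server-side rendering and tests; same interface as browserJar.
function memoryJar(initial = "") {
  const map = parseCookies(initial);
  return {
    read: () => Object.entries(map).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "),
    write: (name, value) => { map[name] = value; },
    remove: (name) => { delete map[name]; },
  };
}

// Browser jar backed by document.cookie (only constructed in a browser).
function browserJar() {
  return {
    read: () => document.cookie,
    write: (name, value) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax; Secure`;
    },
    // Max-Age=0 deletes a cookie. A cookie set with a Domain attribute (as analytics
    // scripts often do) must be removed with the same Domain, and cookies set by a
    // third-party origin cannot be cleared from first-party script at all.
    remove: (name) => { document.cookie = `${name}=; Max-Age=0; Path=/`; },
  };
}

class ConsentGate {
  // loaders: functions that inject non-essential tags (analytics, ads); run only after consent.
  constructor(jar, loaders) {
    this.jar = jar;
    this.loaders = loaders;
    this.loaded = false;
    if (this.state() === "granted") this.runLoaders(); // returning visitor who already consented
  }

  // "granted" | "denied" | "unknown"; on "unknown" the banner is shown and nothing fires.
  state() {
    const v = parseCookies(this.jar.read())[CONSENT_COOKIE];
    return v === "granted" || v === "denied" ? v : "unknown";
  }

  runLoaders() {
    if (this.loaded) return; // never inject the same tags twice
    this.loaded = true;
    for (const load of this.loaders) load();
  }

  accept() {
    this.jar.write(CONSENT_COOKIE, "granted");
    this.runLoaders();
  }

  // Declining is one call, exactly like accepting; the choice is stored the same way.
  decline() {
    this.jar.write(CONSENT_COOKIE, "denied");
  }

  // Withdrawal records the new choice and removes every non-essential cookie already set.
  // Scripts already injected keep running until the next navigation, so reload afterwards.
  withdraw() {
    this.decline();
    for (const name of Object.keys(parseCookies(this.jar.read()))) {
      if (!ESSENTIAL.has(name)) this.jar.remove(name);
    }
    return this.state();
  }
}

// Usage in a page: const gate = new ConsentGate(browserJar(), [loadAnalytics]);
// then wire the banner's buttons to gate.accept() / gate.decline() and a
// "withdraw consent" link in the Privacy Policy to gate.withdraw().
```

The important property is that the analytics loader is never called on the "unknown" or "denied" paths; the banner only decides which of `accept()` or `decline()` runs. Keeping the decline path as short as the accept path is what makes the choice a real one rather than a dark pattern.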
Where can you obtain a GDPR Privacy Policy?
Now that you know what a GDPR Privacy Policy is, you may be asking where you can obtain one to help protect your website and your business. The first option is to hire a privacy attorney who knows the requirements of GDPR. A privacy attorney can draft your Privacy Policy and keep it up to date with changes in legislation, guidance, and enforcement actions. Unfortunately, hiring a privacy attorney is expensive and may not be a viable option for many small businesses.
Another option is to use a Privacy Policy generator such as Termageddon. A good Privacy Policy generator asks you a series of questions to first determine which privacy laws apply to you and then additional questions to create the disclosures required by those laws. Privacy Policy generators also update their clients' policies for changes in legislation. The one drawback of a Privacy Policy generator is that, because it is a tool, it cannot provide you with legal advice. However, Privacy Policy generators are a much more cost-effective route to compliance that can still fit the needs of your business.