Privacy notices in three simple steps
What is a privacy notice?
The data protection framework requires you to give people some key information about who you are, what you are doing with their data, how long you are going to be doing it, and what rights they have. This set of information is often communicated in a "privacy notice".
In this blogpost, I'll cover:
- what you need to put into your privacy notice
- how you need to do it
- when you need to provide this information
What: putting the right information in your notice
I read a lot of privacy notices (one of the hazards of being a geeky lawyer, I guess), and I'm amazed by the number which do not contain all the required information.
So what has to go in a privacy notice?
You've got to include a core set of information in your privacy notice. Although the GDPR suggests that some of this might be optional, regulatory guidance shows a strong preference for including everything listed in the GDPR unless you've got a really good reason not to do so.
If reading the GDPR itself is not for you (understandable), then at least take a look at the very handy checklist on the ICO's website.
This checklist sets out what needs to go into a notice.
But I don't have that kind of information to hand
If you do not have an accurate, and regularly updated, record of processing, this is the time to get that sorted.
Once you know what you are doing with data, and why you are doing it, you'll find it much easier to prepare, and update, your privacy notice.
The ICO has prepared template records of processing, which you can complete.
One of the things you'll need to work out is the period for which you are going to be keeping hold of personal data — the "retention period".
How: implementing your notice correctly
Make it readable
How you have implemented your privacy notice is just as important as what is in it — the legal framework covers both the how and the what.
The legal requirement is that your notice must provide the required information:
in a concise, transparent, intelligible and easily accessible form, using clear and plain language
Simple, short sentences. Plain, easy-to-understand, language. Be clear, and avoid things like 'we may do [whatever it is that you might do]' unless you can show why that's unavoidable.
(Lawyers are especially bad at this, sad to say — but #NotAllLawyers.)
The bar is even higher if you are writing for children. If you are, you need to think carefully about how you communicate the information in a way which children of whatever age you think are likely to be reading it will understand. Think about even simpler language, icons and graphics, and other ways of breaking down what you have to say.
Ensure it is easily accessible with layers and "just in time" transparency
If someone has to go looking for this information, you've got it wrong.
Layering, or "just in time" transparency, sounds fancier (and harder) than it is. All it means is that you show people relevant information at the appropriate point, and signal where they can find out more.
This is particularly relevant when you are collecting someone's data. For example, if you have a contact form, tell people right above the "submit" button what you are going to do with their information, and include a link to your privacy notice, to get more information.
We don't have a contact form on our site, but we do include our contact details. We say this at the bottom of the contact section:
We'll never spam you or sell your information. Ever. More info here.
A simple, contextually-relevant statement, designed to assuage the common concern that someone will email and then be deluged with marketing or have their email address sold on and on, with a link where they can read more information if they want to do so. It is left implied that we will process their data for the purpose of responding to their communication, but that could be stated expressly if you wanted.
You can adapt this approach for both online and offline use. For example, if you have a paper instruction sheet telling someone how to configure their new piece of kit, you can include relevant information at the pertinent point in the instructions, with a signpost to your full privacy notice.
Use summaries, hyperlinks, bullet points, and a table of contents
Make it easy for someone to jump to the section they want, rather than having to scroll down screens and screens full of text to work out how to get in touch with you, or to see for how long you are holding their data.
Here, for example, is the very beginning of our privacy notice for clients (and, in the real thing, these points link to the main sections of the notice):
- We keep to a minimum the information we hold about you
- We use your data to provide our services to you, respond to your enquiries, manage our relationship with you, meet our legal obligations, and improve our website
- We delete your data when it is no longer needed for these things
- Generally, we do not give your information to third parties, but there are some exceptions
- You have lots of privacy rights
- We take security seriously
- We record calls
- We are happy to answer your questions about any of this
Translate it if you are targeting people who speak other languages
If you are targeting your activity to people who speak other languages, you need to make your privacy information available in those languages.
Regulatory guidance suggests that you might be targeting if you:
operate a website in the language in question and/or offer specific country options and/or facilitate the payment for goods or services in the currency of a particular member state.
In other words:
- if your website is available in multiple languages, offer your privacy information in those languages too
- if you sell a French version of your service, or state that you provide services to people in France, have a French version of your notice
- if you advertise specifically to people who speak other languages (e.g. adverts in Polish, or using online targeting to reach Polish speakers), have a Polish version
- if you use country-specific top-level domains (e.g. .fr or .de), you will probably be seen as targeting people in those countries
- if you feature testimonials from someone showing as being in Spain, prepare a Spanish version of the notice (or ditch that testimonial)
- if you geo-target using your website, such that specific offers appear when someone from a different country visits your site, have a privacy notice for each geo-targeting variant
Factors unlikely to count as targeting:
- mere availability of your website, or the ability for someone who speaks another language to purchase from you. These are passive things, not active steps you have taken
- some case law suggests that putting your phone number with an international dialling code (e.g. +442035197984) shows an intent to target overseas business. Since it is not clear that you are targeting any one country in particular, and since it would be unreasonable to conclude that this means you need a privacy notice in every language spoken around the world, it seems unlikely to me that this, alone, would be sufficient. But it might be a factor in an otherwise edge-case scenario.
It's a notice, not a contract
The aim of your privacy notice (aside from simply complying with the law) is to ensure that the people about whom you are processing personal data know what you are doing, and why.
It's a notice. Possibly even a bit of a warning. But it's not a contract.
So what does that mean?
- You don't need someone to "agree" to it, or sign it, or confirm that they have read it.
- It doesn't need to read like a contract and, frankly, it shouldn't. I've yet to see a privacy notice formulated as a contract which I'd regard as intelligible or easily accessible, and they are normally loaded with things like "by reading this notice, you are consenting to..." or similar — language which might work in a contractual setting, but which doesn't work from a GDPR point of view.
When: communicating it at the right time
If you obtain data from someone directly
If you are collecting data from someone directly (such as a contact form, or a cookie), you've got to make your privacy notice available "at the time when personal data are obtained".
It's no good to collect data from them and then email them a copy of your privacy notice — you're too late. Use layering, or just in time transparency, to show them the right information at the right point.
If you obtain data indirectly
If you obtain data about someone indirectly — perhaps you're buying it from someone else — and they don't already have all the required information, you need to communicate your privacy notice to the people to whom the data relate:
- within a reasonable period of time, and at the latest within one month of obtaining their data; or
- if you communicate with them, at the latest at the time of the first communication; or
- if you are planning on selling or giving away their data, at the latest when the personal data are first disclosed
So you have a maximum of one month from the point at which you obtain the data, and potentially a shorter window if that is "reasonable" or if you are communicating with them or giving out their data.
If you cannot do this — if it would be impossible, or involve a disproportionate effort — you are required to take "appropriate measures", which expressly includes "making the information publicly available". You'll need to think carefully before relying on this, and be sure you can justify your decision, if you have a means of contacting data subjects directly.
Aaargh. This is just to complicated
If you find this complicated, there's a strong chance you are over-thinking it. At its heart, it's a simple obligation.
Of course, if you are not sure what you are doing with personal data, then that's a lot harder — so fix that bit first.
And if what you are doing is particularly complex, or if it's not something a data subject would expect (which might mean you have bigger problems), then that too can be trickier.