Colorado Privacy Law Heads to Governor’s Desk for Signature- Klein Moynihan Turco LLP

8 Tips for GDPR Compliant Privacy Policies

Consumer inboxes have been flooded lately with privacy policy update notices. This is, in large measure, the result of the new General Data Protection Regulation (“GDPR”) that was implemented by the European Union (“EU”). The GDPR went into effect on May 25, 2018.  Any person or entity, that holds or uses the personal data of EU residents, needs to be compliant with the GDPR in order to avoid significant fines.  It is important to note, as stated in our previous GDPR blog, that the GDPR’s regulations cover both “data controllers” (organizations that determine the purpose and means of processing personal data) and “data processors” (third parties who collect, store and maintain user information on behalf of data controllers).

Are your website privacy policies compliant with the GDPR?

Applying the GDPR to Create Compliant Privacy Policies

Per applicable law, any online operator that collects, uses and/or shares personal information must post a privacy policy on its website homepage. The EU’s goal in enacting the GDPR is to improve upon existing laws to better promote transparency, informed consent and accountability when it comes to personal data collection, storage and use. Here are some tips for ensuring that your privacy policy is GDPR compliant:

  • Companies should have a lawful basis for processing personal data: The GDPR outlines six lawful circumstances for acquiring personal data: 1) the consumer has provided consent; 2) processing is necessary for the performance of a contract; 3) processing is necessary for compliance with a legal obligation of the data controller; 4) processing is necessary to protect the vital interests of the consumer or of another natural person; 5) processing is necessary for the public interest; and 6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the interests of the fundamental rights of the consumer.
  • Data Retention: The GDPR limits website operators from retaining data beyond a “reasonable” period of time. A reasonable period of time has yet to be defined and retention periods vary from country to country. Please note that the typical retention period for countries in Europe is from five to ten years for general documents and tax papers.
  • Contact information for the data controller and data processor: Articles 13 & 14 of the GDPR require that the identities and contact details of the data controller and data processor be readily disclosed. In many instances, the data controller may be the business itself, which is likely already disclosed in the website operator’s privacy policy under business contact information.
  • Employ a clickwrap agreement: The GDPR does not require that privacy policies be “click-to-agree” or “clickwrap agreements,” but best practices suggest that this is the appropriate method to prove that a given privacy policy was reviewed and agreed to by site visitors. Because the GDPR was put in place to create an environment where users are informed as to how their personal data is used, collected, and stored, requiring users to take an affirmative step to accept privacy policies is a must.
  • Do not use complicated language: Article 12 of the GDPR requires, “using clear and plain language, in particular for any information addressed specifically to a child.” In the pursuit of transparency, the GDPR does not want users to be confused by overly complex legal language.
  • Mandatory data sharing: Often the use of personal data is required in order to create a user name and then to gain access to certain parts of a website. Website privacy policies must explain what happens if personal data is not provided by users.
  • International privacy laws: To enhance transparency, the GDPR requires businesses to inform their customers of any personal data that will be transferred to a different country or to an international organization.
  • Inform users of their eight rights: The GDPR provides users with eight fundamental rights with respect to how websites collect, store and use their data. Please note that the rights do not have to receive their own sections within a privacy policy, but they should be clearly defined within the agreement. There rights include: 1) the right to be informed; 2) the right of access; 3) the right of rectification; 4) the right to erasure; 5) the right to restrict processing; 6) the right to data portability; 7) the right to object; and 8) the right of automated decision-making in profiling.

Rethinking Website Privacy Policies

The foregoing suggestions should be considered when attempting to draft GDPR-compliant privacy policies. Making sure that privacy policies are carefully composed will help prevent GDPR-related exposure and liability in the future.

Given the complexity of the GDPR, companies that control, process, and/or collect data from individuals located in the EU should consult with experienced counsel to ensure that the terms of their respective privacy policies are compliant with the new regulations.  If you are interested in learning more about this topic or need assistance with GDPR compliance, please e-mail us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney.  Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.  

Attorney Advertising

This post was originally published on May 1, 2018 and updated on June 29, 2021.

Photo by FLY:D on Unsplash

Related Blog Posts:

Why Your Sweepstakes Promotion Needs a Privacy Policy

How Does The CPRA Compare To The GDPR? Ask A CPRA Lawyer

Federal Privacy Law: One National Standard


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

data CIPA law Swigert law consumer protection data on cumputer screen

Swigart Law Group CIPA Demands

Readers of this blog likely know about the wave of consumer privacy litigation directed at online companies’ collection of consumer data. A litany of these

Read More »