Are your website privacy policies compliant with the GDPR?
Applying the GDPR to Create Compliant Privacy Policies
- Companies should have a lawful basis for processing personal data: The GDPR outlines six lawful circumstances for acquiring personal data: 1) the consumer has provided consent; 2) processing is necessary for the performance of a contract; 3) processing is necessary for compliance with a legal obligation of the data controller; 4) processing is necessary to protect the vital interests of the consumer or of another natural person; 5) processing is necessary for the public interest; and 6) processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where those interests are overridden by the interests of the fundamental rights of the consumer.
- Data Retention: The GDPR limits website operators from retaining data beyond a “reasonable” period of time. A reasonable period of time has yet to be defined and retention periods vary from country to country. Please note that the typical retention period for countries in Europe is from five to ten years for general documents and tax papers.
- Do not use complicated language: Article 12 of the GDPR requires, “using clear and plain language, in particular for any information addressed specifically to a child.” In the pursuit of transparency, the GDPR does not want users to be confused by overly complex legal language.
- Mandatory data sharing: Often the use of personal data is required in order to create a user name and then to gain access to certain parts of a website. Website privacy policies must explain what happens if personal data is not provided by users.
- International privacy laws: To enhance transparency, the GDPR requires businesses to inform their customers of any personal data that will be transferred to a different country or to an international organization.
Rethinking Website Privacy Policies
The foregoing suggestions should be considered when attempting to draft GDPR-compliant privacy policies. Making sure that privacy policies are carefully composed will help prevent GDPR-related exposure and liability in the future.
Given the complexity of the GDPR, companies that control, process, and/or collect data from individuals located in the EU should consult with experienced counsel to ensure that the terms of their respective privacy policies are compliant with the new regulations. If you are interested in learning more about this topic or need assistance with GDPR compliance, please e-mail us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
This post was originally published on May 1, 2018 and updated on June 29, 2021.