Lessons From Preparing A Website Privacy Policy For GDPR
by Ascedia - June 20, 2018 - 5 minute read
Since May 2018, brands have been scrambling to ensure that their websites comply with the EU’s General Data Protection Regulation.
As you may know, under GDPR, data collection that relies on pseudonymization and anonymization is acceptable and permitted, but only if your privacy policy is updated to cover both tracking and cookie information.
Our website needed an update for May 2018. To prepare for GDPR, we modified our privacy policy to reflect transparency in our data collection and processing practices (see for yourself).
Let's walk through what we did and how you can adjust your privacy policy for compliance.
GDPR Requirements for Compliance
GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data). Organizations must inform customers of their rights under GDPR, including the purpose and method of data collection and instructions on how to opt out of data collection.
Both groups need to make sure the policy is short and to the point. The privacy policy must have three basic elements: it must be concise and easily accessible, it must be written clearly in plain language that even a child could understand, and it must be free of charge.
Components of a GDPR Compliance Privacy Policy
To write a good privacy policy, you’ll need to explain the use of the data you’re collecting. This explanation is crucial. You must also describe what you are going to do with the data once you collect it. Explain your use of cookies. Be transparent about sharing data with third parties. State with whom you will be sharing data you collect and for what purpose.
Explain the rights of the individual. You are required to explain what privacy rights your visitors have. Their rights include the following:
- They can request that their data be deleted or corrected.
- They can access the data a company has about them.
- They can request that their data be transferred to another party.
- They must give consent for their data to be used.
To help guide your privacy policy, you must inform individuals on four different levels. To inform users of data collection, include these four components in your website's privacy policy:
- An appropriate description of how you're using data collected online.
- A message about how you or third-party vendors use the data you collect.
- A message about how you or third-party vendors use cookies and data collection.
- Information about how your visitors can opt out of data collection.
Writing the Privacy Policy
The following is how to rewrite your privacy policy to reflect the many third-party tools used in data collection. You will want to do this for each third-party tracking or data collection tool you use, in addition to a general message about privacy and cookies:
General Statement
General statements should include overall data policies. How is this data primarily used? More importantly, how is it stored? Make sure users know if their information is being shared with third parties or if your tracking anonymizes their identity.
Give users an overview of select services you may be using – for example, Google Analytics. Google Analytics is probably something you have installed on your website. When you use third parties such as this, it’s also important to include sections outlining specifically what each service is used for in data collection.
Google Analytics
Let users know the website uses Google Analytics, which is primarily for tracking and measuring website traffic. Google Analytics anonymizes identity, so no personally identifiable information is stored on the platform. Be sure to include this disclaimer in the policy, too.
Let your users know you are monitoring traffic to make website enhancements and user experience improvements. Remind them their information won’t be shared unless explicitly stated.
You will also need to include a way for users to opt out of Google Analytics tracking. Follow this link to get a tool to allow your browser to do so.
Google AdWords - Targeting and Remarketing
If you are using Google AdWords for remarketing or targeting, which extends to Google Analytics as well, you need to write a special disclaimer describing what type of data collection and processing you are conducting. Whether you are remarketing to an audience defined by website tracking, or you are using behavioral targeting through display and video advertising, you need to let users know specifically what you are doing with the audience segment.
Again, include an opt-out for users. Users may opt out of third-party vendor use of cookies by visiting the Network Advertising Initiative Opt-Out Page.
If you are using Facebook Pixel to track or target, via a Business Page or Ad Account, you will need to include a special section about the social network. Follow the same format as Google Analytics and Google AdWords, because Facebook tracking and targeting essentially share the same data collection process.
If you have integrated your site with Facebook (regarding advanced features such as adding the login to your website, or other developmental options), you will need to include a special section on how you have installed this technology on your website. For example, if you're using the Facebook Login package, you’ll need to let users know how you have set up the integration.
With most third-party tools you need to include an opt-out component. To opt out of Facebook Pixel tracking and data collection, follow this link to change the settings in your Facebook profile.
Crazy Egg
Crazy Egg is a popular tool many websites use to gauge user experience. This tool has a very specific tracking technology that must be addressed in the language of your privacy policy. Be sure to include what you are tracking, what you are using the information for, and how you plan to make improvements to the website based on the data this platform provides.
This reminder may be getting repetitive, but do not forget the opt-out component. To opt out of Crazy Egg, follow the instructions to remove yourself from the data collection process.
As with Facebook, conversion tracking and ad targeting/remarketing are possible through Twitter. Just like other social media sites, format this section of the privacy policy similarly and be specific with the details.
Again, please do not forget an opt-out! To opt out, you can adjust your privacy settings for tailored advertisements. Twitter also supports “Do Not Track” (DNT). If you have activated this option in your browser, Twitter will not receive any browser-related information.
Don't Become Complicit With Compliance!
If you are drafting a new privacy policy to adjust to the data compliance standard of this modern age, the most important thing you can do to protect yourself is to consult legal counsel about the language. These professionals are truly the best source to gain insights into how to write a privacy policy for any legal standard.
Use these guidelines to generate a decent starting point for your document and have a legal professional or your company's attorney review it. If you get stuck writing, look around at similar brands in your industry that have adopted new policy statements. This will help you conceptualize how to form this essential piece for your website. It's time to get compliant.