Blog

GDPR – The Reason for All the Recent Privacy Policy Emails and What it Means for New Websites

Author

Amanda Levin

Date

May 24, 2018

In the past week, you may have noticed a flood of privacy policy updates invading your email inbox. Companies have been scrambling this week to update their privacy policies and terms of service documents to get ready for the European Union’s new General Data Protection Regulations (GDPR) that take effect this Friday, May 25.

What is the GDPR?

The GDPR, passed in 2016, is a set of rules enabled by the EU that aim to give European internet users more control over the information they submit online and how it is used. The core pieces of these rules include:

Notification: There will be a 72 hour window where companies will need to notify regulators of breaches where a data breach is likely to “result in a risk for the rights and freedoms of individuals.”
Access: Individuals can ask for confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They can also request a copy of the personal data in an electronic format at no cost.
The right to be forgotten: Individuals can ask for any PII (Personally Identifiable Information) about them to be erased and for third parties that have access to that data to stop using it. In other words, consent to collect and use data can be revoked.
Portability: If an individual receives their data from one entity, they can pass it to another.
Privacy by design: There is now a legal obligation to build systems with privacy as a core design element.
Data protection officers: Entities that collect, store and use PII will need to appoint Data Protection Officers – these can be internal or external personnel – who will manage the processes associated with compliance with the GDPR.

(source: LifeHacker: What Is The GDPR And Why Should You Care?)

How does the GDPR affect US companies?

The GDPR applies to any company that is storing the personal data of EU citizens regardless of where in the world they are located. Since the internet is a global technology, this basically means that most websites in the world that store the personal information of their users have to comply with these regulations. Failure to comply with the GDPR will start with a warning for the first violation, but repeating violations can result in periodic data protection audits and heavy fines.

What does this have to do with privacy policies?

The GDPR’s idea of consent is a lot stricter than previous regulations, which means companies will need ask for permission to collect your data more often. You will be seeing “I accept the terms and conditions” popups very frequently from now on.

Do I need a privacy policy on my website?

The short answer is yes. If you collect personal information from your website visitors then you need to have a privacy policy posted on your website. Personal information which includes names, email addresses, phone numbers from contact forms, chat widgets, and website analytics.

How do I get a privacy policy?

You can get started writing out a privacy policy yourself. Make sure that your privacy policy includes the following:

What Personal Information is Collected
How it is Stored
Whether personal information is shared with 3rd parties
(For Example, MailChimp or Google Analytics)
Any Third Party Advertisers on your site and links to their websites.

You might also consider adding a cookie policy to your site and Limitation of Liability Clause. You can visit other websites to get an idea of what you should say in the policy, but also try to keep your terms simple so that a user can easily understand it.

Have an attorney help with or proof your privacy policy to make sure you have all your bases covered.