Writing your website’s privacy policy

Published: 11 May, 2018 | Category: FAQs & Tips

Your website’s privacy policy comes under GDPR, the General Data Protection Regulation. The regulation became enforceable on 25th May 2018 and has implications for all website owners. In brief, every website must have a page setting out its organisation’s privacy policy, and that page must feature prominently on the website.

The penalties for non-compliance are reportedly astronomical. However, since GDPR affects all businesses, from large multinationals to SMEs, our advice to small businesses is don’t panic. It’s more important to think it through.

And we’ll put our disclaimer right here: we are not lawyers. The purpose of this article is to give guidance only. If you are unsure about anything, you must check the ICO website and/or seek legal advice.

Does Applegreen have one?

Heather Burns makes the point at London WordCamp 2018

Yes, it’s here. But one thing was made clear to us at a recent WordPress conference: you can’t copy it. Every policy must be based on a business or organisation’s unique circumstances.

We attended several talks on GDPR at this conference and have distilled the information for our clients and visitors. We are indebted to the speakers Toyin Agunbiade and Heather Burns and to the many writers and bloggers who have helped clarify points of detail.

It was also emphasised that you should have a privacy policy even if you don’t collect any data on anyone. You must use your policy to state the fact.

The rights of individuals

The GDPR builds on an existing EU directive that was passed into UK law as the Data Protection Act 1998. It aims to protect the rights of EU and UK nationals, wherever their data are stored, for transactions conducted within the jurisdiction of the EU and UK. GDPR will continue to apply after Brexit.

It confers on people the following rights over their data:

  • To be informed (companies have to respond within 30 days)
  • To have access to what data companies have on them
  • To rectify their data
  • To erase it and be forgotten
  • To restrict the processing of their data
  • Portability: they can request that the data they have given to a particular company be returned to them in a form that is directly usable by another company — this usually means a csv or an Excel file
  • To opt out of automatic decision making: for example, Netflix suggests programmes to watch based on those you have already seen, and you may not wish this.

The days of automatic opt-ins are over. If you have a box which clients can tick to receive your newsletter when they buy from you, this box must be unticked by default. Ideally you must offer a double opt-in. This is when the ticking of the newsletter box triggers an email enabling the client to confirm they didn’t tick it by mistake.

The 30-day response time is just that, a response time. You don’t have to solve a particular request within 30 days. But you do have to respond within that time and provide a time frame within which you will have addressed a request.

You must have a lawful basis for keeping data

The main form of lawful basis is explicit consent. For example: a client signed up to your newsletter, on a given date. You may be asked for evidence of both the sign-up and the date.
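The two mechanisms described above, an unticked-by-default newsletter box with double opt-in and a dated record that can later serve as evidence of the sign-up, are shown together below. This is an added example written for this article, not the site’s or any newsletter provider’s code; the confirmation window of 48 hours, the token length and the audit-trail event names are assumptions.

```python
"""Double opt-in newsletter sign-up with a dated consent record (added example).

Assumed design, not the article's or any product's code:
- the sign-up form's newsletter box is unticked by default, so a subscription
  request is created only when the visitor actively ticks it;
- ticking sends a confirmation link carrying a random token; the subscription
  becomes active only when that link is followed within CONFIRM_WINDOW;
- every step is stamped with a UTC time so the organisation can later show
  evidence of both the sign-up and its date.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

CONFIRM_WINDOW = timedelta(hours=48)  # assumed validity of a confirmation link


def _hash(token: str) -> str:
    """Only a hash of the emailed token is stored, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Subscriber:
    email: str
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    token_hash: Optional[str] = None
    history: list = field(default_factory=list)  # audit trail of (when, event)


class FixedClock:
    """Controllable clock used for the demonstration below (constructed)."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance_hours(self, hours: int) -> None:
        self.now += timedelta(hours=hours)


class NewsletterConsent:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.subscribers: dict = {}

    def request(self, email: str, newsletter_box_ticked: bool) -> Optional[str]:
        """Handle the order/sign-up form. Returns the raw token to email to the
        visitor, or None when the (unticked-by-default) box was left alone."""
        if not newsletter_box_ticked:
            return None
        email = email.strip().lower()
        now = self.clock()
        token = secrets.token_urlsafe(32)
        sub = Subscriber(email=email, requested_at=now, token_hash=_hash(token))
        sub.history.append((now.isoformat(), "signup_requested"))
        self.subscribers[email] = sub
        return token

    def confirm(self, email: str, token: str) -> bool:
        """The visitor followed the emailed link. Consent counts only if the
        token matches, is unused, and the link has not expired."""
        sub = self.subscribers.get(email.strip().lower())
        now = self.clock()
        if sub is None or sub.token_hash is None:
            return False
        if now - sub.requested_at > CONFIRM_WINDOW:
            sub.history.append((now.isoformat(), "confirmation_expired"))
            return False
        if not secrets.compare_digest(sub.token_hash, _hash(token)):
            sub.history.append((now.isoformat(), "confirmation_bad_token"))
            return False
        sub.confirmed_at = now
        sub.token_hash = None  # single use
        sub.history.append((now.isoformat(), "consent_confirmed"))
        return True

    def withdraw(self, email: str) -> None:
        """Unsubscribe: stop mailing but keep the record, since it is the evidence."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is not None and sub.withdrawn_at is None:
            sub.withdrawn_at = self.clock()
            sub.history.append((sub.withdrawn_at.isoformat(), "consent_withdrawn"))

    def may_email(self, email: str) -> bool:
        sub = self.subscribers.get(email.strip().lower())
        return bool(sub and sub.confirmed_at and not sub.withdrawn_at)

    def evidence(self, email: str) -> Optional[dict]:
        """What you would produce if asked to prove the sign-up and its date."""
        sub = self.subscribers.get(email.strip().lower())
        if sub is None:
            return None
        iso = lambda d: d.isoformat() if d else None
        return {"email": sub.email, "requested_at": iso(sub.requested_at),
                "confirmed_at": iso(sub.confirmed_at),
                "withdrawn_at": iso(sub.withdrawn_at), "history": list(sub.history)}


if __name__ == "__main__":
    clock = FixedClock(datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    svc = NewsletterConsent(clock)
    tok = svc.request("Bob@Example.com", newsletter_box_ticked=True)
    print("mail before confirm:", svc.may_email("bob@example.com"))
    print("confirmed:", svc.confirm("bob@example.com", tok))
    print(svc.evidence("bob@example.com"))
```

The point to take from the design is that the subscriber is never mailable on the strength of the form alone, and that withdrawing consent does not delete the record: the timestamps and event history are precisely what you would be asked to show.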

An alternative lawful basis, important for many website owners, is called implied contract. This is where someone has bought from you, and has given you their details so you can bill them, post to them or email them their purchase for download. Many newsletter lists come from this source, which is legitimate.

Others include legal obligation (eg, an address for delivery of purchased products), vital interests (private information that can save a life), public task (data essential for performing public duties) and a looser category called legitimate interests. To argue legitimate interest you must identify the interest and show that the data processing is necessary for it. You must also show that you are balancing your interests against the interests, rights and freedoms of the person whose details you hold.

The use of cookies to collect analytics data from website visitors is a grey area in our opinion, and we are keeping our advice under review. Technically, a person’s IP address counts as personal data. In practice, IP addresses can only be used to identify a visitor when combined with other online identifiers such as name and email address. Furthermore, such data is normally anonymised and aggregated, and therefore unlikely to count as ‘data’ in the legal sense.
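To make the “anonymised and aggregated” part concrete, here is an added example (not from the article or any analytics product) of what that looks like at the point where visitor addresses enter your own storage. It assumes the convention, documented by several analytics tools, of zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address before anything is kept; the log lines are constructed samples using documentation address ranges.

```python
"""Anonymise visitor IP addresses before they are stored or counted (added example).

Assumed convention, not prescribed by the article: IPv4 addresses are cut to
their /24 and IPv6 addresses to their /48, so what is retained identifies a
neighbourhood of addresses rather than one visitor. Counting is then done on
the anonymised value, and the raw address is never written anywhere.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (documentation address ranges only).
LOG_LINES = [
    '203.0.113.77 - - [25/May/2018:09:00:01 +0000] "GET /privacy-policy/ HTTP/1.1" 200',
    '203.0.113.200 - - [25/May/2018:09:00:05 +0000] "GET /privacy-policy/ HTTP/1.1" 200',
    '198.51.100.9 - - [25/May/2018:09:01:00 +0000] "GET /contact/ HTTP/1.1" 200',
    '2001:db8:abcd:1234:5678::1 - - [25/May/2018:09:02:00 +0000] "GET /privacy-policy/ HTTP/1.1" 200',
    'not-an-ip - - [25/May/2018:09:03:00 +0000] "GET /contact/ HTTP/1.1" 200',
]

_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def anonymise_ip(raw: str) -> str:
    """Return the network address of the visitor's /24 (IPv4) or /48 (IPv6).
    Raises ValueError for anything that is not an IP address."""
    addr = ipaddress.ip_address(raw.strip())
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def parse_line(line: str):
    """Extract (client address, request path) from a common-log-style line."""
    client = line.split(" ", 1)[0]
    match = _REQUEST.search(line)
    if match is None:
        raise ValueError("no request in line")
    return client, match.group(1)


def aggregate(lines) -> dict:
    """Count page views per (anonymised network, path). Lines that do not
    parse are dropped rather than stored for later inspection."""
    counts = Counter()
    for line in lines:
        try:
            client, path = parse_line(line)
            network = anonymise_ip(client)  # raw address discarded here
        except ValueError:
            continue
        counts[(network, path)] += 1
    return dict(counts)


def contains_raw_address(report: dict, raw_lines) -> bool:
    """Sanity check for what you retain: no full visitor address survives."""
    raw = {line.split(" ", 1)[0] for line in raw_lines}
    return any(network in raw for network, _ in report)


if __name__ == "__main__":
    report = aggregate(LOG_LINES)
    for (network, path), n in sorted(report.items()):
        print(f"{network:<20} {path:<20} {n}")
    print("raw address leaked:", contains_raw_address(report, LOG_LINES))
```

Two visitors from 203.0.113.0/24 collapse into one row in the report, which is the intended effect: the retained figures still answer “how many people read the privacy page”, but cannot be joined back to a single person, even when combined with a name or email address held elsewhere.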

For a full list and description of all the lawful bases for holding data, see the website of the Information Commissioner’s Office.

Writing your own privacy policy

You may not collect any data at all: you still need to say so. But it’s unlikely that you do not keep contact details for your clients somewhere, even if it’s on pieces of paper. If so, you need to declare the fact.

Your website’s privacy policy needs to include the following:

  • Who you are and how you can be contacted;
  • What personal data you collect;
  • Categories of data;
  • The consent or legal basis on which you collect it;
  • Children: 13 is the age of consent — otherwise, guardians must give consent;
  • Who it is shared with: list them by name and link to their privacy policies. If you use a third-party provider to send an email newsletter (such as MailChimp) or integrate a shop on your website (such as WooCommerce), you need to name them;
  • How long you plan to retain it. It’s ok to keep it indefinitely, but this has to be stated;
  • Where it is stored. Is it on your own computer? Backed up to a cloud somewhere?
  • What rights people have over their data;
  • How you protect it in the case of international transfers, eg to countries like the US that don’t have privacy laws;
  • Most websites created by us collect anonymised visitor data via analytics cookies. This data cannot be used to identify individual visitors; nevertheless, a mention of analytics should be included in the privacy policy. It may be instructive to visit the ICO’s own privacy policy about their use of cookies;
  • What steps you take to protect data from breaches, and what you will do in the case of a suspected breach.

The language and presentation of your website’s privacy policy

Your website’s privacy policy should be written and designed to be read, and not to obfuscate. Consider the following:

  • Use plain English, and include plenty of headers and sections to help people navigate and find answers easily;
  • Write it in a language that is accessible to children, if your website is for them;
  • Write it in a language that is accessible to people with learning difficulties, if your website is for them;
  • Consider people for whom English is not their mother tongue;
  • It must be readable on mobile devices;
  • Give choices and options over the storing of data: remember that it’s a contract;
  • Date it, and make clear that it is revisited regularly.

In the event of a suspected data breach

A data breach is defined as “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

You need to establish the likelihood and severity of the risk to people’s rights and freedoms.

If it’s likely that there will be a risk, you must notify the ICO within 72 hours, and the data subject immediately.

If it’s unlikely, don’t report it but document and be willing to justify your decision.

Other measures

Your privacy policy should be easy to find from every page of your website. You should also link to it from your Terms & Conditions and also on your contact page.

A few special conditions, affecting other parts of your website:

  • If your website is used by children under 13, your contact form should include a tick box for parental consent;
  • If your website is absolutely not to be used by children, you should require a declaration of age before entry. See a good example at Johnnie Walker.

WordPress websites

All WordPress installations are different. Nevertheless there is a GDPR core compliance project going on right now.

WordPress will also add tools that will allow website admins to create user-friendly privacy notices. This will help generate a privacy page, but it will still be the admin’s responsibility to review it.
