Data privacy is now a big issue and is regulated by the General Data Protection Regulation (GDPR), which also affects websites. This article is a run-through on how to construct a website privacy statement with the GDPR in mind.
A website privacy statement used to be based on:
- Data Protection Acts 1988 and 2003 (last amended 2012)
- ePrivacy Regulations 2011 (SI 336/2011) - the so-called "cookie law"
But as of 2018, things they are a-changing.
The Data Protection Acts 1988 and 2003/12 are being replaced by a European Regulation known as the GDPR (General Data Protection Regulation), which will be binding on all European member states and will also apply to non-European entities doing business in Europe.
A website privacy statement will now be based on:
- General Data Protection Regulation (https://gdpr-info.eu/)
- ePrivacy Regulations 2018 - yet to be agreed
The GDPR will significantly strengthen a consumer's rights around their personal data. It has also expanded personal data to include the collection of IP addresses - a machine identifier that could be used (in conjunction with other data) to personally identify you. An IP address could look like this: 184.108.40.206. If you want to know what yours looks like, then just google: what's my ip?
One thing that hasn't been finalised yet, however, is the other half of the Data Privacy duo: the much anticipated re-write of the ePrivacy Regulation. This is tricky because for website owners, the GDPR and ePrivacy kinda go together. Whereas GDPR focusses on personal data, ePrivacy has a lot to do with "cookies", which affect functionality we love to provide on websites like Google Analytics, embedding YouTube videos, showing Facebook feeds and so on. Right now, we don't know whether the powers that be will decide that the cookies dumped onto visitors by these providers will have to be strictly "opt in" (what a pain), or a more relaxed version where we can set them to "on" to begin with, but provide visitors with an option of turning them off and rejecting these cookies. We are so hoping that the more relaxed side of the argument will win out.
Website Data Privacy Statements and the GDPR
Much of the old legislation still holds, which is helpful. The differences for website privacy statements are that we have to answer the following questions in quite some detail -
Example: We collect personal data from our Contact form, shopping cart, Google Analytics (yes, unless you anonymize the IP address collection first! See https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization for some help on this.)
Example: We ask for your name, email address, physical address and contact number so that we can provide you with a legal invoice when you shop with us. We request your name and email address for our newsletter signup so that we can send you the newsletter and personalise it with your name. We ask for your name, email and a contact number on our contact form so that we can communicate with you quickly.
Note: quite a lot of shopping cart software collects IP addresses - make sure yours doesn't. Or if it does, declare it here!
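An added example, not part of the original article: one way to keep full IP addresses out of stored logs or order records is to zero the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses before writing them, the same truncation Google Analytics IP anonymization applies. The function names and sample log lines are constructed for illustration, and the client address is assumed to be the first field of each line.

```python
import ipaddress

V4_KEEP_BITS = 24   # keep the first three octets, zero the last one
V6_KEEP_BITS = 48   # keep the first 48 bits, zero the last 80

def anonymize_ip(raw: str) -> str:
    """Return the address with its low bits zeroed, or "-" if it is not an IP."""
    try:
        addr = ipaddress.ip_address(raw.strip().strip("[]"))
    except ValueError:
        return "-"  # never store a value we could not parse and truncate
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) embeds a full IPv4 address: treat it as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = V4_KEEP_BITS if addr.version == 4 else V6_KEEP_BITS
    mask = ((1 << keep) - 1) << (addr.max_prefixlen - keep)
    return str(type(addr)(int(addr) & mask))

def scrub_log_line(line: str) -> str:
    """Anonymize the client address, assumed to be the first field of the line."""
    client, sep, rest = line.partition(" ")
    return anonymize_ip(client) + sep + rest

# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE_LINES = [
    '203.0.113.77 - - [10/May/2018:12:00:00 +0000] "GET /cart HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:12:00:01 +0000] "POST /contact HTTP/1.1" 200 87',
    '::ffff:198.51.100.23 - - [10/May/2018:12:00:02 +0000] "GET / HTTP/1.1" 200 1024',
]

def scrub_all(lines):
    """Scrub every line before it is written to disk or a database."""
    return [scrub_log_line(line) for line in lines]

if __name__ == "__main__":
    for scrubbed in scrub_all(SAMPLE_LINES):
        print(scrubbed)
```
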
Example: We routinely delete all emails from our contact form on an annual basis (or whatever). We keep personal data and order transaction details - name, address, email, phone, products purchased, timestamp, amount spent, etc - for 6 years to comply with revenue purposes.
Example: Our newsletter provider, our payment processor, our webhost, our delivery company. These providers are hired by us to provide services and are not allowed to use your personal data, as they are also bound by data protection requirements.
If you want to understand more about their data privacy policies see this link, this link, this link.
Your personal data may also be provided to relevant third parties in the case of our business being sold, merged or made insolvent.
Example: Your personal data is secured using the most up to date and modern technology. Bear in mind that no system is foolproof. If there's ever a breach, and we hope that never happens - you'll be notified by us in 72 hours. (Note: breach notification within 72h is the rule with GDPR - no hiding it anymore)
Same as the old Privacy Statement: do you market directly or indirectly, and how can visitors opt out of marketing? Under the new GDPR, YOU are responsible for the opt-out for any indirect marketing that you engage in. Ouch ouch ouch.
My view is that you should include a statement that your website forms/shopping cart cannot be used by anyone under 16 years of age (or at least not without a parent's/guardian's permission). The reason for this is that GDPR is tough on those who are obtaining personal data from minors. Ireland has declared the minimum age to be 16. Best avoided. CYA.
Expand this section as necessary, especially if you have a complicated set-up. You have 30 days to comply with any of the requests made below. And you can't charge money for it, unless the requests are ridiculously onerous.
- You have the right to retrieve a copy of your personal data in machine readable format
- You have the right to transfer your data to another provider
- You have the right to request the removal of your data ("right to be forgotten")
- You have the right to request a restriction from processing your data
- You have the right to withdraw your consent to our use of your personal information at any time
- You have the right to have your request dealt with within 30 days of receipt
If you wish to exercise your rights please send details of your request to:
Or by post to:
[NAME OF PERSON]
[FULL ADDRESS DETAILS]
In case of a dispute, you have the right to contact the Data Protection Authority. Please see: https://www.dataprotection.ie