Issue #132
That dreaded privacy policy and GDPR
OK, so we’ve been talking about this exciting, enthralling and downright SEXY topic of… the General Data Protection Regulation (or GDPR).
I know, I know. Contain yourself.
So, we know that two important things here are:
- Getting consent.
- Spelling things out in your privacy policy.
But… how?
First of all, it bears repeating. But, I ain’t a lawyer. 🙂 What I’m spelling out here about the GDPR is my interpretation of things. I could be wrong about some stuff. Consider this… entertainment. OK?
Alright.
It has become standard practice that a site privacy policy looks like a bunch of legal mumbo-jumbo. It is long and it’s boring, and it is stuffed down there in the bottom of the site behind a tiny link. Then, merely having that there is enough. Right?
Well, with the GDPR (and honestly, just being a cool marketer), we want to revisit these things so that the privacy policy is actually readable. In other words, make it plain-spoken and easy to understand for the average person.
Econsultancy has an excellent article which includes 7 questions you need to answer on your privacy policy:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
And then you proceed to answer these questions in a way which is easy to understand.
Some things I would cover in your privacy policy would be:
- Information you collect
- How it is stored
- What you do with it.
- Any third parties that would get it, too.
- What cookies/tracking are going on
- Who your “data protection officer” is (probably just you)
- How to contact you
These are some guidelines. I know everybody would like a template for such a thing, but I’ll leave that to you to search for. I don’t want to get into that territory because, again, I’m not a lawyer.
One other thing that could be a cool touch is to couple your written privacy policy with a video which goes over the big idea. Again, just beint upfront and accessible with your peeps.
If you want to check out my own privacy policy, click here. Yes, I have made some changes to it to try to make it more GDPR-compliant. You can view it as an example, but I am not holding it out as any kind of an ideal. It’s just what I have at this moment.
Now, as for those consents, what do you do?
In most cases, a quick checkbox on the form which says they are OK with their data being collected will suffice.
It gets more complicated if you’re doing multiple things with that same data. If you are, you might have to have more granular checkboxes (aka more than one) for them to agree to several different things at once. For instance, if you were collecting email address and mobile phone number and were intending to communicate to them with both SMS and email, you’d probably need to have a checkbox for each.
With these shorter descriptions on forms, you can link to your privacy policy for more detailed information. There’s no need to have a full privacy document as part of a simple registration form, necessarily.
As time goes on here, we’re going to see more “real world” application of this stuff…. especially after May 25th. So, the confusions that are natural in all this will begin to get ironed out as we see other sites comply.
More coming up. In fact, I think this topic might extend into part of next week here on the Daily.
– David