With just a month now until the GDPR comes into effect, a lot of very small (and some not quite so small) businesses are still finding the prospect of GDPR compliance overwhelming. One aspect of that compliance where I might be able to shine a little light is the website privacy policy. Once again, I am merely sharing my thoughts here, based on my own research and interpretation of the GDPR, so please do not take these words as any form of legal advice.

Very simple websites

Many of the websites I work with are very simple in their functionality. They are essentially brochure websites, very much like this one, with perhaps at most a contact form as the only vehicle for handling personal data. In many cases these micro businesses are barely in profit and in no position to employ professional help to assure them that their website is “compliant”. The owners of websites such as these are understandably confused and alarmed by the technical terms ringing in their ears and the threat of astronomical fines for non-compliance. If that sounds like you, my advice (were you to ask it) would be above all, not to panic. If you fall into this category, in GDPR terms, where you are handling personal data at all, it is likely to be in a way that exposes the data subjects (your website visitors) to very low risk. Frankly, if you were to choose to ignore the whole thing, the consequences would be…null. In my opinion. But since you ask, I would not advise you to ignore the whole thing. By taking a little time to create a simple privacy policy, you will achieve a few things:

  • That warm, fuzzy feeling from having Dealt With It!
  • Demonstrate to clients and, who knows, maybe even the data protection police, that you take privacy seriously, have some awareness of the laws, and have made an effort to comply.
  • Going through the process will make you more aware of your own practices and may even reveal that you were processing data in ways you were not aware of.

Copycat

I do not believe in copying verbatim the privacy policies of other websites. Firstly, of course, that is plagiarism, and secondly, it’s highly unlikely that the privacy policy of another website will be a perfect fit for yours. That said, taking inspiration from other people’s well written privacy policies is a great idea. I wouldn’t suggest for a moment that my own privacy policy is a good example, but feel free to use parts of it, preferably reworded, if you would like to.

Anatomy of a basic privacy policy

  1. State the identity of the data controller – This is a legal entity and should include a registration number where appropriate – in the case of a company, the data controller will be the company. More likely, you are an individual and should state your name. Do not hide behind your business name though, unless it is a company in the legal sense.
  2. State how you can be contacted – A link to your contact page or email address is adequate if you don’t want to disclose your telephone number or address.
  3. State how (if) you collect personal data on your website – If you do not collect any personal data in any way shape or form, just say so. If you have a contact form, try to understand what happens to the data when the submit button is clicked. If your website is self-hosted (you have your own hosting package, perhaps with a WordPress website on it), there’s every chance the data is sent straight to you via email. If you have a hosted website with Squarespace or Wix for example, or use a hosted form such as Jotform, ask them for advice as they may process that data before sending it on to you. If this is the case, just arm yourself with the information and state it in simple terms in your privacy policy.
  4. State what you do with that data and why – Very likely it sits in your email archives. Perhaps indefinitely? Just state that you collect whatever you collect (name and email address perhaps) in order to reply to their enquiry. If you want to be all legal about it, your legal basis for doing this is probably legitimate interest*. You may also want to state how long you keep the data before destroying it.
  5. Cookies – State very simply what a cookie is (see my policy for suggestions). Try to find out if your website is setting cookies, what they are and what they are for, and list them.** State very simply how cookies can be controlled by the user in their browser (see my policy for suggestions).
  6. Users’ rights under GDPR – These are extensive, so my preference is to provide a very brief synopsis, accompanied by a link to more information, and information about how to contact me should they wish to exercise those rights (see my policy for help). This section really is a formality. With a super simple website that does not collect personal data, nobody is going to be exercising those rights!

* You do NOT need a checkbox to record consent on your contact form if all it is used for is to send you a message. If you want to get people to subscribe to your mailing list at the same time, or plan to use their submitted data in any other way, that’s another matter entirely.

**Cookies

This is the trickiest bit for most. I covered cookies in some depth in my previous post, so have a look there if you’re ready to grasp the nettle on this one! If that all sounds too terrifying though, it’s still worth trying to find out what cookies your website uses, and the free Cookiebot tool is very easy to use. Don’t be alarmed when the result comes back saying NON COMPLIANT – they want you to buy their services. What’s especially helpful about the Cookiebot test is that they categorise the cookies for you.

  • If your site sets no cookies – great – say so!
  • If there are cookies in the “statistics” category, just state that the website uses cookies to provide you with statistical information about how it is being used.
  • If there are cookies listed in the marketing category (apart from Google Analytics), you really ought to dig a little deeper, try to understand where these are coming from and clearly state in your cookies section how your visitors may be being tracked and by whom. Likely candidates are Facebook (do you have a pixel installed?), Google (in various guises), AddToAny and ShareThis (social sharing), etc. Do attempt also to provide links to information about how to manage these cookies. In most cases, the companies in question will have information available for you to link to.

Cookie notification banners & consent

If, after using Cookiebot’s free audit tool, it turns out that your website does use cookies of the sort that require consent (that’s pretty much all except those in the necessary category), you do have an obligation to make people aware of the fact and, technically, to gain their consent before placing those cookies. Now, none of this is actually a new requirement under the GDPR. The EU “cookie law” came into force in 2011, at which point we all started seeing the infuriating and now ubiquitous cookie popup banners everywhere.

A note on consent as applied to cookies

At present, in some EU states (e.g. France and The Netherlands), you are required, not just to notify users of the cookies you use, and to assume their implicit consent from their continued use of your website, but in fact to obtain their explicit consent, through an affirmative action (scroll, button click, etc) before placing the cookies on their browsing device. Under GDPR you are also supposed to retain a record of that consent. This is technically a very difficult thing to achieve, and is typically what is provided by the commercial vendors of cookie consent solutions, such as Cookiebot, OneTrust, etc. The same functionality is also available for free from Civic Cookie Control. It’s worth noting that in very few cases (in France at least) is this actually implemented correctly. Yet despite being more than capable of implementing a super-compliant solution like this, and despite being of rather a conservative nature in these regards, after much research and reflection, I have chosen not to do so on the sites that I maintain. This is partly because I find them to be intrusive to users and to have a detrimental impact on the usefulness of whatever services are setting the cookies, and partly because I have a suspicion that within a year they will be redundant.
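To make the "affirmative action before placing cookies, plus a retained record" requirement concrete, here is a minimal consent gate written for this post as an added example (it is not code from the original post or from any of the vendors mentioned). The storage and cookie-writing functions are injected as assumptions so it runs outside a browser; the cookie names and dates are constructed sample values.

```javascript
// Added example: a minimal cookie-consent gate that refuses to place
// non-essential cookies until the visitor has actively opted in, and keeps
// a timestamped record of that decision keyed to the policy version.
// `store` stands in for window.localStorage and `setCookie` for a write to
// document.cookie; both are assumptions so the code runs outside a browser.
const CATEGORIES = ["necessary", "statistics", "marketing"];

function createConsentManager({ store, setCookie, now = () => Date.now(), policyVersion = "2018-04" }) {
  const RECORD_KEY = "cookie-consent-record";

  // Returns the stored consent record, or null if absent or for an older policy text.
  function loadRecord() {
    const raw = store.get(RECORD_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === policyVersion ? rec : null;
  }

  // Records an affirmative decision: `granted` lists the categories the visitor ticked.
  // Strictly necessary cookies need no consent, so that category is always included.
  function recordDecision(granted) {
    const rec = {
      policyVersion,
      timestamp: new Date(now()).toISOString(),
      granted: CATEGORIES.filter(c => c === "necessary" || granted.includes(c)),
    };
    store.set(RECORD_KEY, JSON.stringify(rec));
    return rec;
  }

  function hasConsent(category) {
    if (category === "necessary") return true;
    const rec = loadRecord();
    return rec !== null && rec.granted.includes(category);
  }

  // The gate: place the cookie only if its category has consent. Returns whether it was placed.
  function placeCookie(category, name, value, attributes = "Path=/; Secure; SameSite=Lax") {
    if (!hasConsent(category)) return false;
    setCookie(name, value, attributes);
    return true;
  }

  return { loadRecord, recordDecision, hasConsent, placeCookie };
}

// Walk-through with constructed in-memory stand-ins for localStorage and document.cookie.
function demo() {
  const mem = new Map();
  const placed = [];
  const cm = createConsentManager({
    store: { get: k => (mem.has(k) ? mem.get(k) : null), set: (k, v) => mem.set(k, v) },
    setCookie: (name, value, attrs) => placed.push(`${name}=${value}; ${attrs}`),
    now: () => Date.parse("2018-04-25T10:00:00Z"), // constructed timestamp
  });
  const before = cm.placeCookie("statistics", "_ga", "GA1.2.sample"); // no decision yet: blocked
  cm.recordDecision(["statistics"]);                                    // visitor ticks "statistics" only
  const after = cm.placeCookie("statistics", "_ga", "GA1.2.sample");  // now allowed
  const marketing = cm.placeCookie("marketing", "_fbp", "fb.1.sample"); // never granted: blocked
  return { before, after, marketing, placed, record: cm.loadRecord() };
}
```

The point a practitioner should take from `loadRecord` is that consent is tied to a policy version: change the cookie section of your policy and the old consent no longer counts, so the banner must be shown again.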

If, at this point, you have not implemented any sort of mechanism to notify your visitors of your use of cookies, and if, at this point, it feels like something that would be very difficult to achieve, you might want to sit tight for a bit. At some point next year (2019), the various EU state-specific cookie laws will all be replaced with the uniformly applied, revised e-Privacy Directive, and it looks likely that at last a workable solution might be achieved with the responsibility for cookie management passing from individual website owners, to the browser vendors (Chrome, Firefox, etc). If that turns out not to be the case, at least hopefully the dust will have settled and there will be much greater clarity on our obligations as regards cookie consent.

In conclusion

I hope this slightly irreverent but hopefully pragmatic approach has provided some achievable steps to help you to feel more in control and less daunted by GDPR as applied to your ultra simple website. If your website is not quite so simple however, or if you would like assistance to identify the cookies used by your website, as well as any other potential areas of concern: contact me for a quote.