What Should A Privacy Statement Be Composed Of?


With Data Privacy Day quickly approaching, it’s that time of the year again to review the privacy statements/policies of your favorite websites. In a perfect world, everyone would read privacy policies in their entirety before agreeing to share their personal information with any website. Recent studies show that close to 75% of Americans feel it is important that companies have “easy-to-understand, accessible information about what personal data is collected about them” and “how it is used and with whom it is shared,” but for most people it is simply not realistic to read every privacy statement they come across online.

With the GDPR (General Data Protection Regulation) set to be enforced on May 28, current privacy statements may need some fine-tuning to keep up with the updated requirements. Under GDPR, privacy statements are required to provide more clarity than ever before. Privacy statements should be “concise, transparent, intelligible and easily accessible,” written in clear and plain language, as if addressed to a child. Access to these statements should also be “free of charge.” So what exactly is a “good” privacy statement composed of?

Let’s first determine what a privacy statement isn’t. A privacy statement or policy is not the same as a terms of service (TOS) agreement, which is simply a set of rules and guidelines that one must abide by in order to use the service. A TOS is not required by law, but having one protects website owners and businesses from potential legal issues involving abuse, intellectual property theft, and so on. A privacy statement, on the other hand, may be required by law in some countries and jurisdictions.

In simple terms, a privacy policy is a “statement or a legal document that discloses to the audience that their information is being collected by the website or app.” Even if a website isn’t collecting personally identifiable information (PII) like names, addresses, or credit card numbers, legal experts recommend that every website have a privacy statement regardless. With this in mind, here are some additional pointers for making sure a privacy statement has all the right components, and is in line with the new requirements of GDPR.

A privacy statement should:

  • Explain what kind of information is being collected, why it is collected, and how it is collected and used.
  • Describe who is collecting the personal information and who it is being shared with. The “who” part may include affiliate partners of the website.
  • Dispel any concerns that might cause individuals to object or complain by explicitly clarifying the two points above.
  • Include the contact details of the data controller and the data protection officer (if applicable).

For more detail, Article 13 of the GDPR clearly states what information should be included in a privacy statement. It may seem paradoxical that the GDPR increases the amount of information that should be included in privacy statements while at the same time requiring statements to be concise. However, when looking at the bigger picture, it makes sense: privacy statements should be less generic, eliminate unnecessary clutter, and include only information relevant to users’ privacy concerns.

To learn more, make sure to visit the official website for Data Privacy Day!