
What does privacy policy mean?

11 November 2021. Reading time: 6 min.

What’s meant by privacy policy? Why must each website have information that clearly illustrates how user data are collected, used, and managed? What are the penalties in case of failure to comply with the GDPR?

Blog and website managers are becoming obsessed with GDPR compliance and the need to draft their own privacy policy. Now, why is it necessary to draft a document that clearly illustrates how data are collected and managed? Above all, what must it contain?

Users leave personal data such as names, surnames, and addresses on the Internet, along with many other pieces of information that identify them and track their web behavior. In recent years, the legislator has paid particular attention to behavioral data collection for profiling purposes by websites. Hence, the use of such data is now allowed only after the user’s informed consent. The European Parliament has regulated the matter with the General Data Protection Regulation (GDPR 2016/679) which, among other things, obliges all website operators to draft a privacy policy.

What’s a privacy policy?

The legislator established the protection of users’ online privacy as the primary objective for every blog or website manager.

The privacy policy is the document that every website must draft to specify how personal data are managed. The information must be as detailed as possible and clearly illustrate how visitors’ personal data will be processed and managed so that users can freely express their explicit and informed consent. Notably, personal data include the cookies used by Google Analytics to track visitor behavior.

As mentioned, the obligation to draw up a privacy policy for all websites stems from the EU regulation. Below, find out what it is and what it establishes.

What is GDPR?

The General Data Protection Regulation 2016/679 (a.k.a. GDPR) governs and harmonizes all European laws on the subject through 99 articles and 173 “recitals”. Every State of the Union must, therefore, implement it without margins of freedom. The Regulation was published in the Official Journal of the European Union on May 4, 2016 and entered into force on May 25, 2018. Since this date, GDPR compliance has thus become mandatory for all EU states. 

The regulation establishes that data must be processed exclusively after the informed consent of the interested party, who must know how they’re collected and used, as well as the possible risks associated with their processing. It’s not just a matter of the right to the protection of personal data, which had already been established by Directive 95/46. Rather, it entails a proprietary vision of data where informative self-determination is the cardinal principle.

Hence the relevance of every website manager having a clear and comprehensive document on the privacy policy of their site.

Characteristics of the privacy policy

The information is meant to inform the user about the purposes and methods of data processing carried out by the owner. Therefore, it must be clear, exhaustive, and as detailed as possible. It must be divided into paragraphs indicating the controller of the data processing, the user’s rights, the type of data processed, their conservation, the place and purpose of the processing, the cookies issued by the site, and the links to external content (plus ways to change settings).

Ensuring transparency and correctness of the processing, from collection to management, is a duty of the data controller who must also demonstrate that he/she can do so at any time. 

Essentially, the privacy policy must indicate:

  • the data controller and the data protection officer
  • the personal data subject to processing
  • place and purpose of the processing
  • legal basis for processing
  • the recipients 
  • transfers of personal data (especially if to non-EU countries)
  • methods and period of conservation
  • rights of the data subject
  • complaint procedure
  • cookies involved
  • links to external content
  • how to change settings

In the case of e-commerce sites, the GDPR expressly provides that each owner is responsible for the processing and must demonstrate its security to the control body through the processing records. 

Who should draft the privacy policy?

The privacy policy information should be drafted by the Data Controller, that is, the legal representative of the website. In fact, this figure is obliged to establish the purposes and means of data collection and processing. The Data Controller can also delegate a close associate, a.k.a. a Privacy Manager, as long as the document clearly states his/her identity. 

The information must be as relevant as possible to the specific case, i.e. customized on the website and not “copied”. This is why it’s advisable to rely on professionals regarding the subject.

Privacy policy duty

The privacy policy is an indispensable document for every website. It’s a duty and not a choice because the processing of visitor data is both professionally key and expressly regulated. Collecting, storing, and analyzing information is a vital activity for a web marketer. In fact, it allows for designing and implementing extremely personalized and, therefore, effective campaigns. But it’s equally important to do so in full compliance with the privacy rules.

Until a few years ago, the perspective of obligations regarding personal data was that of collection abuse. Today, it’s rather about the obligation to manage privacy and process a record system that’s regularly updated and compliant with the GDPR. 

This is the logic of accountability, i.e. the correct organization and mandatory traceability of the tracking activities. Anyone who fails to ensure proper data collection and management incurs penalties (regardless of abuse).

Fines: what happens if a site doesn’t have a privacy policy?

The user who considers his/her own privacy right violated shall transmit a request for immediate cessation of the unlawful behavior to the data controller. If the answer does not arrive within 30 days or if the interested party considers it insufficient, then he/she can send an appeal, a complaint, or a report to the Guarantor. 

The GDPR even provides penalties of up to 20 million euros in case of personal data breach. In order to verify compliance with the legislation, it has created the figure of the Data Protection Officer (DPO).

Sanctions are divided into two brackets. They’re triggered according to the severity of the misconduct:

  • the first reaches up to a maximum of 10 million euros or 2% of turnover if this is higher;
  • the second up to a maximum of 20 million or 4% of turnover.

In the event that the violation has also damaged the data subject, then compensation must be included.

Privacy policy templates and examples

Draft an effective privacy policy by just relying on legal requirements. For a website privacy policy, the GDPR template offers detailed information. Indeed, avoid any “bureaucratese”. Be simple and direct. The information can be published on the website with a link to the home page.

You must customize the privacy policy to the specifics of the website. Avoid any copy/paste from other sites. You may want to rely on some CMSs.

Create your privacy policy with WordPress

WordPress is probably one of the most popular Content Management Systems (CMS), which also offers support for creating privacy policies. In fact, in the menu’s Privacy section, you’ll find a standard website privacy policy template that can be modified and customized. The CMS offers detailed guidelines for drafting valid privacy policies with numerous dedicated plugins. This, however, can’t ensure a 100% correct privacy policy, nor guarantee against the risk of sanctions. 

Privacy and Cookie Policy

Cookies are often mentioned in the context of personal data. What are cookies on websites?

In short, they can be represented as small text files saved in the browser while visiting the site. They are divided into two types:

  • first-party cookies, which are stored on the domain browsed by the user
  • third-party cookies, which are stored on another domain

Third-party cookies make it possible to track the behavior of a user on the web, and therefore his/her habits and interests.

On the privacy side, the spotlight is precisely on third-party cookies. This has prompted major browsers like Firefox, Edge, and Safari to abandon them, while Google Chrome has proposed a gradual process of elimination, ending in 2023. 

The privacy policy must always indicate the cookies it conveys and how to disable them.

The Guarantor has specified that the cookie section must be an integral part of the privacy policy and not a separate document. If it’s on a different page, then it must contain the link to the Information.

If in this transition period from now to 2023 data are collected from third parties, then the privacy policy must indicate:

  • the categories of personal data being processed
  • the personal data source

Finally, the privacy policy can be updated, both because the Data Controller can change and the website may implement new technology. For this reason, users are invited to visit it periodically.

To conclude, we can’t underestimate the importance of adhering to the European regulation on privacy — nor panic.      

This article was written by

Paola Alunni

A professional journalist, she has written about politics and justice for Giuffré, Sole24ore and Italian press agencies, and then dedicated herself to institutional communication for the Presidency of the Council of Ministers. For some years she has dedicated herself to web content and SEO copywriting, coordinating a copywriter platform.
