This article is written by Arjun Mohandas, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “How Should Privacy Policies and Terms and Conditions be Amended Post GDPR”.
Privacy Policies
A privacy policy discloses how a company collects, uses, manages, stores or discloses its users’ data. A privacy policy is mandatory if a business collects personal information from visitors to its website or application. Many privacy laws throughout the world require companies to share their privacy policies with their customers, so a privacy policy is essential to comply with the privacy laws of different countries. The GDPR, however, imposes stricter requirements. Under the GDPR a privacy policy is an important record for a company, and it is the clearest way to convey that the company takes the data collected from its users seriously. Privacy policies framed to comply with earlier privacy laws are therefore redundant under the GDPR. To be GDPR compliant, companies have to make significant changes to their privacy policies according to the requirements the GDPR prescribes.
Essentials of a GDPR Compliant Privacy Policy
The GDPR sets out various requirements for the information a company should provide in its privacy policy. Article 14 states that users’ attention should be drawn to the privacy policy when they share their personal data. Similarly, Article 15 requires that the privacy policy be made available to everyone whose personal data is processed by the company. A privacy policy must be designed so that it addresses not only current customers but also potential customers and future visitors to the website. A business is required to make the following changes or inclusions in its privacy policy to be GDPR compliant.
Introduction
It is advisable to begin the privacy policy with a short explanation of the company, its legal name and what it does. The privacy policy should state the effective date from which it is in force. If the GDPR requires the company to appoint a Data Protection Officer or an EU Representative to ensure compliance, the details of those officers should be listed in the privacy policy.
Definitions
Even though privacy policies are meant to be read by ordinary users, they have tended to be filled with legal terminology that makes them difficult to understand and contributes to a lack of interest from customers. Article 12, however, requires privacy policies to be communicated in a concise, transparent and easily accessible manner. There are cases where the use of complex terms is unavoidable; in such cases the privacy policy should include a section that defines those terms in plain language.
Principles for Data Processing
Under Article 5, a data controller must comply with six principles governing how personal data is processed. They are:
- Lawfulness, Fairness and Transparency: to obey the law when processing data, to be fair with customers’ data and to be open about data protection practices.
- Purpose Limitation: data must be processed only for the purpose for which it was collected.
- Data Minimisation: data must be processed only to the extent needed.
- Accuracy: to make sure the data held is accurate and adequate.
- Storage Limitation: data should not be stored for longer than required.
- Integrity and Confidentiality: data processing should be secured.
The company should demonstrate its compliance by relating these GDPR principles to the specific principles stated in its own privacy policy.
Types of Personal Data Collected and Processed
The GDPR defines personal data as follows: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Because this definition is so broad, a company is likely to process a great deal of personal data. Personal data can be collected directly by the company, provided by the customer, or gathered through technologies such as cookies and log files. A company should therefore be very clear in its privacy policy about which types of personal data it collects and processes, and should also set out how and why that data is used. The GDPR classifies certain data, such as race, religion and sexual orientation, as “special categories of personal data”, which can be processed only under the specific circumstances provided in Article 9. The privacy policy should inform users about the collection, processing and use of these special categories of personal data.
Legal Basis
Under the GDPR, a legal basis is a justifiable reason for a company or data controller to collect or process an individual’s personal data. Article 6 states that all processing of personal data must rest on one of six lawful bases. They are:
- Consent
- Contract
- Legal obligations
- Vital Interests
- Public tasks
- Legitimate interests
A company should clearly state in its privacy policy which of these bases it relies on to process personal data. If the basis is legitimate interest, it should specify what those legitimate interests are. If the basis is consent, the privacy policy should refer to the user’s right to withdraw consent. If the basis is a contract, the company should describe what happens to the contract if no personal data is provided. It is very important to identify the legal basis or bases and disclose them in the privacy policy.
Retention of Personal Data
A business cannot retain personal data for longer than required. The new privacy policy should clearly specify how long the collected personal data will be retained.
Sharing and Transferring of Personal Data
A company can share personal data if it is transparent about doing so and has a legal basis under the GDPR. The privacy policy needs to give details of such sharing. It is not required to name every company with which data is shared; however, the data processing agreements of some companies, such as Google, require the businesses using their services to name them in their privacy policies.
If a company wishes to transfer personal data to a non-EU country, details of such transfers should be included in the privacy policy. Personal data can be transferred out of the EU only under certain conditions, and the privacy policy should also state under which conditions such transfers are made.
Data Rights
The GDPR grants each individual 8 rights over their personal data.
- The right of access
- The right to be forgotten
- The right to data portability
- The right to be informed
- The right to restrict processing
- The right to rectification
- The right to object
- Rights in relation to automated decision making
The privacy policy should inform users of these individual rights and provide a method by which they can exercise them, such as a web form or an email address. Not all rights apply to every type of business.
The policy should also mention the user’s right to lodge a complaint with a Data Protection Authority, such as the Information Commissioner’s Office in the UK.
Changes to Privacy Policy
A privacy policy should always inform users that it may be changed, and should describe how the company will notify users of such changes.
Displaying the Privacy Policy
A privacy policy is not a contract, so a business may not consider it as important for users to read it as it does its terms and conditions. A company should nevertheless make sure that it is read, which means the privacy policy should be easily accessible. It is good practice to draw users’ attention to it at the points where user data is collected and where consent is obtained. It can also be placed alongside other policies such as the terms of use and the cookie notice. It is also important that the privacy policy is linked from the automated emails sent to users for direct marketing.
Consent
Under the GDPR, consent needs to be freely given and informed. A company cannot legally claim that a user has agreed to its privacy policy and terms if consent is merely assumed from the user being active on the website. Consent must be given expressly, for example by ticking an unchecked opt-in box. Pre-checked boxes that rely on customer inaction to assume consent are not valid under the GDPR. Privacy policies should specify the consent requirements for processing the personal data of children: according to Article 8, the consent of a parent or caretaker must be obtained to process the data of children under 16. Consent is also required if a business uses cookies and has EU customers; a cookie consent solution should be implemented before cookies are placed on user devices. The GDPR also requires companies to keep a record of the consent collected.
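The consent requirements above, as an added example that is not part of the article: a small JavaScript model that rejects pre-checked or inferred consent, requires parental consent for users under 16, keeps a consent record, and withholds non-essential cookies until a valid, unwithdrawn record covers the purpose. The policy version, event fields and the cookie "jar" are all constructed for the example.

```javascript
// Added example (not from the article): gating non-essential cookies on
// explicit, recorded consent. All names and sample values are constructed.

const POLICY_VERSION = "privacy-policy-v2"; // constructed: the version the user consents to

// Check a consent event against the conditions the article lists:
// an explicit opt-in action, no pre-checked box, nothing inferred from mere
// activity on the site, and parental consent for a child under 16 (Article 8).
function evaluateConsent(event) {
  const reasons = [];
  if (event.boxPrechecked) reasons.push("pre-checked box: inaction is not consent");
  if (!event.userTicked) reasons.push("no explicit opt-in action");
  if (event.inferredFromActivity) reasons.push("consent inferred from browsing is not valid");
  if (Number.isInteger(event.age) && event.age < 16 && !event.parentalConsent) {
    reasons.push("under 16: parental or caretaker consent required");
  }
  return { valid: reasons.length === 0, reasons };
}

// Build the record a controller must keep: who consented, to which purposes,
// to which policy version, and when. Returns null when consent is not valid.
function recordConsent(event, now) {
  if (!evaluateConsent(event).valid) return null;
  return {
    subjectId: event.subjectId,
    purposes: [...event.purposes],
    policyVersion: POLICY_VERSION,
    consentedAt: now.toISOString(),
    withdrawnAt: null,
  };
}

// Consent can be withdrawn at any time; keep the original record and mark the time.
function withdrawConsent(record, now) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Place a cookie for a purpose only while a valid, unwithdrawn record covers it.
// `jar` stands in for document.cookie (a Map, so the example runs offline).
function placeCookie(jar, record, purpose, value) {
  if (!record || record.withdrawnAt || !record.purposes.includes(purpose)) return false;
  jar.set(purpose, value);
  return true;
}
```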
Terms and Conditions
Privacy policies are of great importance under the GDPR. They ensure that users of a website are aware of their privacy and individual rights, and it is mandatory for a business to ensure that its privacy policy is GDPR compliant. Terms and conditions, by contrast, are a set of rules and disclaimers that users must abide by while using an app or website. Terms and conditions and privacy policies differ in both nature and purpose. Terms and conditions offer more protection to the company by requiring users to follow certain rules in order to use the services it provides; they include clauses such as limitation of liability, disclaimer of warranties, and payment and refund policies, which protect the business from various risks. Privacy policies are required by privacy laws to protect users and ensure proper business practices. Because the two documents serve different purposes, terms and conditions are not made mandatory under the GDPR. The GDPR is a law concerned with privacy, and terms and conditions are not related to privacy, so the GDPR has not directly affected a company’s terms and conditions.
The GDPR does not mention terms and conditions or any specific clauses to be included in a business’s terms and conditions. To be GDPR compliant, a business changes its privacy policy and business policies, and there may be situations where these changes create inconsistencies in its terms and conditions. For instance, the GDPR requires certain changes to privacy policies for the processing of children’s data, such as requiring children to obtain parental consent before using a site. This change in the privacy policy can also alter the related terms and conditions. The GDPR requires children to be 16 years old to consent to the processing of their own data; for that reason, the tech giants WhatsApp and Facebook altered their terms in the European region and raised the minimum age for creating an account to 16. Terms and conditions can also contain information about the privacy policy that has to be changed under the GDPR. Unlike the privacy policy, the GDPR does not require consent to be obtained for the terms and conditions. While it is not required by law, companies often obtain consent to their terms together with their privacy policy to make the terms more enforceable in court. Changes to a business’s various policies can always indirectly affect its terms and conditions. To avoid such inconsistencies, companies usually re-review their terms and conditions after changing their privacy policy and business policies for GDPR compliance.
Changes in Privacy Policies of Tech Giants
Since the GDPR came into force, there have been several changes to the policies of various tech giants, ranging from changes in how consent is obtained to changes in privacy policies, cookie policies and terms of use. The privacy policies of major tech companies such as Google, Facebook and Amazon were changed to ensure GDPR compliance. Google has improved the interface of its privacy policy by illustrating the policy with pictures and videos. Facebook has completely redesigned its “Download Your Information” tool after keeping it the same for the past 8 years. Many small changes have been made to the privacy policies of various sites, but not much has changed in the way these sites collect or use users’ personal data. Instagram has now started providing a data download tool. A comparison of the privacy policies of various tech giants before and after the GDPR came into force is given below.
Privacy Policy Before GDPR

COMPANY | WORDCOUNT
 | 2722
 | 5420
 | 5524
Amazon | 2627
Wikipedia | 2881
Yahoo | 1661
 | 3764
eBay | 5244
 | 2981
Netflix | 3046

Privacy Policy After GDPR

COMPANY | WORDCOUNT
 | 4036
 | 4233
 | 3414
Amazon | 3837
Wikipedia | 5617
Yahoo | 2225
 | 4880
eBay | 5666
 | 4221
Netflix | 3417
It is quite clear that the major tech companies have changed the word count and reading level of their policies. Google’s privacy policy has grown by more than 48 per cent for GDPR compliance. Facebook and Reddit are the only companies whose word count decreased post-GDPR. Meanwhile, Wikipedia has increased its word count by 95% to ensure GDPR compliance. The average increase in word count is expected to be around 25%. It takes more than 3 hours to read these policies in total.
Conclusion
The GDPR was indeed the biggest regulatory framework introduced for data privacy, and it has increased awareness of data protection and privacy. Many large and small businesses were forced to become GDPR compliant to keep their business running smoothly, especially in the European Union. As a result, privacy policies and business policies were also affected. These changes to privacy policies were made mandatory to ensure the privacy of personal data. Despite the changes in the privacy policies of various tech giants, it is questionable how effective they have been in protecting users’ privacy. Users faced a great deal of consent fatigue from giving consent to several policies from various companies. The GDPR gives users various rights to protect their personal data, but these rights have to be communicated to users through a company’s privacy policy and terms, and users get tired of reading the policies and terms of different sites. It takes an average of 15 minutes to go through the terms and policies of each website or application a user uses daily. Large businesses have also succeeded in using this consent fatigue to their advantage. Most companies have increased the word count of their privacy policies, so reading time and reading level have increased as well, which annoys users. They find it impractical to understand the many privacy policies and terms they are bombarded with in their daily use of websites and applications. The GDPR has resulted in a monumental increase in the number of privacy-related complaints from individuals and data breach reports from companies. On the other hand, research indicates that investment in start-ups in the European Economic Area has gone down.
Big companies like Google, Amazon and Facebook, despite being subjected to more stringent privacy policies and requirements, have increased their dominance without making significant changes to their practices in collecting, using and handling personal data.