Is Copying Someone Else’s Privacy Statement Good Enough Post GDPR?

With GDPR compliance now a legal requirement for all organisations, many webmasters are looking for a quick way to get their websites compliant. Is copying someone else’s privacy statement a good way to do this? In this article, we discuss just that.

The purpose of the EU’s General Data Protection Regulation (GDPR) is to provide standardised data protection laws across the EU. In doing so, it protects people’s individual rights to personal data and privacy.

However, while the data protection laws are standardised, the application of these laws differs between organisations. Because of this, your privacy statement has to be specific to you and your processing activity. It cannot be generic under the GDPR.

Copying someone else’s privacy policy

Unless they are copied and pasted, no two privacy policies are the same, just as no two businesses are the same. Every business has its own way of doing things, which is why most take the time to craft a custom privacy policy.

However, copying the bare bones of someone else’s privacy policy is common practice in industries where the players use personal information in the same way. A good example is retail, which is why so many privacy policies look the same across e-commerce. This isn’t limited to unaffiliated businesses either; businesses with a group of companies tend to use one single privacy policy across their websites.

The issue with doing this is that it’s easy to copy mistakes. It’s also lazy and introduces the risk of irrelevance and inaccuracies, which goes against the transparency principles of the GDPR. For example, where one website uses Google Analytics another may not. Where one site uses DoubleClick another may not.

Now we know what you’re thinking: what if I proof and edit someone else’s privacy template so the legalese is there but it’s specific to my business?

That might work for complying with the GDPR. But it isn’t the moral thing to do, and if you copy a custom privacy policy that’s unique to the source, there’s also the legal issue of infringing the source’s copyright. If you do this and the other party finds out, they can get the infringing content removed from Google with a DMCA request. This is a very real prospect. They may even take legal action against you.

So, copying someone else’s privacy policy may land you in legal bother. Is it worth it? No, absolutely not. So, what about templates?

Using a privacy policy generator or template

Generating a privacy policy with an online generator or using a pre-written template means your privacy policy will be exactly the same as thousands of others. You won’t face copyright issues, but the template won’t be great.

The main issue with generators is they are very, very generic. Under the GDPR, you are required by law to be very specific about how and why you collect data. You must also list all the third parties who have access to the data.

The risk you face is non-compliance, very simply. But that’s not to say you will be non-compliant with a generated template. Indeed, you may pass your requirements under the GDPR by using a generic template, but only if your disclosures are detailed, understandable and fully accessible for your users.

Whichever route you go down - copy, generate or create from scratch - you will need to identify the key disclosure requirements your privacy policy needs.

What should my privacy statement include?

Your privacy statement is a public statement of how your organisation applies data protection to its own processing activities. The framework that guides this is the GDPR, so a review of the Regulation’s literature is needed.

Article 13 of the GDPR makes it clear a privacy statement must include the following:

1. The identity and the contact details of the controller and, where applicable, of the controller’s representative;

2. The contact details of the data protection officer, where applicable;

3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

4. Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

5. The recipients or categories of recipients of the personal data, if any;

6. Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Your privacy statement must also:

· Confirm whether the information will be transferred to a third country or recipient outside the EEA. If not, no further note is needed. If yes, confirm the level of protection the data shall receive in accordance with the third country’s laws;

· Confirm the envisaged time limits for erasure of different categories of personal data or, if not possible, the criteria used to determine this period;

· Disclose where you are relying on the data subject’s consent to process their data. For example, by ‘opt-in box’ or by ‘website navigation’;

· Disclose whether the provision of personal data is a statutory or contractual requirement, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;

· Disclose the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4);

· Disclose the data subjects' rights to complain to the Information Commissioner’s Office (ICO) and how to do this.

As you can see, there are a lot of elements here which are business-specific and therefore cannot be copied from someone else’s privacy notice. When creating yours, you must approach it with a clear understanding of what data you are collecting, how you are collecting it and why you are collecting it. Only with this insight can you create a privacy statement that is accurate and transparent.

How the above information points apply to your privacy policy depends on the type of cookies you use, the type and scope of information you collect and what purpose you use personal data for. If your organisation can’t answer these questions, appointing a DPO (data protection officer) is the logical next step for you.