GDPR, like CCPA, requires a privacy notice that explains an organization’s privacy practices in plain language. A common practice is to have this privacy statement publicly available on your website. It must also give users the option to opt out of processing of personal data.
| | Privacy policy (internal) | Privacy notice (external) |
|---|---|---|
| Who is it for? | Internal document for employees | External document for customers |
| Is it required to comply with GDPR and/or CCPA? | Not required by data privacy laws, but recommended to clarify how employees should handle personal data | Required by GDPR and CCPA |
| What requirements must it follow? | No legal requirements | Must be concise, transparent, intelligible, and easily accessible |
- What type of data you collect from users, whether it’s contact information, payment information, demographic data, etc.
- Why you collect personal data
- Where you store personal data, for how long, and how you dispose of it
- Whether you share personal data with any third parties, such as service providers, advertising partners, or business affiliates
- How you ensure the data you collect is accurate and sufficiently protected
- How your team should respond in the event of a data breach
- What kinds of rights data subjects have over their personal data and how your team is expected to respond to consumer requests
- Who within the organization is responsible for overseeing data protection
What to include in a GDPR-compliant privacy notice
A typical privacy notice includes a few common elements. It usually covers:
- What categories of personal data you’re collecting
- Why you’re collecting personal user data (your legal basis or lawful basis under GDPR)
- How you’re collecting personal data, including whether you’re the data controller or data processor (or both)
- How you will use the personal data you collect (e.g., for marketing purposes), how long it will be kept, and how you’ll dispose of it
- How users can opt out and/or request erasure of their personal data, including a phone number or address they can use to contact you
- What rights data subjects have, including the right to lodge a complaint with a supervisory authority
- Whether personal data is transferred to a third country and what safeguards are in place
- Whether automated decision-making is used and, if so, how it has been set up and what its significance is
GDPR requirements state that you must explain how you process data in “a concise, transparent, intelligible, and easily accessible form.”
A common practice is to make your privacy notice publicly available on your website, linked in a highly visible place and written in clear, direct language. The link typically sits in the footer of your website and anywhere you collect personal information such as names and contact details.
GDPR Privacy Notice Examples
Whenever you’re creating a new policy for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own.
Please note that some are referred to as privacy policies but they are public documents that describe the organization’s data processing activities.
1. Moss Adams
Moss Adams provides a clear, comprehensive privacy notice that other organizations can use as inspiration when getting started on their own.
This information is broken down into sections and subsections that use headings and bulleted lists to make it easier to read.
2. Amazon
Amazon.com structures its privacy notice like an FAQ page, providing answers to commonly asked questions like “For what purposes does Amazon use your personal information?” and “What about cookies and other identifiers?” Each question listed at the top of the notice is linked so that users can jump to a specific section or scroll from the top.
Since GDPR, like CCPA, was designed to provide consumers with greater insight into and control over how businesses collect and use their personal information, Amazon dedicates a section of its privacy notice to all the choices consumers have with respect to their information. They can adjust their customer communication preferences, adjust their advertising preferences, edit their browsing history, and more.
3. The Walt Disney Company
The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences is based in large part on its ability to collect relevant data and tailor your experience to your preferences and past behaviors.
This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data it collects and who it shares them with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights.
Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.
4. Google
Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed.
Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service.
Google also includes helpful video snippets throughout its privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data.
5. Meta
Meta’s Privacy Center is similar to Google’s, with a table of contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms.
This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.
One thing Meta does particularly well is include specific “Take control” callouts that make it easy for users to exercise their data privacy rights.
Get help verifying and maintaining GDPR compliance
Knowing that your policies and procedures are compliant with GDPR requirements can be tricky, especially when you’re trying to build them from scratch.
With Secureframe, you’ll get access to a library of policy templates that have been vetted by former auditors and compliance experts. You’ll get GDPR training for employees, save time with automated evidence collection, and stay up to date with the latest GDPR requirements. Our team of experts will also notify you of any changes in regulation so you can stay compliant.
To learn more, schedule a demo of our security and compliance automation platform.