The European Union’s General Data Protection Regulation (GDPR) is designed to help EU residents make informed decisions about how their personal data is collected and used.
That’s why a privacy notice is an important way of informing customers how your organization collects and uses their data and a key step in becoming compliant with GDPR.
What is a GDPR privacy notice?
Your privacy notice is an external document that explains to users and customers what personal data your company collects, how you process it, who you share it with, and for what purposes.
GDPR requires a privacy notice, or an equivalent statement, that explains an organization’s privacy practices in plain language. The notice must also tell users what rights they have over their personal data, including the right to object to certain kinds of processing and, where processing is based on consent, the right to withdraw that consent at any time.
Since GDPR is primarily concerned with giving consumers greater insights into and control over who is collecting their data and why, this notice must be “easily accessible.” Many organizations put it on their website to comply with this requirement.
GDPR Privacy Notice Requirements
According to GDPR requirements, a privacy notice must be concise, transparent, intelligible, and easily accessible and written in clear and plain language.
A common practice is to link your privacy notice in a highly visible place on your website, like the footer — plus anywhere you collect personal information like names and contact information.
GDPR also specifies what information a privacy notice must contain. The exact list varies slightly depending on whether an organization collects the data directly from the individual (Article 13) or obtains it from another source (Article 14), but a privacy notice usually covers:
- Exactly what categories of personal data you’re collecting and, if you did not collect it from the individual, where it came from
- Why you’re collecting personal data (the purposes, and your lawful basis for each purpose under GDPR)
- Who is collecting it: the identity and contact details of the data controller, and of the data protection officer if you have appointed one
- How you will use the personal data you collect (e.g., for marketing purposes), who you share it with, how long it will be kept, and how you’ll dispose of it
- What rights users have, including how they can object to processing, withdraw consent, or request access to, correction of, or erasure of their personal data; how to contact you to exercise those rights (e.g., an email address, phone number, or postal address); and their right to lodge a complaint with a supervisory authority
GDPR Privacy Notice Guidelines
The Article 29 Working Party, the EU body of national data protection authorities that has since been replaced by the European Data Protection Board, published guidelines on transparency to help organizations write GDPR-compliant privacy notices. Below are some of those tips:
- Avoid using qualifiers such as “may,” “might,” “some,” and “often”
- Use the active voice rather than the passive
- Use bullet points to highlight important content
- Avoid complex sentence structures
- Avoid legalistic and technical jargon
The guidelines include examples of clear language that should be used in a privacy notice, as well as unclear language that should be avoided.
- Clear: “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in.”
- Unclear: “We may use your personal data to develop new services”
Now let’s take a look at some actual privacy notices that can be found on websites today.
GDPR Privacy Notice Examples
Whenever you’re creating a new policy for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own.
The Walt Disney Company
The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences rests in large part on its ability to collect relevant data and tailor your experience based on your preferences and past behaviors.
This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data it collects and who it shares that data with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights.
Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.
Google
Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed.
Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service.
Google also includes helpful video snippets throughout its privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data.
Meta
Meta’s Privacy Center is similar to Google’s, with a table of contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms.
This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.
One thing Meta does particularly well is including specific “Take control” callouts that make it easy for users to exercise their data privacy rights directly from the notice.