The European Union’s General Data Protection Regulation (GDPR) is designed to help EU residents make informed decisions about how their personal data is collected and used. 

That’s why a privacy notice is an important way of informing customers how your organization collects and uses their data and a key step in becoming compliant with GDPR.

What is a GDPR privacy notice?

Your privacy notice is an external document that explains to users and customers how your company collects their private personal data, how you process it, who you share it with, and for what purposes. 

A privacy notice or some kind of statement that explains an organization’s privacy practices in plain language is required by GDPR. This notice must also give users the option to opt out of processing of personal data.

Since GDPR is primarily concerned with giving consumers greater insights into and control over who is collecting their data and why, this notice must be “easily accessible.” Many organizations put it on their website to comply with this requirement. 

It is important to note that a privacy notice is different from a privacy policy, although those terms are often used interchangeably. 

GDPR does not require a formal internal privacy policy that dictates how your team handles personal data. However, it is a good idea to create this type of policy and share it with employees to outline how personal data should be handled and protected to be compliant with GDPR.

GDPR Privacy Notice Requirements

According to GDPR requirements, a privacy notice must be concise, transparent, intelligible, and easily accessible and written in clear and plain language. 

A common practice is to link your privacy notice in a highly visible place on your website, like the footer — plus anywhere you collect personal information like names and contact information. 

GDPR also includes requirements for what information must be included in a privacy notice. While these vary slightly depending on whether an organization collects its data directly from an individual or receives it as a third party, a privacy notice usually covers: 

  • Exactly what categories of personal data you’re collecting 
  • Why you’re collecting personal user data (your legal basis or lawful basis under GDPR)
  • How you’re collecting personal data, including whether you’re the data controller or data processor (or both)
  • How you will use the personal data you collect (e.g., for marketing purposes), how long it will be kept, and how you’ll dispose of it
  • How users can opt out and/or request erasure of their personal data, including a phone number or address they can use to contact you

GDPR Privacy Notice Guidelines

The European Commission (EC) published some guidelines to help organizations write GDPR-compliant privacy notices. Below are some of those tips: 

  • Avoid using qualifiers such as “may,” “might,” “some,” and “often”
  • Use the active tense
  • Use bullet points to highlight important content
  • Avoid complex sentence structures
  • Avoid legalistic and technical jargon

The EC included some examples of clear language that should be used in a privacy notice, as well as unclear language that should be avoided. 

  • Clear: “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in.”
  • Unclear: “We may use your personal data to develop new services.”

Now let’s take a look at some actual privacy notices that can be found on websites today.

GDPR Privacy Notice Examples

Whenever you’re creating a new policy for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own. 

The Walt Disney Company

The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences is based in large part on its ability to collect relevant data and tailor your experience based on your preferences and past behaviors. 

This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data it collects and who it shares that data with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights. 

Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.

Google

Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed. 

Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service. 

Google also includes helpful video snippets throughout their privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data. 

Meta 

Meta’s Privacy Center is similar to Google’s, with a table of contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms. 

This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.

One thing Meta does particularly well is include specific “Take control” callouts that make it easy for users to exercise their data privacy rights. 

FAQs

When must you provide the privacy notice?

If your organization falls within the scope of GDPR, you must provide a privacy notice, or some kind of statement that explains your organization’s privacy practices in plain language and gives users the option to opt out of processing of personal data. This information shall be provided in writing or by other means, including by electronic means or orally if requested by the data subject.

Who must receive a privacy notice?

According to GDPR, a privacy notice should be "easily accessible" by any data subject. In order to comply, many organizations publish it on their website.

What does a privacy notice disclose?

A privacy notice discloses how your company collects private personal data, how you process it, who you share it with, and for what purposes. More specifically, if an organization is collecting information from individuals directly, then their notice must disclose:

  • The identity and contact details of the organization and, where applicable, its representative and Data Protection Officer
  • The legal basis and intended purposes for the data processing
  • The legitimate interests of the organization (or third party, where applicable)
  • Any recipient or categories of recipients of an individual’s data
  • The details regarding any transfer of personal data to a third country or international organization
  • The retention period for the data, if possible
  • The existence of data subject rights
  • The right to withdraw consent at any time (where relevant)
  • The right to lodge a complaint with a supervisory authority
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data if so
  • The existence of an automated decision-making system

If an organization obtains personal data indirectly, then its privacy notice must disclose all the same information, except for whether the provision of personal data is part of a statutory or contractual requirement or obligation. Instead, it must add the categories of personal data obtained.