From our home address and mobile phone number to our browsing and purchase history – we hand over a great deal of information to websites and it’s not always obvious how much information companies have, and what they do with it. Now more than ever, the onus is on website owners to handle this information responsibly, but to also be transparent about the way they use it.
In fact, transparency is increasingly considered a trust signal for consumers. Consumers value privacy and over the past few years the laws have evolved to favour people’s right to privacy – the introduction of GDPR in 2018 being a prime example.
What is personal information?
Personal information is data that can, on its own or when combined with other data, identify someone. Below are some examples, rather than an exhaustive list.
- Email address
- Home address
- Mobile/telephone number
- Browsing activity
- Purchase history
- Payment details
What areas of your website might collect personal data?
- Analytics & Tracking – Google Analytics, Microsoft Clarity, or other tracking software & tools
- Promotions and competitions
- Email newsletter sign-ups
- Contact forms
- Online subscriptions / member account registration
- Comment sections
Whenever a user decides to hand over personal information, you should also display a clear tick box asking for their permission to have their details stored by you.
When a customer makes a purchase with you, it’s important not to automatically sign them up to receive your email newsletter or other marketing materials – otherwise this could land you in trouble. They MUST give consent first. You should also make it clear to customers how they can unsubscribe from all non-essential communications, including email newsletters and text messages.
This is what the Information Commissioner’s Office (ICO) has to say on the matter:
- You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
- You must ensure that you do not do anything with the data in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about how you will use their personal data.
What happens if you breach GDPR?
Every now and again, the national news carries a story of a large corporation or organisation breaching privacy laws. Stories such as the ‘Cambridge Analytica’ scandal can make businesses large and small feel a little uneasy and wonder whether their own privacy practices are up to scratch.
Breaches of GDPR have legal implications, including financial penalties and detrimental impacts on reputation – something that businesses should avoid.
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest.
‘The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.’
That being said, you can copy over the bare bones and structure of a policy if the website in question uses personal information in a similar way to you. Just remember to change the company name and details, and anything that doesn’t apply to your site.
- Company details – including official business name, address and contact details
- What personal data you collect
- How you use the data
- How long data is stored
- Where the data is stored
- What rights the customers have over their information
- What information is sent to third parties
- Who has access to the data
- Details of any remarketing tracking
Not sure you’ve got it right?
If you have any doubts about implementing privacy on your website, it can be worth getting a second opinion from a solicitor who specialises in this area of the law. They can review your website to make sure it’s 100% privacy compliant.
How does privacy differ between ecommerce and non-ecommerce websites?
Final thoughts on privacy policies