
Introduction

Consumers are increasingly concerned about how companies collect and use their personal data, and they’re even willing to change their spending habits because of it. Meanwhile, data protection authorities are ramping up enforcement of privacy laws.

This has led to renewed focus on privacy by design, a framework that enables organizations to deliver better and more trusted user experiences long term, achieve and maintain privacy compliance, and ensure the critical flow of data to drive revenue.

First introduced in the 1990s, the concept of “privacy by design” gained significant attention with the EU’s key data protection legislation, the GDPR, where it is the basis of Art. 25. The core principle is that privacy should be built into companies’ processes, products, and services at every stage of development, from conception through implementation to usage.

In other words, privacy should be a central consideration right from the design stage, rather than being thought about and added retroactively when companies get worried about privacy compliance.

We explore what privacy by design is, why it’s important, and how you can build its core principles effectively into your business.

What is privacy by design?

Privacy by design is a concept that advocates for user privacy and data protection compliance to be embedded into nearly every way companies function and deliver products and services, including directly into the design specifications of technologies, business practices, and physical infrastructures.

As a framework for privacy protection, it requires thinking about and implementing privacy measures right from the onset of projects that involve the processing of personal data, from planning and design through to deployment, maintenance, and updates.

How is privacy by design implemented?

Building privacy by design into processes like software development seems obvious, but it can be equally important to include it in projects like user persona development. During this process, you should ask yourself questions like:

Privacy by design should be integrated into numerous aspects of projects and operations and not limited to website cookie use or designing forms or databases. This helps you achieve better UX, privacy compliance, and smoother update rollouts.

Beyond active building work such as software development, privacy by design also needs to be included in day-to-day operations like customer support, advertising, and partnership building.

Why is privacy by design important?

Privacy by design enables businesses to build data protection practices into product offerings, which is part of what makes it so important. This helps safeguard potentially sensitive user information and helps ensure regulatory compliance in a way that’s streamlined, scalable, and fully aligned with other areas of the business.

Here are six key reasons privacy by design is so important for businesses.

1. App monetization and privacy go hand in hand

Increasingly, large advertisers won’t invest in publishers that fail to collect consent strings in accordance with the latest privacy principles. Even programmatic advertising, the most lucrative way to use real-time data, requires consent from end users. Publishers that want access to premium ad inventory need to prove they collect valid consent.

Data privacy is an increasingly relevant topic to app developers, with three key driving factors:

  1. Regulatory bodies are pushing for stronger regulation in the app industry.
  2. Premium advertisers increasingly won’t buy inventory where consent hasn’t been collected in a compliant manner.
  3. App developers and companies are realizing that their current business model isn’t sustainable or scalable without a privacy strategy from the start of application development.

Getting consent without disrupting the user experience (UX) is also crucial. This is particularly important for mobile game and application developers, since these users have smaller screens and tend to be more impatient compared to those using desktop web browsers, for example.

As such, core data privacy features should blend seamlessly with your app’s design and functionality and not negatively affect performance to avoid interfering with UX.

2. Get your project off on the right foot

Design conception is where privacy by design takes center stage. Developers must align data collection to the specific purpose the data is needed for, and then communicate that purpose to mobile app and website users. This helps ensure that data controllers, including joint controllers, implement appropriate technical and organizational measures so that data processing complies with relevant regulations.

Art. 5 GDPR states the principles for lawful processing of personal data:

(i) Lawfulness, fairness, and transparency
(ii) Purpose limitation
(iii) Data minimization
(iv) Accuracy
(v) Storage limitation
(vi) Integrity and confidentiality
(vii) Accountability (must be observed in the design and implementation of these systems)

3. It helps you establish a strong brand reputation

81 percent of adults in the US are concerned about how companies use the personal data they collect, according to a 2023 Pew Research report.

According to the Global System for Mobile Communications Association (GSMA), “Even applications that legitimately access and use personal information may fail to meet the privacy expectation of users and undermine their confidence and trust in organizations and the wider mobile ecosystem.”

So what happens when businesses invest in data privacy and users trust that their data is used legally and ethically? The results are clear. In the Cisco 2024 Data Privacy Benchmark Study, 80 percent of businesses reported increased customer loyalty as a result of their investment in privacy.

The return on that investment typically ranged from 60 to 100 percent. In other words, prioritizing transparency and user privacy means higher customer lifetime value (CLV).

4. Liability can be an organizational hurdle

Data privacy liability broadly falls on the company in general, but it can also fall on specific departments. According to the GDPR, if you play a role in determining “the purpose or means” of data processing, you are a joint responsible party (data controller) for the data processed by any third party.

For example, if your website or app has monetization functionality, analytics, or reporting SDKs, you can be held accountable for a lack of sufficient user consent. This makes clear accountability essential for developers.

5. It helps you grow with a global outlook in mind

Online, your customers and users can be located pretty much anywhere. Publishers must ensure global privacy compliance on their websites and/or mobile applications if they collect personal data from users in jurisdictions protected by privacy regulations, which at this point is most of them.

This covers activities such as processing financial transactions, collecting email addresses at account signup, setting cookies, and transmitting data to other apps.

The GDPR applies to websites and mobile apps that collect and process the personal data of EU citizens. It doesn’t matter if your business is based outside of the EU — if you process data from EU residents, the GDPR still applies to you.

Many other global data privacy laws are also extraterritorial in this way, so it’s important to be familiar with the laws of regions where you do business, and to know where your audience and customers are.

6. You likely collect vast amounts of data

If you think you don’t need to develop a privacy strategy simply because your app doesn’t use cookies (or you think it doesn’t), think again.

According to a Trinity College Dublin study, a significant amount of user data is transmitted to third parties without any option to opt out, largely as a result of pre-installed apps like Google, Facebook, and LinkedIn.

On the positive side, the vast amounts of data gathered can provide a lucrative revenue stream. On the negative side, the information collected by cookies, trackers, and third-party SDKs will gradually become of little to no use if valid consent isn’t collected and signaled to important partners and vendors, especially as global privacy regulations become more stringent.

What are the 7 privacy by design principles?

Privacy by design has seven generally accepted foundational principles. Following them will help you achieve a design that’s enjoyable for the user while prioritizing privacy.

The 7 privacy by design principles

Principle 1: Proactive not reactive; preventative not remedial

Anticipate and prevent privacy-invasive events before they happen. Don’t wait for privacy risks to materialize, and don’t offer remedies for resolving privacy infractions once they’ve occurred. Rather, prevent them from occurring in the first place.

Principle 2: Privacy as the default setting

Deliver the maximum degree of privacy by ensuring that the minimum amount of personal data is collected and that it is automatically protected in any IT system or business practice. An individual’s privacy should be protected even if they do nothing to ensure it, as it’s built into the system by default.

Principle 3: Privacy embedded into design

Embed privacy into the design and architecture of IT systems, website and app functions, and business practices rather than bolting it on after the fact. Make privacy an essential component of the core functionality being delivered, integral to the system without diminishing functionality.

Principle 4: Full functionality — positive-sum, not zero-sum

Accommodate all legitimate interests and objectives in a “win–win” manner. Don’t make unnecessary trade-offs because of dated beliefs or practices. Achieve goals with privacy, not in spite of it. Avoid false dichotomies like privacy vs. security, and demonstrate that it’s possible and desirable to have both.

Principle 5: End-to-end security — full lifecycle protection

Embed privacy long before data is collected, and manage it securely throughout the entire lifecycle of the data. Strong security measures are essential from start to finish, so ensure that all data is securely retained only as long as needed and securely destroyed or anonymized in a timely manner at the end of the process.

Principle 6: Visibility and transparency — keep it open

Assure all stakeholders that all business practices and technology involved operate according to stated objectives and contractual requirements, subject to independent verification. Component parts and operations should be visible and transparent to users and providers alike as much as possible.

Principle 7: Respect for user privacy — keep it user-centric

Architects and operators are required to prioritize the interests of individuals by offering strong privacy defaults, providing appropriate notice, and ensuring user-friendly options are available.

How to implement privacy by design on websites and apps

To implement privacy by design, organizations that collect and process personal data via websites or apps should abide by the following best practices. These recommendations parallel the “principles relating to processing of personal data” in Art. 5 GDPR.

The principles relating to processing of personal data

Data minimization

Collect only the personal data that’s necessary for the specific, stated purpose. This helps to reduce the risk and potential harm from unauthorized access in the event of a breach. Users are also more likely to trust organizations that only ask for data that’s necessary to provide the experience, product, or service they offer.

Transparency

Provide clear and easily accessible information about the types of personal data being collected, why it’s being collected, and who will have access to it, among other relevant information.

While some privacy laws don’t require consent prior to personal data collection, such as US-based laws like the California Consumer Privacy Act (CCPA), all of them require you to notify users of relevant information via a privacy policy, consent banner, or combination of solutions.

It’s also necessary to ensure this information is kept up to date — for instance when there are changes in regulations or the technologies your site or app uses. To avoid noncompliance, it’s best to automate these functions with a consent management solution.

Security

Implement appropriate physical, technical, and organizational measures to protect personal data from unauthorized access, theft, modification, or destruction.

After all, it’s safer to prevent violations than to deal with their consequences. Repairing your company’s legal status, finances, and reputation is always much more challenging than preventing security incidents in the first place.

User control

Ensure users can control the collection and use of their personal data, ideally at a granular level. For example, provide options to opt out of data collection or sale and the ability to request corrections or deletion.

Many privacy laws actually require these functions and outline them as consumers’ rights, but it’s better to go beyond the basic legal requirements and put users in control. This can also include going further and asking customers for their preferences, so that the communications, offers, and data used for personalization are explicitly provided by them, and are therefore of optimal quality and fully consented.

This promotes trust and willingness for your customers to provide more data over the long term. However, ensure you present all options equally to avoid dark patterns or other manipulative practices.

Privacy by default

Build privacy into the design and default settings of your products and services. For example, use privacy-enhancing technologies, such as encryption and pseudonymization by default.

Additionally, consult qualified legal counsel and/or data privacy experts to fully understand your ongoing responsibilities under relevant data privacy laws for the regions where you do business, and what you can do to stay compliant throughout the user and data journey.

Third-party relationships

Evaluate the privacy practices of third-party service providers, such as analytics and advertising companies, and ensure that appropriate contracts and agreements are in place to protect personal data. Also regularly audit data collection practices as the tools used by third parties and the data they collect change over time.

Under most privacy laws, the data controller — not the processor (e.g. the advertising partner) — is legally responsible for data protection and held liable if there is a violation.

Regular review

Regularly review and assess the current legal landscape of relevant regulations, as well as privacy impacts of products, services, and processes, to ensure that privacy by design remains an ongoing focal point. Audit data operations, employee access, and training competence regularly as well so your people are as secure as your technical systems.

It’s generally best practice to review privacy practices and notifications every six to 12 months, and some laws actually require you to do so.

Using a consent management platform (CMP) enables you to regularly analyze user interactions, scan for the cookies and other trackers in use, and update your data processing information. This helps optimize messaging and UX and ensures users are informed, privacy is protected, and consent rates are maximized.

Privacy by design and marketing

A 2022 Google/Ipsos report found that a positive privacy experience for users increases brand preference by 43 percent. As marketers want to build great customer relationships, adding privacy by design into their strategies and operations is an effective way to do so while still getting the business-critical data they need to run those operations effectively.

Privacy by design can significantly impact marketing operations by shifting data strategies away from third-party data toward more controlled and targeted methods of collecting and using higher quality personal data, such as first-party and zero-party data.

This approach is crucial for popular marketing functions like preference management and server-side tagging, where user consent is vital throughout the data lifecycle.

The GDPR and privacy by design

The GDPR’s requirements are fairly extensive, making privacy a vital consideration in all aspects of process, product, and service design involving personal data. Art. 25 GDPR specifically addresses privacy by design and by default.

According to the GDPR, data controllers are responsible for managing risk and ensuring data protection from development through to daily operations.

US privacy laws and privacy by design

The CCPA and other laws require businesses to implement reasonable security measures to protect personal information and to consider privacy risks when developing and implementing new products and services.

Industry-specific federal laws also address data privacy and security, like the Federal Trade Commission’s Gramm–Leach–Bliley Act, which applies to financial institutions, and the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare.

There’s not yet a comprehensive federal privacy law in the US that requires privacy by design across all industries, so interpretation and implementation will likely vary for the foreseeable future. However, increased scrutiny and enforcement by data protection agencies may lead to standardization.

How does privacy by design protect data and user privacy?

The core purpose of privacy by design is to protect user data and privacy, while still providing great user experience, with an emphasis that both privacy and security are achievable and desirable.

Privacy by design anticipates and helps prevent data breaches and helps ensure personal information is automatically protected. This approach shifts responsibility for privacy protection away from users and reduces risks.

Transparency remains a central value, as users are kept notified about privacy and data use at all stages and retain control.

Entities that access personal data hold responsibility and liability for their actions and for any third-party entities that access the data. If anything goes wrong, they face a loss of trust, reputational damage, fines, and other penalties — even if they didn’t directly cause the issue.

Privacy by design helps guarantee that data and privacy are protected automatically, as these protections are designed and built into all systems from the start. This helps ensure strong security throughout the entire data lifecycle, eliminating weak points where data privacy measures might otherwise be “bolted on” as an afterthought.

Consent management solutions offer a smart and reliable way to implement privacy by design at the point of personal data collection. A tool like Usercentrics CMP enables you to notify users about data collection and its purposes. It also securely records and stores consent preferences, as required by regulations or best practices, and enables seamless signaling of consent information via the Google Consent Mode integration.

This not only helps ensure privacy compliance but also keeps a detailed trail of consent requests, which can be used in the event of regulatory inquiry. These tools also enable users to update or revoke their consent choices at any point in the future.

Usercentrics helps facilitate privacy by design by enabling businesses to gauge, track and control which third-party sites are loading cookies to collect user data. By demonstrating respect for user privacy and consent, our software can help increase trust and user engagement and establish long-term customer relationships. Speak to a Usercentrics expert today.

Given the continued expansion of global privacy laws, many companies are choosing to take a proactive and privacy-first approach. According to the International Association of Privacy Professionals, 64 percent of consumers place more trust in companies that provide clear information about their privacy policies. That’s why privacy notices are indispensable tools for maintaining this transparency and trust.

But there’s confusion around the term, what it encompasses, and the purpose of privacy notices. Let’s talk about what they include, how to create one, where to place it, how implementing one can protect user data, and help website owners uphold legal standards.

What is a privacy notice?

Let’s start with the basics. A privacy notice is a legal document that website owners publish, e.g. on their websites, for the benefit of website visitors and to meet privacy regulation requirements. The purpose of a privacy notice is to explain to website visitors how you collect their information, what is done with it, who may have access to it, and what their rights are, like how they can opt out. It must be kept up to date as a company’s data processing services and relevant laws change.

Privacy notices serve as a crucial tool for transparency and building trust between organizations and individuals.

What’s the difference between a privacy notice vs a privacy policy?

Privacy notices and privacy policies are often used interchangeably but may need to serve different purposes and audiences. For example, laws will often reference a privacy notice, but many websites link a privacy policy in the footer.

One of these needs to be an external document aimed at informing individuals about how an organization collects, uses, and protects their personal data. It’s typically found on websites or apps and is designed to fulfill legal transparency requirements under data protection laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

There is also a separate need for an internal document outlining an organization’s overall privacy and data protection approach. It provides detailed guidelines for employees on handling personal data responsibly and serves as a governance tool.

Privacy policies are, typically, more detailed and comprehensive legal documents.

There is a legal requirement to inform website visitors (data subjects) about data use and their rights, but also for companies to maintain internal compliance and consistency in data handling practices. You may find the former called a privacy notice and the latter a privacy policy, or vice versa.

There is no mandated term website owners must use according to various laws like the GDPR and the CPRA. As long as you use the word “privacy” in your links and document title, the important part is the document’s comprehensive and up-to-date content.

The different types of privacy notices

Privacy notices can be categorized into different types based on their timing, purpose, and target audience. The primary types of privacy notices include:

It’s worth noting that these categories are not officially mandated. Instead, they represent best practices for ensuring transparency and compliance with various data protection laws. How you notify users about data privacy will vary depending on what your business does and what laws are relevant.

Website owners should choose the appropriate type of privacy notice based on the context in which personal data is collected and processed, as well as the specific needs of their audience. Prioritizing user experience is also a best practice.

Where to place a privacy notice?

A privacy notice should be placed in several strategic locations on a website to ensure it is easily accessible and noticeable to users. Here are the key places to include a privacy notice:

What should a privacy notice include?

Although a privacy notice sounds complex, it doesn’t have to be. However, it does require certain expertise to ensure it’s legally compliant, and certain components need to be included.

Having these elements present in a privacy notice helps to ensure that individuals are fully informed about how their personal data and cookies are being used and can exercise their rights under data protection laws.

Example of a privacy notice

Website owners have to include a certain amount of information in their privacy notice, which varies depending on relevant laws, their business operations, and other considerations. There are multiple ways of arranging this information, from one lengthy document to organized pull-down sections. Cookie use can also be included in the privacy notice, or provided in a separate document, for example.

Let’s take a look at an example so website owners can better understand how to categorize and organize all the necessary information.

Usercentrics’ privacy policy has an easy-to-navigate structure based on a pull-down menu, so visitors can quickly scan for specific information, and then access sections of interest.

It lists important details like the kinds of data collected, user rights, cookie policies, and how to make a data request. It also discusses third-party services and personally identifiable information that might be shared with them. Usercentrics does business around the world, and website visitors can also be global, so the company has responsibilities under multiple privacy regulations, like the GDPR and CPRA.

The information displayed in each menu item is carefully organized with bullet points and short paragraphs so that you’re able to understand the policy without feeling overwhelmed.

The importance of including a privacy notice on your website

At its core, a privacy notice enables websites to be compliant with global privacy laws while protecting a user’s data and privacy preferences, demonstrating respect for their privacy. However, privacy notices are essential for several reasons beyond this.

Regulatory compliance

Data protection laws, such as the GDPR and CPRA, vary around the world, but all of them mandate the provision of various information via privacy notices. Organizations are required to disclose specific details about their data processing activities and keep the information up to date over time, enabling ongoing compliance with legal obligations and avoiding potential fines for noncompliance.

User rights

Privacy notices empower users by informing them of their rights regarding their personal data. For instance, under the GDPR, individuals have rights regarding their personal data, like access, rectification, and erasure. Privacy notices provide the necessary information for users to exercise these rights, like who to contact and via what mechanism. If a company does not comply with a user’s rights request, the privacy notice also needs to provide information about how they can appeal the decision to another authority.

Transparency

Privacy notices are crucial for maintaining transparency between organizations and individuals. They clearly inform users about what personal data is being collected, why it is collected, how it will be used, and who it will be shared with. They need to be presented in simple language that’s not overly legal or technical. This helps users understand the data practices of the organization, including how those practices affect the user personally, and enables them to make informed decisions about their interactions with the company.

Trust and accountability

By providing clear and accurate privacy notices, organizations can build and maintain trust with their website visitors, and bolster their brand reputation, which can affect relations with partners, investors, and others as well. These notices are legal documents and are often seen as contractual promises, making website owners accountable for adhering to their stated data practices and meeting the requirements of relevant laws.

Privacy notices and global regulations

Privacy notices have significant legal implications and are often mandated by various data protection laws around the world. While a company can take a DIY approach to building and maintaining a privacy notice, getting qualified input from legal counsel or a privacy expert is important to ensure the right information is included in the right way.

This is important to remember as there are several privacy policy generators available, which can be a good starting point, but which need customization to enable valid compliance. Additionally, companies may need privacy policies that address compliance requirements of multiple global privacy laws.

To avoid hefty fines and legal action, here’s what you need to know about privacy notices and various global data privacy laws.

How to create a GDPR-compliant privacy notice

According to Art. 13 GDPR, it’s a requirement for “information to be provided where personal data are collected from the data subject.” Art. 12 GDPR highlights how businesses must notify the data subject of any information about the processing of their data and the rights available to them. This is considered to be the privacy notice requirement under GDPR.

To create a GDPR-compliant privacy notice, start by using clear and simple language that is easy for website visitors to understand. The notice should explain how website owners collect, use, store, and protect personal data.

Begin the notice with an introduction that states the purpose of the document and includes the date it takes effect. Ideally also include the effective date of the previous version, and a link to it. Clearly identify the company and provide contact details for key roles like a Data Protection Officer. This role is required under some laws or business operational circumstances, but optional under others.

In the main body of the document, describe what types of personal data the website collects and why it is needed. Explain how this information will be used, what sources it’s coming from, and list any third parties the company may share data with, including processors, like advertising partners. Be sure to mention how long the data is kept, how it is dealt with once it’s no longer needed, and what rights individuals have regarding their information, such as the right to access or delete it. Include easily accessible contact information to make inquiries or exercise user rights.

Lastly, make the privacy notice easily accessible by placing a clear link to it on the website, such as in the footer. In addition, link to it wherever data is collected, such as signup forms or checkout pages. Remember to keep the privacy notice up to date and inform users of any changes. This includes when the tools and systems a company uses — which use personal data for analysis or to deliver products or services — change, including cookies on the website.

By following these guidelines, website owners can create a privacy notice that not only complies with the GDPR, but also builds trust with their users by being transparent about their data practices.


How to create a CPRA-compliant privacy notice

Among other data privacy state laws in the United States, the CPRA grants California residents certain rights regarding their personal information, including the right to know what personal information is collected about them and the right to opt out of the sale or sharing of their personal information, or its use for targeted advertising or profiling. Organizations that fall under the scope of the CPRA must provide privacy notices that comply with the requirements of the law.

To create a CPRA-compliant privacy notice, begin by clearly explaining what personal information the business collects from consumers, including any sensitive data. It’s important to be specific about the categories of data gathered and the reasons for collection. It’s a good idea to be clear about when prior consent is required before data processing starts — for sensitive data or that belonging to children — and when it isn’t — in most cases, companies only need to enable users to opt out of data processing.

The notice should then outline how consumers can exercise their rights under the CPRA. This includes the right to correct inaccurate personal information, opt out of data sharing, and limit the use of sensitive data. Clear instructions for submitting requests related to these rights should be provided.

Details about data retention practices should be included, explaining how long personal information is kept and why. If automated decision-making processes involving personal data are used, this fact should be disclosed along with an explanation of how it works.

The notice should describe any third parties with whom data is shared and for what purposes. If personal information is sold, this should be clearly stated along with an explanation of how consumers can opt out.

All this information should be presented in simple, straightforward language that’s easy for the average person to understand. Headers, bullet points, and short paragraphs can improve readability. The privacy notice should be updated at least annually and displayed prominently on the website, such as in the footer or through a popup banner.

The CPRA requires that businesses that sell or share personal information prominently display a link that reads “Do Not Sell Or Share My Personal Information”, which enables consumers to opt out of that sale or sharing (not of all data processing). Businesses that use sensitive personal information beyond the permitted purposes must likewise display a “Limit the Use of My Sensitive Personal Information” link. These links may be placed directly on a web page or displayed via a consent banner, and linking to the privacy policy from there is also recommended. Note that the opt-out must also be honored when it arrives as a browser-level opt-out preference signal such as Global Privacy Control, not only via the link.

Use privacy notices to tell the world about your business

Incorporating a well-crafted privacy notice on your website is more than a legal necessity; it’s a commitment to transparency and user trust and a public declaration of your corporate values for respecting privacy.

By clearly communicating how personal data is managed, companies not only comply with regulations like the GDPR and CPRA but also empower individuals to understand and control their information. Building trust in this way helps build engagement long-term and makes customers more comfortable sharing more data, or doing business with a company more often, which benefits revenue.

Ultimately, a privacy notice is a testament to a company’s dedication to protecting its user data, fostering a trustworthy relationship with its audience, and upholding high standards of data integrity and transparency.

Google is phasing out third-party cookies in Chrome, marking a significant shift in the digital marketing landscape. Our in-depth session explores what this means for marketers, advertisers, publishers, and users. We address the challenges ahead and provide actionable solutions.

During this webinar, we cover the impact on personalized advertising, delve into alternative tracking technologies, and share strategies to maintain user privacy while achieving marketing goals.

What You’ll Learn:

Who Should Watch:

Stay ahead of the curve and ensure your marketing efforts succeed in a cookieless future. Register now to watch the recording!

The Andorran Data Protection Agency (APDA) introduced new cookie guidelines that came into effect on January 24, 2024. These guidelines aim to enhance transparency and user control over how cookies are used, ensuring better protection of personal data for individuals interacting with online services in Andorra.

What is the data privacy law in Andorra?

The Andorra Qualified Personal Data Protection Law (LQPD) sets comprehensive guidelines for the protection of personal data within the Principality of Andorra. The regulation, known as Law 29/2021, came into effect on May 17, 2022, and is designed to protect the data of Andorran citizens and enhance privacy standards.

Closely aligned with the European Union’s (EU) General Data Protection Regulation (GDPR), the LQPD incorporates similar principles and requirements to ensure robust data protection. This alignment helps Andorran businesses and organizations meet international data protection standards, particularly those pertaining to transparency, lawful processing, and data minimization.

The LQPD also established the Andorran Data Protection Agency (APDA) as the supervisory authority, which holds significant powers, including overseeing data protection compliance, enforcing regulations, and addressing data protection violations.

Does the GDPR apply to Andorra?

Yes, as the GDPR has extraterritorial application, its provisions apply to Andorran companies that process the personal data of EU residents. This means that if an Andorran business offers goods or services to, collects personal data from, or monitors the behavior of, individuals within the EU, it must comply with GDPR requirements.

However, Andorra is not an EU member country, so the GDPR itself does not apply to the protection of personal data of Andorran residents.

The ePrivacy Directive (also known as the “cookie law”), which addresses privacy issues in electronic communication and the use of cookies to collect personal data in the EU, does not apply to the use of cookies in Andorra.

The APDA has published its own cookie guidelines, in force as of January 24, 2024, to regulate the use of cookies. Although Andorra isn't bound by the guidance of the European Data Protection Board (EDPB), the APDA has incorporated the following EDPB guidance documents into its cookie guidelines:

The Andorran cookie guidelines encompass a broad range of cookies and do not distinguish among the various sources from which they originate. This approach means that the guidelines apply to cookies not only from websites and mobile applications but also from a variety of other internet-connected devices. These devices include smart TVs, video game consoles connected to the internet, voice assistants, Internet of Things (IoT) devices, and vehicles connected to a network.

The Andorran cookie guidelines emphasize the importance of obtaining user consent before activating non-essential cookies. Consent must be freely given, informed, specific, and unambiguous. This means users must be clearly informed about the cookies and their purposes and must provide consent through a clear affirmative action, such as clicking an “I accept” button. Organizations are required to maintain records of users’ consent, including details of how and when it was obtained.

While the guidelines do not explicitly use the term “prior consent,” they require that consent must be obtained before setting cookies. Users must also have the ability to withdraw their consent easily at any time, with the withdrawal process being as straightforward as that for giving consent.

The APDA’s guidelines list three categories of cookies, with the note that a cookie can fall under more than one category:

For persistent cookies, whether third-party or not, the guidelines specifically reference the recommendations of France’s National Commission on Informatics and Liberty (CNIL), limiting the maximum retention time to twenty-five (25) months. This measure helps to ensure that personal data is not stored longer than necessary.

After this period, cookies must be deleted or new consent must be obtained from the user to continue storing them. This 25-month period is quite long compared to retention and deletion requirements of a number of other privacy laws.

In addition to setting a maximum retention time, the APDA advises data controllers to periodically review the retention time of cookies as part of an ongoing assessment of technical and organizational measures.

Like the GDPR, the LQPD requires data controllers to obtain specific and explicit consent from data subjects to collect their personal data, including data collected through cookies.

For cookie consent to be valid under the APDA’s guidelines, cookie consent banners must meet specific formatting criteria:

The guidelines also stipulate that the information provided to users on the cookie banner must be easily visible, intelligible, and clearly legible. Before obtaining consent, users must be informed of:

Read next: how to optimize cookie banners

Cookie walls are generally not allowed, as they do not offer a genuine alternative to consent. However, there are cases where refusing cookies may prevent access to the website or limit the use of its services. In these cases, users must be fully informed of the consequences and offered an alternative way to access the service that does not require accepting cookies. That alternative does not necessarily have to be free, but it must be reasonable, so that the user isn't effectively forced to accept cookies.

The APDA’s guidelines outline the necessary information that must be included in a privacy policy to inform users about how their data is obtained and processed. The policy must include:

The guidelines specify the requirements for a legal notice, which must include:

The guidelines themselves do not set fines or penalties, but they reference the legal framework under which sanctions can be enforced. Specifically, the guidelines align with the conditions for consent set out in Articles 7 and 8 of the LQPD. Failure to comply with these conditions can result in administrative fines ranging from EUR 30,001 to EUR 100,000.

To avoid the legal and financial repercussions of noncompliance, organizations operating within Andorra’s jurisdiction can take certain steps to achieve compliance with the Andorran cookie guidelines.

1. Implement consent mechanisms

Organizations must ensure their methods for obtaining user consent meet stringent legal standards. Consent must be explicit, specific, informed, freely given, and revocable. Consent for different data processing activities must not be bundled, and separate consents should be obtained for distinct operations. Using a consent management platform (CMP) like Usercentrics CMP can help in collecting legally valid, explicit consent as required by the Andorran cookie guidelines and the LQPD.

2. Display cookie consent banners that follow specifications

When implementing cookie consent banners, organizations must ensure they provide clear and unambiguous choices between accepting and rejecting cookies, giving equal prominence to both options. Notably, the absence of a reject or decline button in the first layer of the cookie banner constitutes a violation of the guidelines. Avoid using pre-checked boxes or design elements that could mislead or confuse users. Organizations are advised to implement a simple mechanism, such as a permanently visible floating button, to enable users to easily withdraw their consent.

3. Maintain compliance records

Data controllers must prove that consent was obtained per legal obligations. This involves keeping comprehensive records of when and how consent was given or withdrawn. These records should be easily accessible for audits and updated whenever users modify their consent preferences.

Compliance records should include details such as:

Additionally, retention periods for each data category should be documented, along with descriptions of the security measures in place to protect the data.
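The consent points above (no non-essential cookie before consent, one decision per purpose rather than a bundle, withdrawal as easy as giving consent, an auditable record of when and how each decision was made, a reject button in the first layer with nothing pre-checked, and the 25-month cap on persistent cookies) can be enforced mechanically rather than left to the banner's good behavior. The following JavaScript is an added example, not code from Usercentrics, the APDA or any CMP; the purpose names, the record layout, the `jar` object standing in for the browser cookie store, and the banner config shape are all assumptions made for the example.

```javascript
// Added example (not Usercentrics or APDA code): a per-purpose consent gate
// with an append-only audit log, modelled on the APDA guideline points above.
// Purpose names, record layout, the `jar` stand-in for document.cookie and
// the banner config shape are assumptions for this example.

const MAX_CONSENT_AGE_MONTHS = 25; // APDA/CNIL cap on persistent cookies
const NON_ESSENTIAL_PURPOSES = new Set(['analytics', 'advertising']);

// Timestamp after which a consent given at `givenAt` lapses and must be renewed.
function consentExpiry(givenAt) {
  const d = new Date(givenAt);
  d.setUTCMonth(d.getUTCMonth() + MAX_CONSENT_AGE_MONTHS);
  return d;
}

class ConsentStore {
  constructor() {
    this.records = []; // audit log: what was decided, when, and how (never overwritten)
    this.state = {};   // latest decision per purpose
  }

  // One decision per purpose, never bundled. `evidence` captures how it was
  // obtained (which UI, which action) so the controller can prove it later.
  decide(purpose, granted, evidence, now = new Date()) {
    if (!NON_ESSENTIAL_PURPOSES.has(purpose)) {
      throw new Error(`unknown non-essential purpose: ${purpose}`);
    }
    const rec = { purpose, granted: Boolean(granted), at: now.toISOString(), evidence };
    this.records.push(rec);
    this.state[purpose] = rec;
    return rec;
  }

  // Withdrawal is just another recorded decision; it must be as easy as granting.
  withdraw(purpose, evidence, now = new Date()) {
    return this.decide(purpose, false, evidence, now);
  }

  // Allowed only if an explicit grant exists and it has not lapsed.
  // Missing record, refusal, or a grant older than the cap all mean "no".
  isAllowed(purpose, now = new Date()) {
    const rec = this.state[purpose];
    if (!rec || !rec.granted) return false;
    return now < consentExpiry(rec.at);
  }
}

// Gate in front of every cookie write. Essential cookies always pass;
// everything else needs a valid, current decision for its purpose.
function setCookieIfAllowed(store, jar, name, value, purpose, now = new Date()) {
  if (purpose !== 'essential' && !store.isAllowed(purpose, now)) {
    return false; // refused: no valid consent for this purpose
  }
  jar.set(name, value); // in a browser this would be a document.cookie write
  return true;
}

// Static check of a banner description against the first-layer rules:
// accept and reject both present, no purpose pre-ticked.
function bannerViolations(cfg) {
  const problems = [];
  const first = cfg.firstLayer || {};
  if (!first.accept) problems.push('no accept button in first layer');
  if (!first.reject) problems.push('no reject button in first layer');
  for (const [purpose, checked] of Object.entries(cfg.defaults || {})) {
    if (checked) problems.push(`purpose "${purpose}" is pre-checked`);
  }
  return problems;
}

// Small self-contained walk-through returning what happened at each step.
function demo() {
  const store = new ConsentStore();
  const jar = new Map();
  const given = new Date('2024-01-24T00:00:00Z'); // constructed timestamp
  const beforeConsent = setCookieIfAllowed(store, jar, '_ga', 'GA1.2.1', 'analytics', given);
  store.decide('analytics', true, { ui: 'banner', action: 'click_accept' }, given);
  const afterConsent = setCookieIfAllowed(store, jar, '_ga', 'GA1.2.1', 'analytics', given);
  const lapsed = store.isAllowed('analytics', consentExpiry(given));
  return { beforeConsent, afterConsent, lapsed, records: store.records.length };
}
```

`demo()` shows the three states a practitioner cares about: a write refused before any decision, a write accepted after an explicit grant, and the same grant treated as absent once 25 months have passed. Because `decide` appends rather than overwrites, `records` is the evidence trail the guidelines ask controllers to keep, and `isAllowed` treats a missing record exactly like a refusal, so a banner that silently fails never results in consent by default.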

4. Create a detailed privacy policy and legal notice

Organizations must publish both a privacy policy and a legal notice that follow the provisions and include all required information as stipulated by the guidelines. Ensure that the privacy policy is updated if there are any changes in purposes, retention periods, categories of data, third-party recipients, or other relevant factors. The privacy policy should be linked to from an easily accessible place, such as the website footer and cookie banner, to ensure users can easily find and review it.

The legal notice must also contain the minimum required information under the guidelines and provide clear links to the privacy policy where relevant.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Sixty-eight percent of consumers are either somewhat or very concerned about their online privacy. This was the finding of the International Association of Privacy Professionals (IAPP) 2023 Privacy and Consumer Trust Report, which surveyed close to 5,000 individuals across 19 countries.

This is why a comprehensive privacy policy is essential for every business with a digital presence. Not only will a clear and detailed privacy policy enable your business to comply with requirements of global data protection regulations, it also fosters trust with your customers.

In this guide, we’ll outline 12 critical steps to crafting an effective privacy policy that meets legal requirements and positions your company as a customer-centric and data-conscious organization.

Do I need a privacy policy on my website?

If your organization collects and processes personal data, including customer names and email addresses, then you need a privacy policy on your website.

“As long as a business processes or handles personal information, they are required to publish a public statement on its site to fulfill its duty to inform data subjects. This includes the handling of very common aspects like contact information in contact forms, names, and contact information of the company’s employees. Essentially, this means that almost every company needs to be transparent with this information to fulfill legal obligations and be GDPR-compliant.” — Kevin Larsen, Web Developer at Mediaveien

While data privacy regulations around the world have different requirements regarding legal bases for data processing and data subject rights (of which consent is one option), the vast majority require organizations to notify data subjects about data collection, use, security, and their rights.

As the UK Information Commissioner’s Office states: “data protection is everyone’s responsibility, so every business — however small — needs a privacy policy when processing people’s data.”

The need for a privacy policy is not limited to commercial entities that profit from personal data. Other types of organizations that collect and use personal data include charities, governmental entities, and more. All of these must comply with data privacy laws.

Privacy policies are required by data privacy laws, including the General Data Protection Regulation (GDPR), Brazil’s General Law for the Protection of Personal Data (LGPD), and state-level data privacy laws in the United States, such as the California Consumer Privacy Act (CCPA). They can also be required by specific laws that cover operations where data processing takes place.

For example, as healthcare and financial services deal with sensitive personal data — which require specific safeguards and privacy measures under numerous privacy laws — organizations in these industries must follow strict policies and procedures regarding data use and security. The Health Insurance Portability and Accountability Act (HIPAA) in the United States is an example of this. Data privacy laws will often reference and defer to these laws in their texts.

But creating and maintaining a comprehensive privacy policy is good business practice, even if it wasn’t already a legal requirement. Being clear and transparent about data use and security — and making it easy for people to contact your organization and exercise their rights — strengthens your brand and fosters consumer trust.

Ensuring the privacy policy is up to date is also a natural extension of the kinds of regular reviews companies should undertake regarding data held, technologies in use, processing operations, employee access to data, IT security, and other conditions.

“Any business that gathers private data needs a privacy policy. Without a privacy policy, it’s easy to take a misstep when handling data, which can be catastrophic both from a legal and compliance standpoint as well as a reputational one.

Businesses and websites that publish a privacy policy alongside their privacy notice add an extra layer of transparency. By providing full details of how they handle private data they build trust with their clients and prospects from the first digital connection.” — Geoffrey Bourne, co-founder at Ayrshare


What information must a privacy policy include?

While privacy policy requirements are fairly standard among data privacy regulations, organizations should be familiar with the specific requirements in laws relevant to them.

Generally, your privacy policy must be easily accessible and use plain language. It should include:

Read next: Data privacy regulation in 2024: what we’re watching

How to write a privacy policy

Depending on the kind of business you run and the data protection regulations you need to abide by, your privacy policy will need to meet specific criteria.

While this is not a comprehensive overview for every type of business — nor a substitute for legal counsel — we’ll unpack the foundational steps you’ll need to take to write a privacy policy that will enable you to meet compliance requirements and keep it up to date.

“First, consider the essential data you will collect and how it will be used. Next, review the requirements to remain compliant. Remember, different regions have specific rules, and it’s essential to factor these in to be fully compliant. If sharing data with a third party, understand how they will use or share that data.” — Geoffrey Bourne, co-founder at Ayrshare

1. Familiarize yourself with the data privacy laws that affect you

When setting out to write a privacy policy, start by identifying which data privacy laws apply to your business, taking into account both where you operate and the locations of your customers.

Familiarize yourself with relevant laws — like the GDPR in the EU or the CCPA in California — since they dictate what your privacy policy must include. Understanding these requirements is essential for drafting a policy that not only complies with legal standards but also clearly communicates users’ rights.

It’s also important to be familiar with the requirements of additional laws that may not directly cover data privacy, but have important data privacy components. For example, the Digital Markets Act (DMA) in Europe, which has requirements that the law’s designated gatekeepers are also passing along to their customers (which number in the millions as the gatekeepers are influential global digital platforms). Other relevant laws could include the aforementioned HIPAA or the Children’s Online Privacy Protection Act (COPPA) in the United States.

2. Outline what personal information is collected

Your privacy policy needs to outline the types of personal information your business collects. This includes direct identifiers like names, phone numbers, and email addresses, as well as indirect data such as IP addresses, browsing activities, and payment details. Essentially, make a note of any collected data that can identify an individual, either alone or in combination with other data points.

Additionally, it’s crucial to be aware of sensitive personal information and what specific kinds of information relevant laws categorize as such. For example, the California Privacy Rights Act (CPRA) includes a category of “Sensitive Personal Information” (SPI), which is more strongly regulated.

Some of the information included under SPI is about ethnic backgrounds, religious beliefs, sexual orientation, and health and healthcare. These kinds of sensitive data can cause harm if misused and therefore require more in-depth protection measures and limits on their use.

3. Detail how you collect personal data

Next, your privacy policy should provide a transparent explanation of how your organization collects personal data.

This includes data gathered directly from users, such as when they explicitly opt in to data collection by filling out forms, as well as data collected through cookies and trackers that record browsing behavior and preferences.

Detailing these methods in your privacy policy will help to ensure users are informed about what data is being collected and how.

4. Explain how the personal information is used

Your privacy policy should outline why you’re collecting personal data and how it will be used. Your specific reason could range from providing products or services and personalizing your website user experience to delivering targeted ads or creating user profiles.

Personal data should only ever be used for the declared purposes. If the purpose changes or an additional use is proposed, you will need to obtain new consent from users where consent is the legal basis, or establish another valid legal basis for the new purpose before processing begins.

This is why it’s also important to regularly check your website for the data processing services in use, as they change over time. Also, third-party trackers can be nested or hidden and sometimes difficult to detect, but data controllers are responsible for disclosure about them as well.

Your privacy policy should also include a valid legal basis for processing personal data when required, e.g. by laws like the GDPR. Under that regulation there are six valid legal bases for processing user data, as outlined under Art. 6 GDPR.

5. List who the data is shared with

Your privacy policy should disclose the parties with which your organization shares collected personal data, or to which the data may be sold. This includes any third-party data processors, such as marketing agencies, advertising companies, partners, vendors, and even the organizations who will be verifying your compliance.

Your policy should also address how personal data is transferred across geographical borders. Not all countries have equal and sufficient data protection standards, and typically there are agreements for adequacy of such measures before data is transferred internationally.

Given restrictions on international data transfers, you must inform users if data is being sent to a region different from where it was collected, especially if it’s one of these “third countries” with data privacy and protection policies that may not be considered adequate.

The EU, under the GDPR, has stringent requirements for such transfers, ensuring data only moves to regions with acceptable privacy and protection standards. Detailing these practices in your privacy policy will assure users that their information is handled legally and responsibly.

“The privacy policy must cover your own internal handling as well as those of third parties. Finally, consider the language you use. Over convoluted language can make the policy unclear to the public, instead use language that is easily understood by those who will ultimately read it.” — Geoffrey Bourne, co-founder at Ayrshare

6. Tell users how personal information is protected

Describe what your business is doing to protect customer data. Use this section to detail security practices that prevent the unauthorized access, disclosure, alteration, or destruction of personal data.

Common security measures include encryption of data in transit and at rest, multi-factor authentication, access controls, and the use of reputable third-party security service providers. Describe these at the level of the safeguard, not the implementation: a public policy should not reveal product versions, network layout, or other detail that would help an attacker. It's also important to specify how long collected data is stored and the reason for that duration.

Your privacy policy should also describe how your business will respond to a data breach, with specific procedures and processes. This should include how you would notify affected individuals and regulatory authorities, per applicable laws, and the steps you’ll take to mitigate the overall impact.

7. Explain how users can opt out

Your privacy policy should clearly explain how users can revoke any permissions they previously granted. Specifics of this right vary across laws, but data subjects typically have the right to refuse or revoke consent or opt out of data processing for at least some data types and processing functions.

This can include opting out of data collection, processing, or sharing activities, even if they were initially agreed to. It can also include specific processing, like targeted advertising or profiling, or the use of the data in automated decision-making (e.g. using AI tools). Make sure that you provide detailed instructions on how users can do this, whether it’s through account settings, a consent banner, contacting customer support, or using specific tools like email unsubscribe links.

8. Include a specific period of time for which you will retain data

In your privacy policy, clearly state how long user data will be stored. This will depend on the purpose of data collection, as well as any relevant privacy laws.

Although the GDPR doesn’t include specific retention periods for different types of data, it requires data to be kept for only as long as necessary, i.e. to fulfill the processing purpose. As such, your privacy policy should clarify that your business will store user data only for the period needed to fulfill its purpose, in full compliance with legal obligations.

It should also state that, after this period, stored consumer data will be securely deleted or anonymized. Note that, depending on the relevant law, consent may need to be renewed while the data is still in use, for example where a law or guideline caps how long a consent remains valid.

9. Detail a dispute resolution process

Your privacy policy should have a clause that outlines how users can raise any concerns about how their personal data is handled.

Include the contact information of your designated Data Protection Officer (legally required in some cases, and just recommended in others), or the relevant department, as well as a feedback form where they can provide information directly.

Also include steps for submitting a complaint or appealing a decision by the company, e.g. refusal to act on a data subject request, along with a short explanation of how such disputes are typically resolved.

For example, your dispute resolution process might start with a consumer contacting your DPO via email. The company then reviews the complaint, aiming to resolve the issue within a specific timeframe, such as 30 days. If the dispute isn’t resolved internally within that time, users can then escalate their complaint to a relevant data protection authority.

10. Include privacy requirements for children

A section on child data privacy is required by regulations such as the Children’s Online Privacy Protection Act (COPPA) in the United States, and similar laws in other regions.

This clause should clearly state your practices regarding the collection, use, and disclosure of personal information from children under the age of 13 (or another age threshold depending on the country).

Note that under many laws, personal data belonging to children is automatically categorized as sensitive, and thus subject to the same stringent access requirements and protections.

You should also mention parental rights, including how parents or legal guardians can review their child’s information, request to have it deleted, and refuse any further collection or utilization.

Under some laws, like India’s Digital Personal Data Protection Act (DPDP Act) the rights and functions of legal guardians apply on behalf of people with disabilities who need representation as well.

11. Communicate users’ rights regarding personal information

Make sure that your privacy policy clearly describes the rights that users have regarding their personal information, which may vary by jurisdiction and are subject to change.

Under the GDPR, for instance, consent must be explicitly obtained before data collection, if user consent is the legal basis for processing that data. Conversely, the state-level privacy laws in the United States, such as the CCPA, do not require prior consent. Instead, users have the option to opt out at any point, though they may only be able to opt out of certain uses, and not all processing.

Users’ rights often include the right to access data, to request corrections or deletions, to data portability, and to opt out of data processing activities. Data protection laws also require that users who exercise their privacy rights are not discriminated against in any way.

12. Provide administrative information

Finally, your privacy policy should include key administrative details, like contact information and version history.

Your contact details and contact mechanism should be convenient and accessible to the average person, so ideally provide a mix of digital and physical contact methods if relevant to your company’s operations, like email address, web form, phone number, postal address, etc. There is also software available to automate data subject contacts, especially for data access requests.

Your administrative information should also describe when the privacy policy was last reviewed and updated, clearly showing what those updates were and when they were made.

To ensure transparency, it’s a good idea to include links to archived versions of the privacy policy. While sometimes a legal requirement, this also gives users the opportunity to see how the policy has evolved over time.

Use a privacy policy generator to stay compliant

Following these 12 steps will help you to produce a clear and compliant privacy policy. However, writing and updating it takes time and effort, especially as global regulations change, new laws are passed, and the technologies and service providers that companies use evolve.

To better manage this, many companies use privacy policy templates and generators to streamline and automate many parts of the creation process.

In addition to saving time, privacy policy generators enable you to create privacy policies that comply with major data protection laws like the GDPR, CCPA, and more, and stay up to date with changes and new regulations.

Privacy policy information for different platforms

Different organizations and platforms request and use personal data for different purposes. For example, an ecommerce website will have different tools and data collection purposes than a charity newsletter. How users are tracked in an app can also differ from cookie and tracker use in a web browser.

These platforms, including smart devices like connected TVs, must all communicate with users about data collection and use. There are tools that enable cross-device consent management to streamline these functions.

Privacy policy information for websites

Websites have unique data collection methods, such as cookies and other tracking technologies, which need to be communicated in a privacy policy, in addition to the more general information outlined above. Website-specific privacy policy information includes:

Understanding the relevant data privacy laws for your specific organization is crucial. It’s also important to conduct regular data audits to clarify what data your website collects and how, and to ensure the privacy policy is accurate, up to date and compliant.


Privacy policy information for apps

Data protection authorities are increasingly cracking down on mobile applications, many of which have a poor track record with data privacy compliance.

In addition to the requirements outlined above, app-specific privacy policy information should also be included, like:

Where should a privacy policy be located?

Privacy policies tend to be long documents, so they’re often located on a dedicated web page or app screen. Links to this page should be accessible from elsewhere, such as the website header or footer, or mobile app settings.

Privacy information is often legally required at certain points on a website or app. For instance, a privacy notice should appear at the point of data collection, such as when the website or app first loads or when the user is about to complete a specific action. When a consent banner is in use, typically it will include a visible link to the privacy policy.

Other relevant points where privacy information should generally be present or accessible include:

Implementing a compliant privacy policy

When creating and updating a privacy policy and/or privacy notifications, consult qualified legal counsel or an internal privacy expert, like a DPO (if one is required).

Organizations need to be clear and accurate on what data they collect and store, their means of doing so, how that data is used, and who it’s shared with. This is the only way to ensure accurate communication with data subjects and to safeguard their ability to exercise their rights. It also helps to ensure compliance with relevant data privacy regulations.

Keeping your privacy policy sufficiently detailed, compliant, and up to date can be challenging. Thankfully, tools are available to not only generate but also automate the maintenance of privacy policies.

For the best value, look for a tool that integrates with a consent management platform (CMP) to ensure the privacy policy stays accurate and up to date. A CMP like Usercentrics also enables consent collection and management at the point of data collection, which is vital for broad data privacy compliance.

It is additionally time- and resource-saving if the CMP enables regular automated scanning of the website or app to detect all cookies and other trackers currently in use, and updates the privacy policy and other relevant information sources accordingly.

If you have questions or are interested in implementing a compliant privacy policy for your website or app, or need a consent management platform to achieve compliance with privacy laws around the world, talk to one of our experts.

We’re excited to have you join us to explore how the incredible capabilities and features of Usercentrics CMP can benefit your business and its privacy compliance.

Whether you’re a new user getting set up, or looking to refresh your knowledge, this webinar provides an excellent opportunity to learn, ask questions, and connect with our CMP experts.

What you’ll learn

Who can benefit from this webinar?

Unlock the full potential of Usercentrics CMP for both web and apps. This session is tailored for:


What is a privacy policy meant to communicate? Most websites and apps collect data from users via cookies and other tracking technologies. These technologies do everything from helping websites work correctly to enabling ecommerce and collecting visitor statistics and user behavior information. Some of this information can be collected without notifying users, but in most cases a clear and accessible privacy notice is required.

In this article, we cover everything you need to know about privacy policies, why you need one and how to create a privacy policy for your business.

What is a privacy policy?

A privacy policy is a legal document required by most data privacy laws, which outlines how you process your users’ or customers’ personal data. This includes how you collect, store, use, share and protect personal data and what rights users have with respect to their data.

You need to establish user privacy policies if you collect personal data through your website, mobile app, email newsletter, social media platform or account, TV app, ecommerce platform, smart home device or online marketplace. This is not an exhaustive list, and you may use another medium altogether. Regardless of where you collect personal data from, your privacy policy statement should explain your company’s privacy practices and how they affect users and their data.

Global privacy laws require organizations to clearly communicate specific information about what data is collected, for what purpose, who it may be shared with, and how it is secured. This is what a privacy policy — also called a privacy notice or privacy statement — is for, and is why you need one as part of your data compliance strategy for the GDPR, CCPA, LGPD and other applicable regulations.

Your users and customers should be able to easily find your privacy page or privacy information on your website, app or other platform.


Privacy policies and understanding personal data and collection

What is personal data?

Most websites and apps collect functional, statistical, or marketing data from visitors via cookies and other tracking technologies. This data is collected whether the user is accessing the website from a laptop, tablet or mobile device.

Privacy laws typically define this information as the personal data of the users from whom it’s collected via their online activities. Because such data can be used to identify an individual, it is legally protected. Personal data can include information like:

Some personal data can also be classified as “sensitive” if it could be used to inflict harm, such as health information, religious affiliation, sexual orientation, or racial background.

How do I know what cookies my website uses?

Websites and apps use cookies and other tracking technologies for everything from making the website function correctly to enabling ecommerce to gathering marketing data.

Using a scan to audit your website’s cookies is a great first step to understand what personal data you collect and how information about that data and cookie use must be communicated in your website privacy policy.

Users’ privacy rights

Privacy laws like the GDPR, CCPA or POPIA require that users be notified when their personal information is collected, including, for example, from Art. 13 GDPR:

This information is included in a standard privacy policy and must be specific to each organization depending on their operations, data collected and relevant legal jurisdictions. In many cases, users must also be provided with the option to consent to or decline the collection or sale of their personal information as well as be provided a process to do so. This information should also be part of a legally compliant privacy policy.

Privacy laws typically protect consumers by stipulating that those who decline the collection or processing of their personal information cannot be denied access to products or services, or otherwise discriminated against by a company, for refusing consent for data collection or use.

In many jurisdictions, the legal requirements for a standard privacy policy, and for what it must contain, depend on where users are located and on the local data protection laws. They do not depend on the type or size of the business or its revenue (with some exceptions, particularly in the United States), on whether the website is used for ecommerce, or on whether it requires account creation. If you have EU customers, for example, you need a GDPR-compliant privacy policy statement.

It is important to know what data your website or apps collect, how it’s used, who will have access to it, and what laws are applicable to your company to ensure your privacy policy is complete and accurate. It also needs to be regularly reviewed and updated as operations, technologies and the regulatory landscape change. A privacy policy is a legal document, and as such we recommend working with qualified legal counsel and having a corporate Data Protection Officer.

Failure to comply with privacy policy requirements can contribute to regulatory noncompliance and penalties like heavy fines, prosecution, loss of business licenses, data deletion and reputational damage to the company.

Third-party services and privacy policies

There is a legal requirement that a privacy policy must outline third parties that will have access to or process the data you collect. However, it goes both ways. Many third parties require website and app operators to post a privacy notice if they use the third-party services.

These services can include in-page or in-app advertising, analytics services, ecommerce or app store usage and more. Services from large companies like Apple, Google, Facebook and Amazon are very widely used, and they all require companies that use their services to communicate with customers or users what data they collect, for what purposes, and what is done with it.

Privacy policies under data protection laws in different countries

The European Union’s General Data Protection Regulation (GDPR): The GDPR requires transparency about the collection and use of personal data from EU residents. It necessitates that privacy policies include the types of data collected, purpose(s) for processing, the legal basis for processing, data retention periods, and the rights of individuals concerning their data. It also requires information on data transfers, how users can withdraw consent, and how users can lodge complaints with supervisory authorities.

United Kingdom General Data Protection Regulation (UK GDPR): The UK version of GDPR maintains very similar requirements for privacy policies as the EU GDPR, including having detailed information on data processing activities and data subject rights. Data collectors must proactively make visitors aware of this information, and visitors must have an easy way to access it.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): The CCPA/CPRA mandates that businesses have a ‘notice at collection’, where they inform California residents about the categories of personal information collected and, if they sell the information, the right to opt out of its sale. This notice at collection must contain a link to a standard privacy policy that details the business’s data privacy practices and informs consumers of their privacy rights and how to exercise them.

Brazil’s Lei Geral de Proteção de Dados (LGPD): Brazil’s LGPD requires organizations to provide clear and comprehensive information about data collection and usage, which can be done through a privacy policy statement. It must include data subjects’ rights, the purposes for which data is processed, and the duration of its processing, among other requirements.

South Africa’s Protection of Personal Information Act (POPIA): South Africa’s POPIA stipulates that the data collector must document all processing activities and take reasonable steps to notify consumers when collecting personal information. The notification can be done via a privacy policy.


Why your website needs a privacy policy

A privacy policy for your website is essential for clarity on data handling practices, providing visitors with an understanding of what information is collected and how it is used. With regulations like the GDPR and CCPA setting stringent rules on data privacy, a compliant privacy policy helps avoid substantial fines and legal complications.

In addition to being a legal requirement, a comprehensive privacy policy is also important for your brand and for building user relationships. Consumers are increasingly aware of their online privacy rights and the mass collection of their data. They may not understand adtech in depth, but they should be able to exercise their rights and have confidence in the websites they visit, the apps they use, and the companies they do business with.

Making it clear what data you collect, how it’s used, who has access to it and how you keep it safe shows users that your company has mature processes in place to respect and safeguard privacy. It shows you respect the people who provide their time, data and money to your company, and that you aren’t just interested in strip mining their information. A clear, up-to-date and easily accessible privacy policy for your website is a great tool for demonstrating your business’s principle of transparency and building user trust.

About the webinar

Anyone who has ever used ChatGPT can roughly imagine how the world will change in the near future due to technological advancements in artificial intelligence. The rise of the fake web has become a pressing issue in today’s digital landscape. Using modern AI, it is now trivial to spin up 100k fake bot accounts with human-like behavior for less than a penny per account. We are coming to the end of this version of the internet, and it will be replaced by something completely different. It has never been easier to program bots with human-like behavior and buy them on a large scale for little money.

What does the rise of AI-generated content, deep fakes, manipulated social media accounts and the spread of disinformation, mean for your marketing and analytics data?

What you’ll learn

Who can benefit from this webinar?

This webinar can benefit any organization that collects and manages user data for business purposes. The key takeaways are particularly relevant for:

Watch it on demand

This on-demand webinar is now available at no charge to anyone who wants to turn privacy compliance into competitive advantage.

Don’t miss your chance to learn from our experts.

¹ The webinar partner is fraud0.


Summary of the GDPR

The General Data Protection Regulation (GDPR) is the data privacy and protection law for the European Union (EU) and European Economic Area (EEA). It has been in effect since 2018.

The General Data Protection Regulation (GDPR) protects and strengthens the privacy rights of individuals and regulates access to and processing of their personal data. It establishes rules and requirements for organizations that collect, process, store, sell, or share personal data. The GDPR imposes penalties for violations and prohibits organizations from denying consumers rights or discriminating against them for exercising their rights.

How many principles of GDPR are there? Seven. They are core to how the GDPR regulates the processing of personal data and are set out in Art. 5 GDPR.

What are the principles of GDPR?

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality
  7. Accountability

Data privacy compliance is more than just a legal requirement with regulations like the GDPR. It is a way to build trust with customers and increase engagement. It secures brand reputation and can be a competitive advantage.

Lawfulness, fairness, and transparency

Lawfulness means that an organization (the data controller) collecting and using individuals’ personal data has a valid legal reason to do so. There are six legal bases for data processing under the GDPR (Art. 6 GDPR):

Obtaining user consent is one of the most common legal bases. Data protection authorities may challenge an organization on its choice of legal basis, e.g. legitimate interest, and require them to prove the validity of its use.

Fairness means that the organization is transparent with users when requesting access to or processing their personal data. They can’t claim an invalid legal basis, process the data for purposes other than what they have communicated, or continue processing data after the individual has opted out.

Transparency means that the organization clearly communicates what it wants to do, how, and why: what data will be processed, for what purpose(s), who may have access to it, how it will be kept secure, and how individuals can exercise their rights.

This information is generally communicated in a privacy policy or notice on an organization’s website or in app settings. A consent management banner can also be used to provide information and request consent for the use of cookies and other trackers on websites and apps.

Purpose limitation

Organizations can only collect and use personal data for the purpose(s) that they have stated. Under the GDPR, if a controller wants to change or add a purpose for data processing, they must notify data subjects, and, if using consent as a legal basis, get consent again for the new purposes.

Individuals must be able to provide or revoke consent at a granular level, so they can consent to some purposes for data processing (e.g. personalized advertising) but not others (e.g. statistics). They must also be able to change or revoke their consent at any time, even if they previously granted it.

Data minimization

Organizations benefit from access to as much data as possible. It helps them know their customers better, improve targeted advertising, send more communications, and make more money. However, under the GDPR organizations can’t just collect and process as much data as they can manage to get, or just start using data they collected for one purpose for a new purpose.

Organizations can only process the amount of data they really need for their stated purpose. So, for example, if you want to sign up someone for an email newsletter, you don’t need their phone number or credit card information.

Accuracy

Organizations have a responsibility to ensure that the data they have collected is accurate and remains up to date. That could be via their own inquiries and efforts, or by responding to and making changes based on a data subject’s request.

If a company has your old email address or old home address in their database, they have a responsibility to get it updated if you are still a customer of theirs or if they have another reason to retain your data.

Storage limitations

Organizations can’t just keep data they have collected forever. They can’t store data longer than they actually need it for their processing purposes.

Secure return or destruction of data must be carried out once it is no longer required, or when requested by the data subject who provided it. Data processors, the third parties that data controllers work with to process data, must also be contractually bound to securely return or destroy the personal data they hold and have been processing.

If you are no longer a customer of a company and don’t want any communications from them, aside from legal requirements for retaining data (e.g. financial records), they have no reason to keep your personal information in their systems.
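The purpose limitation, data minimization and storage limitation principles described above can be enforced in code rather than left to policy. The following is an added illustration, not Usercentrics code: a small consent gate that records per-purpose consent with revocation, refuses processing for a purpose that was never declared or consented to, rejects requests for fields the purpose does not need, and flags data whose retention period has lapsed so it can be deleted. The purposes, required fields and retention periods are constructed for the example and are assumptions, not values from any regulation.

```python
"""Consent gate enforcing purpose limitation, data minimization and
storage limitation. Added illustration, not Usercentrics code; every
purpose, field set, retention period and timestamp below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purposes the hypothetical service declares in its privacy notice (constructed).
DECLARED_PURPOSES = {"newsletter", "statistics", "personalized_ads"}

# Data minimization: the minimum fields each purpose needs (constructed assumption).
REQUIRED_FIELDS = {
    "newsletter": {"email"},
    "statistics": {"page_views"},
    "personalized_ads": {"email", "browsing_history"},
}

# Storage limitation: how long data may be kept per purpose (constructed assumption).
RETENTION = {
    "newsletter": timedelta(days=730),
    "statistics": timedelta(days=30),
    "personalized_ads": timedelta(days=90),
}

# Fixed reference time so the example is reproducible (constructed).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days_after(n):
    """Timestamp n days after T0; keeps sample timestamps in one place."""
    return T0 + timedelta(days=n)


@dataclass
class ConsentRecord:
    subject_id: str
    # purpose -> time consent was granted; a missing key means no consent
    granted: dict = field(default_factory=dict)


def grant(record, purpose, at):
    """Record granular consent for one declared purpose."""
    if purpose not in DECLARED_PURPOSES:
        raise ValueError(f"undeclared purpose: {purpose}")
    record.granted[purpose] = at


def revoke(record, purpose):
    """Withdraw consent for one purpose; other purposes are unaffected."""
    record.granted.pop(purpose, None)


def check_processing(record, purpose, fields, now):
    """Return (allowed, reason). Each refusal maps to a GDPR principle."""
    if purpose not in DECLARED_PURPOSES:
        return False, "purpose not declared in the privacy notice"   # purpose limitation
    granted_at = record.granted.get(purpose)
    if granted_at is None:
        return False, "no valid consent for this purpose"            # purpose limitation
    extra = set(fields) - REQUIRED_FIELDS[purpose]
    if extra:
        return False, f"fields beyond what the purpose needs: {sorted(extra)}"  # data minimization
    if now - granted_at > RETENTION[purpose]:
        return False, "retention period exceeded"                     # storage limitation
    return True, "ok"


def purposes_to_purge(record, now):
    """Purposes whose retention has lapsed; data held for them must be deleted."""
    return sorted(p for p, t in record.granted.items() if now - t > RETENTION[p])


if __name__ == "__main__":
    rec = ConsentRecord("subject-1")
    grant(rec, "newsletter", T0)
    grant(rec, "statistics", T0)
    print(check_processing(rec, "newsletter", {"email"}, days_after(1)))
    print(check_processing(rec, "newsletter", {"email", "phone"}, days_after(1)))
    print(check_processing(rec, "statistics", {"page_views"}, days_after(31)))
    print(purposes_to_purge(rec, days_after(31)))
```

The gate is deliberately the only path to personal data: callers pass the purpose and the exact fields they want, and a request for a phone number under the newsletter purpose is refused even though the subject consented to the newsletter. Running `purposes_to_purge` on a schedule gives the retention clean-up a concrete input instead of relying on someone remembering to delete old records.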

Integrity and confidentiality

This principle ties in closely with cybersecurity. Integrity means that organizations ensure data is correct, used properly and kept securely, and that it cannot be accessed, stolen, damaged, destroyed, or manipulated by anyone who is not authorized (as happens in a data breach).

Confidentiality means that all personal data that an organization has collected is accessible only to those who absolutely need access to it for the stated purpose of processing. This includes ensuring hackers or other external people can’t access it, but also limiting access by vendors or other third parties an organization works with, as well as internal staff access. Marketing may only need access to some customers’ data for communications or advertising, and finance may need access to different data for payment processing.

Accountability

This principle “binds them all”, so to speak. It means that organizations are responsible to the law and to individuals for the data they collect and use. They have to collect only what they need, for a specific purpose, limit who can access it, and keep it protected. They must clearly communicate to consumers about the use of their data and ensure individuals can exercise their rights (and receive a response in a timely manner).

Being accountable is a legal requirement under the GDPR, with the risk of hefty fines for violations. But it is also a best practice for data privacy more broadly, good user experience, and brand reputation. The majority of consumers today will not do business with a company that they don’t trust or that they don’t think protects their personal information and uses it judiciously.

Data controllers and processors all have responsibilities for accountability, but the data controller has ultimate responsibility for actions of processors they do business with. This is why contracts, data audits, clear instructions, and regular communications are important.

Conclusion and best practices for GDPR compliance

The GDPR is strict, but that’s a good thing for consumers and organizations alike. It sets strong standards for how data is collected and used, and encourages organizations to implement a privacy by design approach to their business operations and data protection. It helps ensure that individuals know their rights and the value of their personal data, and are proactive about who they share it with and why.

Training and communication are key for organizations to not only achieve and maintain GDPR compliance, but to make data privacy a part of everyday operations and company culture. Like compliance efforts themselves, training and policy updates should be regular and ongoing. Under the GDPR, regular updates to privacy policies and other relevant documentation, and communication of changes, are required.

GDPR compliance isn’t just for IT departments or Data Protection Officers. It’s important to legal departments, marketing teams, customer support agents, vendors, and partners. Not to mention an organization’s valued customers, app users, website visitors, and others.

Do you have questions about GDPR compliance? Would you like to learn more about implementing a consent management platform? The Usercentrics Website Consent Management or Apps Consent Management solution can help your business achieve privacy compliance and build user trust. Talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Are the big tech companies doing enough to protect users’ data, and what can you as a company do to stay ahead of the privacy game? This session gathers leading privacy professionals to discuss how to make your company privacy ready.

¹ The webinar partners are Hunton Andrews Kurth LLP, Barclays Group and IAPP.