Posted by Miks Ulmanis
Before diving into the details about privacy policy specifics, let's first have a look at why this topic is relevant to businesses today.
You should know by now that there is no such thing as FREE services or products. You either pay your money or you pay with your data.
Not so long ago, the Cambridge Analytica scandal revealed large-scale misuse of personal data. It's only a question of when someone else will take your data and misuse it or sell it on.
That's the main reason why we are having new regulations now, the most famous being the GDPR. Since misuse of personal data can significantly impact people's lives, regulators are introducing new measures to protect people's personal data rights. Among those measures, one key document that businesses must have is a privacy policy!
The main idea of this article is to explain how a business can protect itself from being fined while at the same time benefiting its users. It also gives a brief overview of how you can get a privacy policy and why you can't copy it from your competitors or use the FREE versions.
When using personal data, you must tell your users what you are using their data for, how you use their data, and what their rights are.
You should provide this information in a clear, open, and honest way. It’s best to have this written down in a document called a privacy policy.
Having a privacy policy is required by the GDPR if you use any personal data. If you do not have a privacy policy, you may be fined by data protection authorities and damage your reputation.
Also, many service providers now require their customers to publish a privacy policy. It is a requirement of the App Store, Google Play, Google Analytics, Facebook, and many more.
Neither "privacy policy" nor "privacy notice" is mentioned as a specific term in the GDPR. In practice, both terms can be used interchangeably.
The main purpose of both documents is to notify individuals how their personal data is used. However, currently most websites and apps call this document a privacy policy.
Personal data is information that can identify an individual (natural person). It can be a name, a number, an IP address, a cookie identifier or a person’s business email.
Business data that does not relate to any specific individual (such as email info@website.com) is not personal data.
More examples of what is personal data can be found on the European Commission website.
The GDPR (General Data Protection Regulation) is a law of the European Union, which came into effect on May 25, 2018. It is safe to say that it is the toughest data protection and security regulation in the world, and it applies to businesses of all sizes.
In short, the GDPR regulates how organisations collect, store, share and otherwise use personal data. Having a privacy policy is part of the GDPR requirements.
For your reference, here is the full GDPR text.
First, the GDPR can apply to you if you use personal data and have an establishment in the EEA. An establishment in the EEA can be your company, branch, subsidiary, employee or agent in the EEA. If you use personal data in the context of the activities of such an establishment, the GDPR applies to you.
Second, the GDPR also applies if you are not located in the EEA and use the personal data of individuals in the EEA in relation to:
That means that the GDPR may apply to you even if you are not a European company unless you happen to be a very rare business that does not use the personal data of EEA citizens or residents in the above-described ways.
If you do not have any establishment in the EEA but you have a website or application available to individuals in the EEA, it does not automatically mean that the GDPR applies to you.
However, if you intend to offer products or services to individuals located in the EEA, then the GDPR will apply. This is the case, for example, if you have launched marketing campaigns directed at an EEA country audience or if you have special contact details for clients from an EEA country.
In such cases, the GDPR will apply irrespective of whether your products or services are free or paid.
Monitoring may take place, for example, by tracking individuals on the internet using cookies or through wearable or other smart devices. Here again, an important criterion is whether you specifically intend to monitor individuals in the EEA. If yes, the GDPR will apply.
If you don't comply with the GDPR, you may face a fine of up to €20 million or 4% of global revenue (whichever is higher), plus any compensation for damages that your users may claim.
The relevant authority will look at various factors to determine the amount of the fine, including how serious the violation was and how long it lasted, whether the violation was intentional or accidental, and many other factors.
One of the largest fines was imposed on WhatsApp, which received a fine of €225 million on August 20, 2021, among other reasons because its privacy policy was not clear enough.
The requirement of having a privacy policy is not related to revenue. If you use personal data, then you must have a privacy policy.
For example, if you own a blog that uses analytical tools or collects readers' emails, you must have a privacy policy, even if you haven't registered a company and generate no income from the blog.
The good thing for a small business or a blog is that most likely you don't use a lot of data. It should be easy and cheap to generate a custom privacy policy and comply with the applicable laws.
There are many ways to create a privacy policy for your website or app. Here are some options:
For a small business, a great option is to use a privacy policy generator and then check if the result matches the ways you use personal data.
We suggest not using the FREE options! We have checked almost all of them: they are not GDPR-compliant, and many are outdated.
Privacy policies are dynamic documents that need to be updated regularly. It is important that you use a generator that follows the latest changes in privacy laws and practices, and allows you to update your policies regularly, such as Ligalio.
Also, make sure to check whether you use special category data; if so, you will have stricter obligations (see the section on special category data at the end of this article).
It can be quite an extensive list. Below, we have included a few examples that are most common.
The privacy policy is a dynamic document. As soon as you change something about your personal data collection practices or uses, you must update your policy.
In an ideal world, you should update your policy after every change you make regarding personal data practices. However, we suggest reviewing your policy at least every quarter. Definitely make sure to update it in case you make any major changes, such as adding new functionalities to your products or services.
There are types of data that qualify as special category data and need more protection due to their sensitive nature. If you use any special category data, your business will have to comply with additional GDPR obligations.
Special category personal data examples:
Additional care should also be taken when using personal data regarding criminal convictions and offences.
If you use or wish to use any of the data listed above, we strongly advise you to consult with a lawyer regarding GDPR-compliance and creating a privacy policy.
The GDPR does not state where exactly you need to put your privacy policy on your website or app. However, the privacy policy must always be easily visible and accessible to your users.
For websites, the most popular place to put a privacy policy is in the footer. Other places may be checkout pages, sign-up forms and separate banners on a landing page.
For apps, the best places are app store listings (which usually link back to the privacy policy on your website), menus within the app, the bottom of the app's settings section, or the website that promotes your app.
If you need a privacy policy, check out our privacy policy generator! 🚀