You should know by now that there is no such thing as FREE services or products. You either pay your money or you pay with your data.
Not so long ago, the Cambridge Analytica scandal was revealed regarding their misuse of personal data. It's only a question of when someone else will take your data and misuse it or sell it again.
When using personal data, you must tell your users what you are using their data for, how you use it, and what their rights are.
What Is Personal Data?
Personal data is information that can identify an individual (natural person). It can be a name, a number, an IP address, a cookie identifier or a person’s business email.
Business data that does not relate to any specific individual (such as the generic email address email@example.com) is not personal data.
More examples of what is personal data can be found on the European Commission website.
What is the GDPR and Why Is It Relevant?
The GDPR (General Data Protection Regulation) is a law of the European Union that came into effect on May 25, 2018. It is safe to say that it is the toughest data protection and security regulation in the world, and it applies to businesses of all sizes.
For your reference, here is the full GDPR text.
Does the GDPR Apply to Non-European Companies?
First, the GDPR can apply to you if you use personal data and have an establishment in the EEA. An establishment in the EEA can be your company, branch, subsidiary, employee or agent in the EEA. If you use personal data in the context of the activities of such an establishment, the GDPR applies to you.
Second, the GDPR also applies if you are not located in the EEA and use the personal data of individuals in the EEA in relation to:
- offering products or services (including digital products and services) to them; or
- monitoring their behaviour as their behaviour takes place within the EEA.
That means the GDPR may apply to you even if you are not a European company, unless you happen to be one of the very rare businesses that does not use the personal data of EEA citizens or residents in the ways described above.
Offering Products and Services to Individuals in the EEA
If you do not have any establishment in the EEA but you have a website or application available to individuals in the EEA, it does not automatically mean that the GDPR applies to you.
However, if you intend to offer products or services to individuals located in the EEA, then the GDPR will apply. This is the case, for example, if you have launched marketing campaigns directed at an audience in an EEA country, or if you provide special contact details for clients from an EEA country.
In such cases, the GDPR will apply irrespective of whether your products or services are free or paid.
Monitoring the Behaviour of Individuals in the EEA
Monitoring may take place, for example, by tracking individuals on the internet with cookies, or through wearable or other smart devices. Here again, an important criterion is whether you specifically intend to monitor individuals in the EEA. If so, the GDPR will apply.
What Are The GDPR Fines?
If you don't comply with the GDPR, you may face a fine of up to €20 million or 4% of global revenue (whichever is higher), plus any compensation for damages that your users may claim.
The relevant authority will look at various factors to determine the amount of the fine, including how serious the violation was and how long it lasted, whether it was intentional or accidental, and many other factors.
- Hire a lawyer: the best option, but usually the most expensive
- Hire a freelancer: a great option if you can get a data protection specialist at a low price
- Write the policy yourself: unless you are a lawyer and understand the GDPR, you should avoid doing this
We suggest not using the FREE options! We have checked almost all of them and they are not GDPR-compliant and many are outdated.
Privacy policies are dynamic documents that need to be updated regularly. It is important that you use a generator that follows the latest changes in privacy laws and practices, and allows you to update your policies regularly, such as Ligalio.
Also, make sure to check whether you use special category data; if you do, you will have stricter obligations (see the section on special category data at the end of this article).
It can be quite an extensive list. Below, we have included a few examples that are most common.
- Your identity (such as your business name)
- Your contact details, so that your users can reach you with any personal data-related questions
- Which particular website, app or activities the policy applies to
- Which personal data you collect about your users
- How you use the personal data
- Why you use the personal data
- The legal basis for using the personal data
- Your users' rights with respect to their personal data
- Where you collect users' personal data from, in case you do not collect it directly from the users
- How long you store the personal data
- To whom you may disclose your users' personal data, and whether you transfer the personal data outside the EEA
- How users can complain if they have concerns about misuse of their personal data
- Your business complies with the law (GDPR) - the main reason why we all must have privacy policies.
- Build trust with your customers - a business that treats users' data with care will generate much more revenue in the long run than a landing page that only cares about a one-off sale and handles customers' data carelessly. By having a proper policy you also minimise your reputational risk.
- Avoid unexpected fines and legal issues - unless businesses start paying more attention to the protection of their users' data, the fines are likely to grow. As of March 2022, the total amount of GDPR-related fines had reached €1.61bn.
In an ideal world, you would update your policy after every change to your personal data practices. At a minimum, we suggest reviewing your policy at least every quarter, and definitely updating it whenever you make major changes, such as adding new functionality to your products or services.
Businesses That Should Take Privacy Policies and the GDPR Very Seriously!
There are types of data that qualify as special category data and need more protection due to their sensitive nature. If you use any special category data, your business will have to comply with additional GDPR obligations.
Special category personal data examples:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Health data
- Data concerning a person’s sex life
- Data concerning a person’s sexual orientation
Additional care should also be taken when using personal data regarding criminal convictions and offences.