Most companies are aware of the requirement to fulfil information obligations vis-à-vis data subjects whenever they process their personal data. One of the most common ways to fulfil this obligation is the privacy notice on a website. In this article, we explain what you have to take into account when drafting a privacy notice and what you can do to make it more user-friendly.
What does the GDPR say about the fulfilment of information obligations?
The General Data Protection Regulation (GDPR) stipulates that whenever a controller communicates with a data subject, be it in order to fulfil its information obligations or to respond to a data subject’s request, the information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In essence, this seemingly complicated provision requires the controller to always keep the recipient of the information in focus. The recipient must be able to easily understand the provided information.
Considering the recipient of the information
Firstly, the controller has to consider the recipient of the information. This might have an impact not only on the communication channel to be used but also on the content of the communication. For example, in a privacy notice for an online IT forum, different terms might be used than in a privacy notice of a senior citizens’ organisation. In addition, the communication channel might differ as well: for IT-savvy recipients, it might be most convenient to obtain information in an electronic format, while for elderly people, such a communication channel might not be considered “easily accessible”.
The GDPR stipulates that companies should exercise particular caution when providing information to children: if a privacy notice is directed to this group, this must be reflected in the language used. Based on this provision, the Dutch data protection authority imposed a fine of EUR 750,000 on the social media app TikTok. Popular primarily with children (according to a recent study, the majority of its users are below the age of twelve), TikTok provided an information notice only in English. The Dutch authority reasoned that it cannot be taken for granted that Dutch data subjects in the named age group have a good command of English, let alone the ability to understand legal texts in English. According to the authority, the sole fact that TikTok failed to provide a privacy notice in the local language sufficed to conclude that the information was not provided in a way intelligible to children.
What further steps can controllers take to make privacy notices more understandable?
There is an inherent tension in the GDPR between the requirement to provide comprehensive information about the data processing on the one hand, and the requirement to do so in a concise, transparent, intelligible and easily accessible form on the other. The predecessor of the European Data Protection Board, the Art. 29 Working Party, hence recommended that controllers assess in each specific case how to prioritise the information provided to data subjects and which methods and levels of detail are appropriate for conveying it.
Layered approach
A good example of prioritising information is the so-called layered approach, which is especially relevant in the digital environment. Instead of providing a single privacy notice, the controller can divide it into several layers. The first layer should provide the data subject with the basic information about the processing. Furthermore, it should contain information on the processing activities which have the most impact on data subjects and on any processing that might surprise them. It should also contain instructions on where within the layers of the privacy statement the reader can find more detailed information. In this way, the fulfilment of information obligations can be both detailed and easily understandable at the same time. Needless to say, the different layers of the privacy notice should be consistent and not provide conflicting information.
Although less common, a layered approach can also be applied in a non-digital environment. For example, if the first point of contact between a data subject and a controller is over the telephone, it might be impractical to provide a full privacy notice over the phone. Hence, by relying on a layered approach, controllers can provide data subjects with the most important information in the phone call itself while providing further, more detailed information in a second layer using a different communication channel. For example, they could send a copy of the privacy policy by e-mail or postal mail, or provide data subjects with a link to a privacy notice published online.
“Push” and “pull” notices
Another possible way of providing information in a more user-centric way is by using “push” and “pull” notices. “Push” notices involve the provision of “just-in-time” transparency information. They aim at providing data subjects with relevant information in an ad hoc manner, i.e. at the point in time when this information is most relevant for them.
For example, when purchasing household insurance over the internet, the data subject usually has to provide many different pieces of information. The insurance company could explain why it needs specific pieces of information and use pop-ups to indicate who receives the information that the data subject is entering. This would not only help the data subject understand the processing but also build the data subject’s confidence in the full transparency of the controller.
On the other hand, “pull” notices facilitate access to information by methods such as “learn more” tutorials, in which parts of the privacy notice are explained in an easily understandable way, and privacy dashboards. A privacy dashboard is a single point where a data subject can manage her privacy preferences. It is especially relevant where a data subject uses the same service on several devices, as it enables her to keep an overview of her privacy settings on different devices.
Where a privacy dashboard is used, privacy notices can be personalised for each user. Based on the settings made in the privacy dashboard, the transparency of the privacy notice is increased by showing only the information on the processing operations relevant to the specific data subject, rather than information on all processing operations of the controller, including those that are not relevant to the data subject in question.
Conclusion
When drafting a privacy notice, controllers should consider all relevant characteristics of its intended recipients. Once the first draft of the privacy notice is created, e.g. by using our free-of-charge Privacy Policy Generator, the controller should assess whether the information will be understandable for the average member of the intended audience. If necessary, it should take additional steps to make the information more understandable for them, all the more if the notice is directed to children or if the privacy notice is not written in the language commonly used in the country of the affected data subjects.
If a controller decides to employ any of the measures discussed in this article, such as “push” notices, it should be noted that such measures complement rather than substitute a “traditional” privacy notice. Hence, the controller should also publish the entirety of the information in one single place and/or one complete document.