It should be stated from the outset that I am not a lawyer and this is not legal advice. However, a lot of people will be worried about how the GDPR relates to them in New Zealand and I have been talking to a lawyer in the E.U. who sent me a short checklist for The Privacy Shop (TPS) privacy policy that is worth sharing. It isn’t a complete overview but it’s a good way to take a fresh look at your privacy policy through the eyes of the GDPR. There are a couple of things to remember at the outset. The GDPR only effects you if you are dealing with people in the European Union. It is aimed at protecting peoples data and allowing informed consent for others to use it. Something we don’t currently have in NZ.
So get out your privacy policy, read through it using these points and I will give examples from TPS’s privacy policy to explain.
How does the company obtain personal data?
Your policy needs to explain how you obtain personal data. Do you do it through the website, questionnaires or signing up for emails? Do you do it through cookies or web beacons? Maybe people need to enter data into a registration form to use the site. Maybe it is bought from a third party such as Equifax or gained through the use of a mobile phone app. How you are gathering data needs to be explained in your privacy policy.
For TPS the privacy policy states that,
Your personal data may be collected when you browse or interact with our website” as that is the only way we collect information.
What forms of personal data does the company collect?
You need to rewrite your policy to explain what types of data the company is collecting. Just to serve a website means that you will be collecting IP Address, browser type, operating system and probably referral pages (eg; what website they came from). But if you have a registration page then you might be collecting name, address, age, sex and email address as well. A payment page might collect a credit card number or if they send money to your bank then you would be collecting banking details.
The TPS privacy policy states it collects your name, e-mail address, technical information (such as, IP address, browser type, and other connection data held in our logs) and any other information relating to you that you may provide to us. In fact we only collect a name and email address if people choose to give it when posting a review or sending a product list but, since we might, it all has to go into the policy.
How does the company use personal data?
How do you use the data you gather? Do you use it for advertising, website statistics, selling products, tracking customers, logins, password resets, or selling the data to third parties. This all needs to be declared so people know what is going to happen to the data they provide you. This, and the next point, are what has the larger players on the Internet worried as they feel their relationships will suffer if people find out what is happening to the data they are providing.
TPS found this one quite easy as the data is only used to operate the shop. As such the policy says,
Whether we receive your personal data directly from you or a third-party source, we will only use it to facilitate The Privacy Shop services.
How does the company share personal data?
This also covers third parties who also have access to the data. If you are using a web hosting service, VPS service, etc….they all come under this. If WordPress plugins have access to the data then you should declare that you are sharing data with third parties. Google analytics, payment providers, pictures linked from other servers, font servers…everything. You would be amazed how many services can be used by a website that get over looked. Look at your site using a plugin like Firefox Lightbeam or uBlock Origin and see what is attached and connecting to your users that you may not have thought of. Most people remember Google analytics but might forget that if the website was built on Wix then there will probably be four or more third party servers attached to every person who visits the site.
This was an interesting one for TPS. It isn’t connected to any third party servers but the server is hosted by Linode so they can track all the connections to the server. The server is run by Runcloud so they could have access to the data. It uses Wordfence for security so that will have access to the connections and WP Statistics to view information about visits to the site. Plus emails are sent through Mailgun so they will have access to the email addresses. It also pointed out how much work is left to be done to truly care for customers data on the site. Eventually it will need its own hardware, email server, and secure web server.
Certain service providers that we use to operate our website may also gain access to your personal data.
What steps does the company take to keep personal data secure?
You need to declare how you secure peoples data and this doesn’t just mean encrypting data on the site or hashing IP addresses but also who can read the data. Just employees or is it being broadcast publicly. Do you use a web developer? Will they have access to your customer data and do you have a policy covering that access. If the data is passed on to a third party will it be anonymised? Is the data deleted when a customer leaves? Your data protection strategies have to be explained to the user so they can have confidence, or lack of it, when using the site.
The policy must also describe the users rights regarding personal data (rectification, erasure, restriction, objection, transfer, etc.) including company contact information for data questions.
For instance, TPS has a policy of requesting users use fake names and fake email addresses. It also hashes the IP addresses of users so they can’t be read in WP Statistics and deletes orders and the server logs each month.
Providing your personal data is optional. If you choose not to enter true information, we may be unable to provide some services, such as sending emails.
We will delete your personal data when it is no longer reasonably required. You may request a copy of your personal data and we will correct any errors identified by you. You may also restrict our processing of your personal data. All such requests, or any questions or comments regarding this policy or our handling of your personal data, should be addressed to our contact page.
Consent
Finally the user has to consent to have their data collected and it needs to be in plain language. Everybody will have run across websites asking for consent to use cookies so if you use cookies you need to ask for consent. There are a number of different methods of doing this. WP Statistics has a simple accept/deny pop up that covers itself.
This website stores some user agent data. These data are used to provide a more personalized experience and to track your whereabouts around our website in compliance with the European General Data Protection Regulation. If you decide to opt-out of any future tracking, a cookie will be set up in your browser to remember this choice for one year. I Agree, Deny.
Google recommends something more like,
Can we use your data to tailor ads for you? Our partners will collect data and use cookies for ad personalisation and measurement. Learn how [site name] and our 10 partners collect and use data. Yes/No.
What ever the language used it needs to provide informed consent to the user and there needs to be a record of that consent. Just continuing to browse does not imply consent.
Conclusion
The GDRP has been portrayed in the media as something to be worried about. It isn’t as all it does is clarify what we should all be doing anyway. Taking care of users data and explaining to them what is done with it. It does worry the advertising industry though as they have largely been able to do what they wanted with user data in the past. Currently they are running around trying to cover themselves and find loopholes in the law with tactics such as industry wide consents (one click and you let them all in) and cookie-less tracking solutions. Hopefully this will fail.