This guide was written in plain language, aimed at regular everyday readers. No fancy legalese, so dive in and enjoy the read.
It won’t give you all the answers but will show you why a company processes personal data, what they process, and with whom they share it.
The General Data Protection Regulation (GDPR) of the EU, on the other hand, does not explicitly require one. Still, it requires businesses to provide users with information on their data operations under the transparency and accountability principles.
Unlike the CCPA, it is not explicit about the information that users should provide. Still, it is sprinkled with many requirements regarding the information a business must deliver to users about transparency and accountability.
Related: GDPR fines list
You have to tell your users who you are—no need to get into too much detail or write too much prose. Providing your business name, address, and state or country of incorporation would be enough.
If you run a business or a simple blog as an individual, your name and location or email address would be enough.
Related guide: Data subjects’ rights under GDPR
Categories of personal data can be a person’s name, alias, home address, email address, ZIP code, phone number, ID number, passport number, Social Security Number, etc.
Personal data under the GDPR also includes health data, information about private life, IP address, political views, religious views, or any other information that could be directly or indirectly linked to an individual. Therefore, anything can be a category of personal data as long as it can by itself or in combination with other data identify a person.
Here you should describe the methods of data processing. In most cases, either:
Transparency under the GDPR means you must disclose to users why you need their data processed. Purposes of processing may include:
You likely use third-party tools to collect and process data, such as Google Analytics, Facebook Pixel, Hotjar, Mailchimp, and others. To process your users’ data with these tools, you must disclose that personal data to them.
GDPR calls users data subjects. When you collect the personal data of a user, they become your data subject.
Data controllers, the business that collects data and has it processed on their behalf, owe data subjects certain rights. These rights include the right to be informed of the processing, the right to have data deleted, objection to processing, and so on.
If you must comply with multiple data protection laws at once, then you have to list all the rights that each statute grants to data subjects.
For example, compliance with the CCPA requires providing information on the sales of personal information. It is unique for the CCPA and is not required by the GDPR, LGPD, PIPEDA, or other laws.
So, if you need to comply with the CCPA and all other elements, you need to add those specific to this law.
Related guide: CCPA Compliance
In most cases, providing an email address would be enough. Some businesses may also offer a contact form, a phone number, or any other means for exercising these rights.
Data transfers to third countries are arguably the trickiest issue for businesses that must comply with the GDPR. Transfers within the Union and to adequate countries are free, but any other transfer requires additional transfer tools and possibly protection measures.
No matter how and where you handle personal data, users have the right to know whether it is transferred to third countries and, if so, where it is being sent.
If you knowingly collect and process children’s data, that must be included in this document.
If you have a Data Protection Officer or legal representative in the EU, their name and contact information go here. Otherwise, any means of contact with you would be enough to include in this section.
We assume that you never bother reading privacy policies and always accept cookies.
Companies that are serious about GDPR compliance and compliance with any other data protection law have comprehensive privacy policies.
Such websites are rare, though. Most online businesses collect lots of data, including data they are unaware they collect and process.
If you notice a bunch of social media widgets on a website, that’s usually a sign of data collection.
If you are not sure what the website you visit does about your personal information, scan it for free on WebCookies.org and get the answers you need.
The scan report will also tell you with whom they share your data. An online business can’t do everything alone, so they outsource many processes to third parties, i.e., SAAS companies who manage some operations on their behalf.
In many cases, outsourcing involves sharing of users’ data. For example, sharing the IP address with Google Analytics, email addresses with Mailchimp, and so on.
It is written in plain language, is easy to navigate, and easy to understand. It signals that the company wants to be transparent with the users.
The section on data processing purposes unveils the motives behind personal data processing. Businesses must tell users what makes them want to collect and process data.
The most common purposes for data processing include, but are not limited to:
Provide you with products or services. They sell something, and you must provide your data, such as personal name, email address, home address, postal code, or other data they need to deliver the product or service. The execution of a contract is a lawful basis for data processing under the GDPR and doesn’t require additional consent.
Marketing/Advertising Purposes. When a business collects and processes personal data for marketing purposes, they target customers based on the data they share with third-party services.
Examples of such services are social networks. They all provide advertisers with tracking pixels. These pixels track the web pages you visit online, match that activity with the data you have shared with them through your social media profile, and serve your profile as a potential buyer to the business.
Using cookies or a pixel that could match you with more data points is part of the processing data for marketing purposes because the information is used for marketing products and services.
Analytics purposes. Virtually every website on the internet uses some analytics tool, such as Google Analytics, Plausible, Mixpanel, and others. Some of them collect personal data; others do not.
Check out which analytics tool they share data within the section where they disclose the third-party tools they use.
Preferences. Businesses may collect your personal information to adjust the website to your preferences and improve your user experience. This may include accessibility adjustments, language, and others.
These are usually useful cookies that make the user’s life easier, but they collect personal data anyway, so consent is required before using them.
These are the most common processing purposes but not the only ones. Different business activities lead to additional processing purposes, so it is impossible to include them here. However, most of them belong to these categories.
Shopify, for example, uses more descriptive language to describe its purposes.
Instead of analytics, they say “providing reporting and analytics” and “testing out features and additional services.”
Instead of executing a contract, they say “answering questions or providing other types of support” (which is part of the execution of an agreement).
Marketing purposes include “assisting with marketing, advertising, and other communications.”
Having read this, you can understand that they monitor the usage of their website because, like many other large companies, they take user experience seriously and don’t hesitate to use personal data to figure out what a specific user wants from the website.
Also, you could understand that they use tracking tools to serve you with ads with tailored messages that are likely to interest you.
Finally, they have a purpose that serves their legitimate interest (fraud prevention) and some specific to their business (help merchants find and use apps in the app store).
The next you should check out is what the business needs to fulfill these processing purposes.
Fulfilling each purpose requires the processing of a certain category of personal data. So, now you need to see how data processing types relate to the purposes.
If the business collects your email address to send you a newsletter, then such a category of data relates to the purpose. Without the email address, the business could not ship you the newsletter.
If an app requires access to your photos on your smartphone to provide you with image editing services, then that is adequate for processing. But, if they request your geolocation data to provide you with an app to add filter photos, this is an obvious red flag. That app doesn’t need to know where you are at any given moment. They may use the data for something else or sell it for money.
See how Shopify solves the transparency requirement in relation to categories of data:
This table explains what categories of personal data they collect and how they use it.
Some businesses are not as transparent as Shopify, but it doesn’t mean they are not compliant. If you doubt their privacy practices, you can submit a data subject request and have your questions answered.
GDPR forbids businesses from exporting personal data to countries where data protection is below the EU protection levels unless they have a lawful basis for doing so or eventually implementing additional data security measures.
However, you can understand whether the data is being transferred outside of the European Union or not by having a look at the third parties to whom they disclose information.
This image shows some of the third parties they use for data processing. Many of them (and all of those on the image) are headquartered in the United States, making them subject to the US laws and may mean that the data is being transferred to the US. That makes things tricky regarding the GDPR because such transfer requires supplementary protective measures.
GDPR allows businesses to process data only if they have a lawful basis. The lawful basis listed in Article 6 of the GDPR includes:
The two most common lawful bases are the explicit consent and the execution (performing) of a contract.
Businesses usually obtain consent by using a cookie banner that appears on arrival allowing the user to accept or refuse the cookies by clicking on a button.
You need to ensure that:
Let’s imagine that an online business has collected your email address to deliver a pdf on a subject that interests you. You gave them your email; they sent you the PDF. They also asked if they could send you their weekly newsletter with marketing offers. You ticked the checkbox.
Now they have your email address. You have the PDF and their marketing materials.
They collected and processed your data for executing a contract (sending the pdf) and marketing purposes (mailing the promo newsletter). They do not use the email address for anything else. They use Mailerlite, which is a Lithuanian company with servers in the EU.
This means they have a good purpose for processing the email address, have a lawful basis for doing so, and do not transfer data outside of Europe. That’s compliant with the GDPR and nice privacy practice.
If they upload your email address on the Facebook Lookalike Audience tool and transfer your data to the US… well, that would violate the GDPR and many other similar data protection laws.
If you sign up for Shopify, they will monitor your behavior with Hotjar to see how you use the website and make improvements when they gather enough information about that. They have a useful purpose, a third-party tool to execute on purpose and collect information on your behavior – that is all aligned and a valid privacy practice as long as they obtain your consent for collecting personal information.
If you cannot determine yourself, reach out to a professional.