Why Do I Need A Privacy Statement?

Last updated on

Do you use personal data?

Undoubtedly, you utilize personal data; otherwise, you wouldn’t be delving into this book. If your organization handles personal data for marketing, accounting, HR, or any other purposes, having a privacy policy is essential.

The conventional approach to data protection and informational self-determination suggests that genuine control over one’s data is only achievable when individuals are informed about how their data will be utilized.

In its text, GDPR establishes one of its primary rules in Article 5, following the clarification of the law’s scope and various definitions (, 2016):

  1. Personal data must be:

(a) processed lawfully, fairly, and transparently concerning the data subject (‘lawfulness, fairness, and transparency’).

This very stipulation underscores the necessity for a privacy statement.

Companies, especially when acting as data controllers, bear the responsibility of being transparent about their data practices, necessitating the presence of a privacy statement. This obligation is explicitly outlined in Article 24(2) of the GDPR (, 2016).

This article delves into the realm of automated individual decision-making, which includes profiling. It pertains not only to profiling for marketing purposes, such as automated ad selection, but also to profiling that could significantly impact individuals.

According to Article 24(2), such profiling activities can only be deemed compliant if they adhere to an appropriate data protection policy, which encompasses a privacy statement (, 2016).

Regardless, a privacy statement holds immense importance. GDPR allocates two articles to outline the specific information that must be included in your privacy policy: Article 13 delineates the requirements for scenarios where data is collected directly from consumers, while Article 14 addresses those instances where data is collected indirectly (, 2016).

Who Will Read Your Privacy Statement?

In the realm of food labeling, I, as a customer, often find myself scrutinizing ingredient lists. Have you ever pondered who might be reading your privacy statement?

Customers and potential clients stand out as primary stakeholders with a vested interest in understanding how their data is handled once it enters your possession. Additionally, privacy advocates and consumer protection organizations may thoroughly examine your privacy statement.

Authors and academic researchers specializing in data protection view your privacy statement as a valuable resource, providing insights into how companies utilize personal data. Moreover, regulators, judges, and legal experts involved in cases concerning your company are keenly interested in your privacy notice.

Your corporate reputation is intricately tied to the language of your privacy statement. Both business-to-business and business-to-consumer customers place significant emphasis on your approach to privacy.

Business partners and suppliers frequently conduct formal reviews of your company’s compliance with data protection regulations, often inquiring about your privacy statement as part of their due diligence process.

Regardless of the audience, this review serves as another significant interaction point for various stakeholders, including revenue-generating entities such as customers and partners.

It’s crucial to leave a positive impression of your privacy practices, and your privacy statement might be the first opportunity to do so. As articulated by the ICO, a well-crafted privacy statement “helps build trust, avoids confusion, and sets clear expectations” (ICO, 2023).

How Long Should My Privacy Statement Be?

GDPR requires you to craft a privacy statement that sufficiently explains the collection, use, and storage of data, ensuring transparency. However, it also mandates conciseness, as stipulated in Article 12(1) of GDPR (, 2016). Initially, these two directives may appear contradictory, but EU regulators offer clarifications in their transparency guidelines (Art 29 WP, 2018).

While the aim of a privacy statement is to empower consumers with necessary information for decision-making regarding their personal data, regulators acknowledge the concept of “information fatigue” or “information overload.” This theory posits that humans have a limited capacity to process information.

When inundated with excessive information, individuals tend to either disregard it altogether or make irrational decisions to cope with the psychological burden (Simmel, 1950; Milgram, 1969).

To address this, two strategies emerge, both capable of providing requisite details while mitigating information overload.

Have A Clear Structure

Prior to drafting a privacy notice, compile a comprehensive list of the essential information it must contain. Consider the most effective way to present this information to your customers and other individuals whose data you process in a logical and user-friendly manner.

To achieve this, it can be beneficial to review the privacy statements of prominent consumer brands and governmental organizations. Analyze how these statements are organized and structured, as they are often crafted by experienced in-house legal teams or specialized law firms with expertise in data protection.

Studying exemplary privacy statements can provide valuable insights into what constitutes a well-crafted privacy notice and help you create a similar standard for your organization.

In addition to studying the privacy statements of major consumer brands and governmental organizations, consider examining the privacy policies of your competitors and business partners within your industry.

Consult with your organization’s privacy expert to identify competitors known for their strong data protection practices, or utilize your existing knowledge of industry leaders. Analyze the structure and content of their privacy notices for insights.

Alternatively, you can streamline the process by adopting the structure of established templates such as the ICO’s privacy policy template.

Regardless of the approach you take, prioritize enhancing the readability of your privacy statement by ensuring it follows a clear and logical structure.

Prepare Privacy Notices In Layers

An alternative approach, supported by regulators, is known as the layered approach (Art 29 WP, 2018).

If your privacy notice is going to be online, you can enhance its interactivity by incorporating links. This allows users to click for additional information when desired, or to stick with the concise summary provided at the first level, much like navigating through an online encyclopedia.

By doing this, the main points are streamlined, offering readers a clear overview at the initial layer of the statement.

Regulators suggest that the following details should be readily accessible in the first layers of the privacy notice (Art 29 WP, 2018, p 19, para 36):

  • Purposes of processing
  • Identity of the data controller
  • Description of data subjects’ rights
  • Information on processing that significantly affects data subjects
  • Details on processing that may come as a surprise to them.

When Do I Have To Present The Privacy Statement?

Consumers should be promptly informed about the purpose of data collection, especially regarding marketing intentions.

When gathering data directly from customers, it’s imperative to present the privacy notice at the point of data collection (refer to Article 13(1) GDPR;, 2016).

In cases where data is obtained through licensing from other entities, such as public sources or marketing data providers, Article 14(3)a and b dictate the provision of privacy information as follows (, 2016):

  • Within a reasonable timeframe after acquiring the personal data, but no later than one month, considering the specific processing circumstances.
  • If the personal data are intended for communication with the data subject, the information must be provided at the time of first communication with that individual.
  • If disclosing the data to another party is anticipated, the privacy details should be provided at the time of initial disclosure.

To summarize, for licensed data excluding contact details, the privacy notice must be conveyed within one month.

However, when utilizing contact information such as names, phone numbers, emails, and addresses, the privacy statement must be communicated upon sending the first commercial message.

In practice, companies often include a link to the privacy statement in email messages or print the link on direct mail pieces to meet this requirement.

Original news from SearchEngineJournal