U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.
But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined broadly) as belonging to the person identified by the data, or “data subject.” The company collecting the data has a limited license to use that data in legitimate ways – as described in one article, a company can only use the data in ways that “wouldn’t surprise them or make them uncomfortable.”
It is unsurprising, then, that under the GDPR, the specific concepts of fair notice and consent are also more robust than in the U.S. This post will give an overview of the notice requirements under the GDPR, and a future post will explore the consent requirements.
Use of personal data under the GDPR must be “fair and lawful” – in other words, individuals must receive clear and transparent notice of both (1) the ways in which, and (2) the purposes for which their data will be used.
Transparency is key to giving effective notice under the GDPR. To be transparent, the notice must:
- Be concise, intelligible and easily accessible
- Use clear and plain language
- Be in writing or other accepted means
- Be provided free of charge
Seems simple, right? In practice, it involves careful assessment and consideration.
Lawyers often like to think their language is concise and intelligent; however, in the context of the GDPR, this translates to communicating succinctly to avoid information fatigue. When presented online, the notice should be easy to find on the website, easily navigable within the privacy policy, and easy to see on the page. And users should be directed to the relevant information, for example, by using natural language FAQs or an interactive interface such as pop-ups or a chat function. To show that the information is intelligible, a company can even engage a user panel to gauge how understandable the information is to the actual audience reading it.
Clear and plain language means using concrete wording and simple sentence structures. It also means giving detailed explanations rather than vague descriptions of how data is used – going beyond a generic purpose for using the data (examples of generic purposes are “developing new services” and “offering personalized services”; they are generic because they do not describe what the services are, how the data will be used to develop them, what the personalization involves, etc.).
The “in writing” requirement is easy, but what are the “other means”? These means can include a privacy statement on a website, pop-up notices, hover notices, videos, voice alerts, infographics, flowcharts, or even oral communication when requested by the user. And free means free: the notice cannot require payment or condition consent on the purchase of products or services.
But wait, there’s more… In addition to meeting the transparency criteria outlined above, there are specific content requirements, including the following:
- Identity and contact information of the company collecting the data
- The purpose and legal basis for processing the data (processing essentially means any use of the data)
- The recipients of the information
- Details of any transfers of the information to another country outside of the E.U.
- The storage period, i.e., how long the data will be retained
- The individual’s rights to the data (access, rectification, erasure, restriction on processing, objection to processing, portability)
- How consent to process information can be withdrawn
- What information, if any, is required to be provided, and what happens if that information is not provided
- Whether the data will be profiled or automatically processed
For more information, you can read the Data Protection Working Party Guidelines on Transparency under Regulation 2016/679. If you have a shorter attention span, suffice it to say that it is much harder to give effective notice under the GDPR than under most U.S. privacy laws. And if your company processes the personal data of individuals within the E.U. – whether they are your customers, your clients’ customers, or your own employees – you have until May 25 to get on top of the notice and other requirements of the GDPR.