Sure enough, there’s no such thing as a GDPR patrol but lately, concerns about the whole privacy policy thing have been growing just like this angst in the middle of a Pink Floyd song. These days, a letter from some respectable online newspaper or your favorite mobile application containing a request to agree to getting newsletters or a privacy policy update notice does not come as a surprise. While non-lawyers keep wondering why they started getting loads of spam lately, lawyers keep looking for bugs in freshly produced privacy policies. They perform GDPR compliance checks and tease those who have not passed their own internal checks. This mockery gives way to throes of creating when a lawyer actually gets a task to draft a privacy policy for a client. Here, we offer some reflections on our experience.  


Escaping from the GDPR patrol

Numerous Ukraine-based companies offer their goods and services to the EU-based users or, more importantly, they monitor their users’ online behavior within their corporate marketing models. Consequently, obtaining a consent to data processing and communicating data processing terms and conditions using privacy policies has become an important GDPR compliance indicator for these Ukrainian companies. It is important since users and controlling authorities can easily identify it. In addition, the procedures of informing users and getting them agree to data processing are exactly what you have to check and bring in line with the GDPR.

How to produce a good privacy policy

There is this fantastic word in modern English ‘gobbledygook’, which means a language full of complicated and unintelligible words that make it hard to understand. When it comes to informing on personal data use, lawyers should avoid gobbledygook unless they fancy the idea of getting penalties. Therefore, make sure that the document you’ve produced does not look like gobbledygook and make someone read it to check whether or not your reader falls asleep while going through it. You may as well use some tricks that will make your reader smile:-)


This guy is reading a smart privacy policy

The other day, a guy who works for one of the biggest corporations in Ukraine (according to Forbes) told me that one of the Germany-based companies that belonged within the corporate structure, had received a notice requiring to revise their privacy policy and terms and conditions since those available on their corporate website are way too long and are full of meaningless information.

This story is a great example of how approaches to drafting legal papers for users and consumers are changing because of the GDPR. Just to be clear, all the strictest rules contained in the GDPR were taken from the German personal data protection laws. While drafting my legal papers, I try to use refined legal language. So, getting a notice like that would totally freak me out and make me ask myself existential questions like what’s the use of being a lawyer when one of my best legal texts turned out to be a failure. However, now I am coming to believe that leaving this gobbledygook thing behind creates perfect conditions for professional growth and legal writing skills upgrade.

Although the lawyers who produced the GDPR actually failed to avoid gobbledygook, this directive explicitly states that any information contained in a privacy policy should be concise, transparent, easily accessible and intelligible. That is, it should be written in clear and plain language.

In addition, the GDPR encourages data processing rules visualizing, which means you can make your privacy policy available in a form of a video of a comic strip. It is going to be a little bit more expensive yet awesome solution.

Right before I started to write this text, I had read the article about this year’s Pulitzer Prize winners in Editorial Cartooning for telling the stories of Syrian refugees in the USA during Trump’s presidency. I was not aware that one can win a Pulitzer Prize for something like that. Sure thing, making a graphic narrative about refugees seems to be easier than producing graphics for something like “This privacy policy constitutes an integral part of an agreement between the parties; by ticking ‘Agree’, you accept the terms and conditions of this Privacy Policy.” However, you can do it using visualizing and language (even if it is with a touch of legal language).

To make this visualizing thing work, you will have to hire designers, artists, and cameramen. If you do not go for this and hire only a lawyer, you should think how to make this fossilized legal language simple and readable. Our team has already worked out privacy policies in compliance with the GDPR for our clients. From our own experience, reducing the word count is not an easy task. First of all, you want to include every single requirement contained in Article 13 and other articles of the GDPR. Second of all, making a document intelligible means rewriting it in plain language, which does not necessarily mean making it shorter. And finally, taming this legal snobbery takes much effort as well. I mean, sometimes it seems that cutting down on red tape will make a paperless valuable in your fellow lawyers’ and clients’ opinion.

To make a privacy policy less boring, we use examples and comparisons. The other day, I included this paragraph about cookies and behavioral targeting in a privacy policy I was drafting: “Cookies as well allow us to use the information collected using these cookies to show you the advertising. How does it work? For example, it is quite possible that today you are going to see some office chair advertising on our website, even if you don’t remember you were actually looking for a comfy office chair a week ago. Cookies are small pieces of a code that installed on your computer when you were searching for a chair, remembered this information and directed it to a server when you visited our website; and this website showed the advertising that fits with your needs.

Therefore, leaving complex definitions behind and using comparisons is a great tool for a lawyer who wants the text to be easily readable and cause no troubles for the customer.

Privacy policy is not must-have

Actually, this crossline is kind of manipulative. But still, it is not misleading. Actually, the GDPR does not require drafting and making available any document referred to as a privacy policy. You can comply with the requirement to inform your users on how their data is being used not only by making available some PDF document containing some clauses your lawyers worked so hard on. For example, if users provide their information in any form, you can use pop-up windows containing information on why certain kinds of personal data are collected and how they will be used. Users can read the rules tickle ‘Agree’ while they are typing their information. This way, you will not scare them off by offering to follow the link and read your endless privacy policy.


Don’t overuse pop-up windows

I am not going to give any special focus to types the information the GDPR requires to include in a privacy policy. Article 31 makes it clear that you should include the following information: data controller details; legal grounds for data processing (e.g., the consent); rights of data providers (right to access the data, right to cancel the consent to processing, right to file a complaint with a controlling authority at any time, right to get the data in any form that allows  to use it on other online platforms and services (the right to data portability), etc.

Let us focus on the three of those:

Tell what you collect and what for

You should do some research on what kind of data the service is collecting and what for. After that, you have to ask yourself whether you need the complete list of the data collected for your service to work properly, or maybe some data is being collected mechanically and is not actually required to provide services and perform properly. The thing is, the GDPR requires to avoid collecting any unnecessary data. This means that if BlaBlaCar is processing some data about its users’ age and sex, it is quite clear that the company needs to inform its users about people they can share a ride with. If a pizza-delivery service requires such information, the question is, why would they actually need it.

We should as well give our special focus to cookie files, i.e. pieces of a certain code installed on a user’s PC or mobile device when a user goes to this or that website that collects information about a user and passes it to numerous recipients on the Internet. While the 1995 Directive did not even mention cookies, the GDPR, in clause 30 of its preamble, expressly indicates cookies as information that together with other information can help identify a person, and that’s why they can contain personal data.

You can no longer steak to “by using this website you agree that cookies are installed on your device.” Wordings like that no longer serve as legal grounds for using cookies. Therefore, you have an obligation to notify your users about cookies and before using them, you should a get every user explicitly agree to cookies’ installation.

In this case, you’d better tell your users in plain language which cookies you collect on your website and what for, explain that the website does not work without certain cookies, and point out those cookies you collect for advertising or statistical purposes. Every user is able to choose the purpose he or she agrees or does not agree to use cookies. I am going to use our chair example once again. Let us say, a user does not want to see any targeted chair ads. However, this user does not want to log in every time he or she has closed the webpage by accident or on purpose. Different types of cookie files are used to enable different features; a user is entitled to refuse from or agree to use this or that cookies. That’s how the GDPR has it.


We use cookies

The purpose of processing

The requirement to define the purpose of data processing is not anything new. The 1995 Data Protection Directive and even the Ukrainian data protection law (Article 12) put the purpose of processing at the heart of clauses that define the rights and obligations of personal data providers, controllers, and processors.

The GDPR provides some additional options for users whose data is being collected. Most importantly,  users may refuse from this or that purpose without compromising any other purposes of data collection and processing. Here is how it works. If a user has not agreed to data collection for marketing purposes, a service provider may not refuse to deliver the services that were supposed to be rendered in the first place based on data collection. This means that it is prohibited to link the purposes of data collection and create conditions where whether this or that service is going to be provided depends on whether a user has agreed to data processing for this or that particular purpose.

Data recipients

A controller who collects the data and defines purposes and means of processing has an obligation to provide a person who provides his or her data with a list of data recipients or categories of data recipients.

Let us say, a Delaware corporation is a data controller bound by the GDPR. This means that the company has an obligation to inform its customers that their data is being stored on Amazon Web Services servers, that the company uses the relevant CRM system and Chargify to process payments, and that all data is being transferred to Ukraine, where a number of independent contractors get access to such data.  The question is, is it necessary to provide the list of all independent contractors and update this list from time to time?

It seems that a notion of data recipient categories has to do with controller’s employees in the first place since they can access the data while performing their job duties. However, if you point out that a number of Ukraine-based independent contractors have data access under processing agreements that provide data protection, this will do to comply with the GDPR requirements. At least until there will be some clarification statement that will prescribe otherwise.


You’re not required to give a list of all your independent contractors (for now)


If a consent is used as grounds for data processing (more often than not, this is exactly the case), this consent should be explicit and represent an action indicating that a user has given his or her consent. In addition, it should enable the data recipient to provide evidence certifying that the recipient actually obtained the user’s consent. From now on, the popular wording ‘by using the service, you agree to its term and conditions’ is actually out of the law.

Every user has to tick ‘I agree to data processing terms and conditions’. In addition, if your client is going to use this data to reach out to customers with commercial offers or newsletters, it’s better that users agree to things like that. Be aware that it is necessary to inform the users that they can refuse from being reached out to with offers, newsletters, etc.

Another pressing issue for data controller companies is the requirement to get current users agree to data processing once more. The GDPR states that if the terms and conditions of a previous consent comply with the GDPR, there’s no need for another consent. However, when well-known online periodicals and services ask me to renew my consent, I am starting to get this feeling that there are not so many forward-thinking companies that managed to update their policies in accordance with the GDPR. So, lots of companies will actually need to ask their users to tick ‘Agree’ once more.


Holy cow, here’s another request to tick ‘Agree’

So, when drafting a privacy policy that will comply with the GDPR, lawyers should follow these rules:

  • Say ‘No’ to fossilized legalese and gobbledygook;
  • Say ‘Yes’ to plain language and examples. Show the users how exactly their data is being collected and used;
  • Make sure that users are free to choose whether or not they agree to certain kinds of data processing;
  • Make sure that all information contained in Articles 13 and 14 of the GDPR have been communicated to all users.

Sure thing, the GDPR offers a lot more food for thought, but this minimum of requirements is enough to puzzle out privacy policy/notice issues and start dealing with them.