New Website - Privacy Policy & GDPR - Help!

CoffeeBreak

Free Member
Aug 8, 2023
8
0
Hi Everyone,

I have just had a Wordpress website put together and I need some advice on how to finish it correctly so it is compliant.

I need some help with the Privacy Policy and the GDPR compliance.

It is a simple site, but it does have 2 sign ups on it - one for a newsletter and one for more information. The one for more information has a tick box consenting to being sent this information. The one for newsletter sign up goes to a third party which can also easily handle the opt ins / unsubscribes.

As a total newb here, are there any templates / tools I can use (preferably free) that will help me get my site finished with a Privacy Policy and I presume a cookie pop up type thing.

Many thanks in advance for any help! I really need to get this finished and want to make sure I've done it properly ☺️
 

fisicx

Moderator
Sep 12, 2006
46,668
8
15,360
Aldershot
www.aerin.co.uk
Ask the people who built the site to install a cookie plugin.

If you Google for privacy policies there are loads of templates you can download for free.

You will need to tailor both the above to align with your new site.

I would advise binning the newsletter. And the more info should be on the live site. Unless you are collecting email addresses. If so there are a whole different set of rules you need to consider as you will now be a data controller with a bunch of additional responsibilities.
 

CoffeeBreak

Free Member
Ask the people who built the site to install a cookie plugin.

If you Google for privacy policies there are loads of templates you can download for free.

You will need to tailor both the above to align with your new site.

I would advise binning the newsletter. And the more info should be on the live site. Unless you are collecting email addresses. If so there are a whole different set of rules you need to consider as you will now be a data controller with a bunch of additional responsibilities.
Hi, thank you for your reply.

However, we won't be binning our newsletter.

Also, our web developer is not akin with cookies because they're not based in the EU. So I'd love some examples of cookie plugins / recommendations? Not all plugins are created equal - I know that much.
 

fisicx

Moderator
You just need to install different plugins until you find one you like.

I’ve never bothered with cookies. The only ones I set manage login and are essential.

Without knowing what cookies you set it’s not easy to suggest which plugin will be best for you.
 

CoffeeBreak

Free Member
You just need to install different plugins until you find one you like.

I’ve never bothered with cookies. The only ones I set manage login and are essential.

Without knowing what cookies you set it’s not easy to suggest which plugin will be best for you.

Thank you. I have read about a couple of plugins which say they detect any cookies for you and format accordingly. I'm just finding it a bit of a minefield to make sure I do it correctly.

In regards to the Privacy Policies, I'm wading through google ads and all sorts to try and find something of substance. They might all be okay, but it's knowing what to trust is up to date and relevant in the EU.
 

fisicx

Moderator
… but it's knowing what to trust is up to date and relevant in the EU.
You are overthinking it. Keep it very simple. Just have an option to accept or reject cookies. EU legislation doesn’t apply if you are trading from the UK.

What sort of site are you having built?
 

fisicx

Moderator
Thank you - perhaps I am overthinking a bit.
The site is for worldwide interest so includes those in the EU.
Yes but it’s a UK based site so you only need to comply with UK legislation.

And even then (depending on how your site is configured) may only need a very light touch.

As an example, I have clients all over the world and never had a need for a cookie policy and my privacy policy is two paragraphs.
 
The ICO is the UK's regulatory body for data protection. There are rules applying to cookie usage in force in the UK.


UK data protection is covered by the Data Protection Act 2018

 

fisicx

Moderator
Are you saying that US-based sites, e.g. Facebook or Twitter, only need to comply with US legislation?
Slightly different. They have location based services so need to comply locally. There were a whole lot of court cases where they argued against it and lost, and it is still ongoing with regard to data location and privacy.

In @CoffeeBreak's case they are a UK entity operating wholly in the UK but who have overseas customers.
 

antropy

Business Member
Aug 2, 2010
5,313
1,099
West Sussex, UK
www.antropy.co.uk
Controversial perhaps, but with the UK considering scrapping all the cookie nonsense, and very few companies ever getting into any trouble, I'd consider not bothering with a cookie popup.

Note this isn't legal advice, and I accept no responsibility if you do get in trouble.

Paul.
     

fisicx

Moderator
What's a location based service?
One where the services are location dependent.

This is not the same as providing worldwide services.

There are lots of legal actions around this. Too complicated to summarise here.

But the difference is how you conduct your business.

A business operating in the UK jurisdiction only needs to comply with UK law. If your customer is overseas then they need to be told this. You don’t need to comply with their local cookie laws.

But as @antropy suggested, it’s not something to worry about. You won’t get fined or go to jail. There are multiple steps the ICO needs to go through before that happens if it ever does.
     

ctrlbrk

Free Member
May 13, 2021
990
391
A business operating in the UK jurisdiction only needs to comply with UK law. If your customer is overseas then they need to be told this. You don’t need to comply with their local cookie laws.
Thanks. I'm interested to understand the difference between what you said in this quote above my text and a business that operates also in other jurisdictions.

How do you differentiate between the two?

@CoffeeBreak said
The site is for worldwide interest so includes those in the EU.

So what makes a site UK-based and what doesn't?
     

fisicx

Moderator
Thanks. I'm interested to understand the difference between what you said in this quote above my text and a business that operates also in other jurisdictions.

How do you differentiate between the two?
As far as I can tell it’s about where the data is stored. There used to be this safe harbour agreement but that got junked and big tech now has to store your data locally. This is where local privacy laws apply.

But if you just have a contact form on your UK based site all that data is stored locally so UK laws apply. Unless you use cloud storage in which case there are additional procedures you need to apply as the data controller.

It’s a huge complicated legal minefield that legislation hasn’t caught up with yet and those discussing changes to the law are often still years behind where tech is heading.

Just today I was reading about AI powered computers where all your data is analysed somewhere to improve your experience. Which means there is no privacy and zero legislation to control what the manufacturers are doing with your data.
     

ctrlbrk

Free Member
As far as I can tell it’s about where the data is stored. There used to be this safe harbour agreement but that got junked and big tech now has to store your data locally. This is where local privacy laws apply.

But if you just have a contact form on your UK based site all that data is stored locally so UK laws apply. Unless you use cloud storage in which case there are additional procedures you need to apply as the data controller.
This is why I find it confusing - say that @CoffeeBreak has only one website's server and it is hosted in the UK. One would imagine that backups are performed. In this day and age you don't perform local backups, you use the cloud. AWS, Azure, Google, etc. But once you say "cloud" you don't know where the data goes.
     

fisicx

Moderator
Yes. But that’s the responsibility of the data controller - to ensure the storage complies.

The actual data is collected in the UK and managed in the UK so the UK data privacy laws apply.

But as I said, it is very complicated and easy to get confused. @CoffeeBreak just needs to ask the ICO for clarification or do as most people do and keep it simple.
     