How To Write Your Privacy Notice To Win Customers & Influence People

Published on Aug 09, 2021

Marketers will often speak of the four most important pages on a website as being the home, about, blog, and contact pages. According to this article by Neil Patel in Hubspot, these are the core pages that drive the most conversions, and therefore deserve the most attention from an SEO (search engine optimisation) perspective.

Include service or product pages, and you have the who, what, when, where, why, and how of your brand's proposition thoughtfully constructed in a broad and comprehensive digital footprint. All you need now are visitors to come along to consume your highly optimised content and then convert. However, what if something important is still missing?

A Privacy Notice Is More Than a Legal Disclaimer

If you really want to earn customer confidence, you need to go beyond traditional selling tactics. One way to achieve this is to let website visitors know exactly what's going on under the hood. Be transparent about your processing methods and practices by clearly explaining to visitors what you do with their data in order to build genuine trust.

As part of a value exchange, it's common to use consent, contractual and legal purposes. Businesses can also use legitimate interest or performing a public task as their lawful basis for data processing. There is also vital interest, but this should only ever be used in an emergency. Nevertheless, always remember personal data is a precious commodity. It's only natural that the data subject will want to know that their personal information will be well looked after and want reassurances about how it will be used.

It's worth pointing out that a growing number of consumers are aware of the risks surrounding their privacy. The newly published 2021 Annual Tracking Research from the UK Information Commissioner's Office (ICO) found in a survey of 2000 people that 77% say protecting their personal information is essential. Another global Consumer Privacy Survey from Cisco in 2020 identified 48% of respondents do not feel they can adequately protect their data.

When asked why not, 79% said that they couldn't figure out what companies are doing with their data, while 51% said they have to accept data terms to use the service. The survey also revealed 29% indicated themselves as privacy actives who care about their data and are willing to act to protect it. If these figures aren't compelling enough, bear in mind only 3% of UK consumers view our data protection and privacy laws negatively.

While privacy notices have been standard for many years, their value in today's online customer journey is overlooked. Instead, organisations use them as a means to legitimise their data processing practices rather than educating or explaining. They're documents drafted by lawyers for lawyers that pay lip service to the interests of actual data subjects. It's no wonder consumers rarely spend any time reviewing them.

It is precisely for these reasons that there is a competitive advantage to being transparent about how you collect and process personal data. While your competitors are stuck in a regulatory mindset from another time, you can take advantage of one of the many benefits available at the point where website navigation and user interface design facilitate GDPR compliance.

Privacy Notices And The GDPR

Privacy notices are external documents that explain what you do with any personal data that you hold about an individual and why. The UK general data protection regulation (GDPR) contains precise instructions about what should be included and how they must be written. The main objective is to be transparent; this is outlined in the first GDPR principle under Article 5(1), which states:

  • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

The GDPR provides more precise instructions about how individuals have the right to be informed under Articles 12, 13 and 14.

The provisions refer to all situations that involve providing transparent information and communications, not just privacy notices. The following summary outlines the relevant extracts required to write a privacy notice.

Article 12:

  • Organisations should take all necessary measures to provide any information related to processing personal data about an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • This is particularly important where the information being processed relates to children.
  • Privacy information should be provided in writing or by other means, and where appropriate online.
  • Privacy information must be provided free of charge.
  • Information can be displayed in combination with icons to give an easily visible, intelligible and clearly legible overview of the processing operations.

Articles 13 and 14 provide specific instructions around what information needs to be included within your privacy notice. Article 13 relates to personal data collected from the data subject directly, while Article 14 covers information obtained from a third-party.

Article 13 and 14:

  • Provide the identity and contact information of the (data) controller. Also include the full name, postal address, email address and telephone number of your organisation.
  • International organisations that do not operate from a dedicated subsidiary organisation located within the UK and are not registered with the Information Commissioner's Office (ICO) must also include the contact information for their local representative.
  • Where one is appointed, include the contact information of the DPO.
  • Provide detailed and specific information about what personal data is being processed, for what reasons, and how it was obtained. If not from the data subject directly, include where the data came from and was it a publicly available source. The definition of personal data is broad, so be sure to cover everything.
  • Specify the lawful basis used for each different processing purpose. Where consent is being used, be sure to include information about the data subjects right to withdraw consent at any time.
  • If the processing is based on legitimate interest, describe them in detail. For personal data obtained from third-party organisations, be sure to include the categories of data involved (such as contact details, financial data, or health care information).
  • Explain whether you will be transferring personal data to external processors, including whether they are a third-country outside of the UK and what safeguards are in place to protect the data.
  • Provide information about how long you will be holding on to their data. The GDPR is clear that you must only retain personal data for as long as the legal basis for processing allows. This could be how long an organisation performs a task under contract or once consent has been withdrawn. Similarly, organisations should keep hold of personal data being processed on the grounds of a legal obligation, public task or vital interest while those activities are still relevant. If it is not possible to give a clear answer, as could be the case with legitimate interests, supply the criteria used to determine that period.
  • Where automated decision making or profiling is used, confirm what logic is involved and what consequences there may be for the data subject.
  • You should also inform data subjects of their rights to access, rectify, erase, restrict or object to processing and their right to data portability.
  • Inform data subjects on their right to lodge complaints with the ICO.

While EU GDPR recitals were not transposed into UK data protection law, they do provide further clarification in relation to writing a privacy notice.

Recital 58 - The Principle of Transparency:

  • The principle of transparency emphasises that any information addressed to the public should be easy to understand and that, where appropriate, visualisation be used.
  • Such information could be provided in electronic form, for example, when addressed to the public through a website.
  • This is of particular relevance in complex situations where it is difficult for the data subject to know and understand whether their personal data is being collected, by whom, and for what purpose, such as in the case of online advertising.

Recital 60 - Information Obligation

  • The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.
  • Provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data is processed.

For more information, the ICO has a page that explains the above requirements and provides detailed guidance to organisations about how and where to begin drafting your privacy information.

Before you commence writing your privacy notice, the first step is to know what data you have and how it is processed. If you haven't already done this, you will need to conduct an information audit or data mapping exercise.

Guidance On How To Present And Structure Privacy Information

It's one thing to recognise there is scope to improve how we present privacy information. It's quite another to execute an effective strategy. In this instance, the GDPR is literally transparent about how to resolve the problem.

There are two key points to highlight from Article 12:

  • Organisations should provide information related to processing personal data... in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

And that:

  • Information can be displayed in combination with icons to give an easily visible, intelligible and a clearly legible overview of the processing operations.

In addition, the ICO also talks about different methods to provide privacy information, including using icons, dashboards, and layering information to reveal further details.

Write Your Privacy Notice The Way We Consume Online Content

The way we read online is an area of intense research. As such, we know people rarely read digital content in full. Instead, we're much more likely to scan content, picking out individual words and sentences. We only commit fully to reading online content when we find something we are interested in or are motivated to learn more.

Therefore, the challenge is to reduce your privacy information to high-level summaries made up of brief snippets or bullet points that can be quickly scanned and clearly understood. Think of nutritional labels but for privacy. Further details can be provided using layering techniques or embedded links. These summaries can then be grouped into simple categories and presented on a dashboard-style layout with added icons for easier scanning.

This is where good website user-experience design can make all the difference. Given a proper set of instructions about the layout of your privacy information, an experienced digital marketing agency or web designer can transform a table of data and supporting information into highly engaging content that consumers will want to read.

The point is, you are making it easy for prospects, customers, service users, employees and any other relevant stakeholders (data subjects) to see precisely how you collect and process their personal data—and therefore making you genuinely more trustworthy.

The final point to consider is where to position your new privacy notice for maximum effect. The traditional position in the website footer is still relevant given that it's where people know to look. However, introducing a section to your home or about page emphasising your updated privacy information's features and benefits will significantly enhance its chances of being seen and read.

In Conclusion, How About a Quick Example?

It's not a perfect representation per se, but this is as good an example as we can find at this time (we are planning to implement the above technique on our next website update). For now, we will have to draw inspiration from Apple.

Apple is one of the few US technology companies that promotes privacy as a core feature of its phones and other products. In an interview in 2015, Apple CEO Tim Cook said:

  • "privacy is a fundamental human right that people have. We are going to do everything that we can to help maintain that trust. ..."

In June 2020, Apple announced that it would require app developers to disclose their app's privacy practices to customers through easy to glance privacy labels that must be included in the App Store. These new app privacy labels are now live, and as you can see, they provide a much simplified view of how apps handle personal data.

Composite App Labels

In our next article, we return to conducting the readiness assessment and implementation of a GDPR compliance programme.

If you would like to speak to an expert on how to write a policy notice or if you're looking for data protection and privacy law training, email us at contact@freevacy.com or call 0370 04 27701.

Click your chosen course below to see our next available courses dates

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.