Some long-winded thoughts on privacy policies and consent popups

This Q&A is compiled from conversations I have had with many, many clients and collaborators who have had a hard time navigating things like the GDPR, privacy policies, cookie notices, consent messaging, and other related topics.

Here are all the questions covered below:

Requisite caveat: Though I have a lot of experience poking around in the GDPR and other privacy regulation wording and try to advise where I can, I would not consider myself an expert on information privacy law and you shouldn’t either. The guidance I provide here is a primer that scratches the general surface of these topics.

If you’re looking for concrete guidance, always refer to official documents and bodies such as the GDPR guide on gdpr.eu which is part-funded by the EU, the ICO’s guide to UK GDPR, and the European Commission website. And, of course, speak to a specialist who is an expert on this stuff!

And a note: There are other privacy regulations around the world that are worth keeping in mind, but I will refer to the GDPR throughout this Q&A since it is the strictest and most broadly applicable policy I am aware of at this time. If you’re curious about other regulations and laws that might be more applicable for your audience such as the CCPA in California or LGPD in Brazil, check out the Wikipedia page on information privacy law as a starting point.

Do I need a privacy policy?

If you are collecting any personal information from your website visitors and have any chance of website visitors from the EU—especially if this might include children—then yes, you do need a privacy policy according to the General Data Protection Regulation (GDPR).

The GDPR’s definition of personal information is extremely broad. This means that personal data includes more than just the obvious attributes such as a person’s name or email address. It also includes their IP address and cookie identifiers, amongst other things. For more details on what personal information is, read more on gdpr.eu.

But do I really need one? I’m not in the EU / my site is so small / I don’t use personal data for anything bad / etc.

Yeah, you probably do! You likely aren’t preventing EU residents from visiting your site, and you’re probably collecting data, so it’s a good idea.

Of course a lot of websites are still missing privacy policies, particularly those run by non-EU folks, and they’re not necessarily getting the hammer for it en masse. But personally, I’d rather take a moment to write a policy than risk the GDPR equivalent of an ambulance chaser deciding I’m a worthwhile target.

Besides that, it’s just a common courtesy thing. If I used security cameras indoors, I personally would either turn them off or let my friends know about them if I invited them to stay. Similarly, you’re being a better digital host by letting your visitors know what’s up with their data. It builds trust.

How do I know if I’m collecting personal information from my website visitors?

If you have a website at all, the likelihood is that you are collecting personal information somewhere. This is as true for a simple, text-only holding page as it is for an archive/webshop/marketing behemoth.

At the very minimum, your website is probably storing visitors’ information in server logs. Server logs include a record of each time a website resource is accessed including device details, the IP address of the visitor, and the host name of the accessing computer. These logs are extremely useful, often essential, for debugging or detecting malicious behavior.

Every shared hosting provider I’ve ever encountered has server logging by default. All-in-one website solutions such as Squarespace as well as serverless solutions such as Netlify or Sanity also likely have server logging, though you would need to check their privacy policies for more information. If you’re a dev running a VPS or some custom setup then maybe you have logging turned off, but you’d know at any rate since you’ve set it up yourself.

If you just have a simple one-page site, server logs might be the extent of your personal data collection. If you have a bigger site, you might also collect data for specific functionality. For example on this site, I collect data for security purposes, to keep my firewall running properly.

And then beyond that, you might be collecting personal information for marketing purposes. This might include a signup form for your e-newsletter, or browser-side analytics such as Google Analytics or Matomo to give you more information about the people visiting your website.

Based on all of this, if you have a website, you can be pretty certain that you are collecting personal information!

How do I write a privacy policy? What do I put in it?

A privacy policy is a transparent, plain-language document that answers the questions “Who?”, “What?”, “Where?”, “When?”, and “Why?” for anything and everything relating to personal data and how it is managed in relation to your site.

It’s mostly a common sense exercise, but the GDPR does have particular requirements in terms of what it should include and some of the terminology is a little confusing. In my opinion, the privacy notice guidance on gdpr.eu is the best place to get an understanding for the required contents. This guidance includes a list of exactly the information you need as well as best practices guidance and a template. It’s also a good idea to refer to other similar individuals’ or organizations’ privacy policies to see how they structure things and what tone they take.

There is a very good chance that you’ll run in to some roadblocks when trying to put together your policy, particularly in relation to what data you hold, how long you hold it for, and where it is held. If you run in to that sort of trouble, refer first to your service providers’ privacy policies and talk to their support staff since they should be able to provide you with the most detail. If that doesn’t get to the bottom of it, you might need to speak with your developer, an IT person, or another specialist to get the answers you need.

The other roadblock usually involves figuring out your legal basis for collecting personal information, more on this below.

How do I know what legal basis is applicable, and what on earth is “legitimate interest”?

The terms “legal basis” and “legitimate interest” are probably two of the more confusing phrases you’ll encounter when trying to put together a privacy policy.

To be compliant with the GDPR, you have to have a legal basis for gathering personal data, and that legal basis has to be disclosed to the visitor in your privacy policy. “Legitimate interest” is just one legal basis among the six outlined in Article 6 of the GDPR, listed below.

The data subject has given consent
To perform a contract with the data subject
To comply with a legal obligation
To protect the vital interests of the data subject or someone else
To perform a task carried out in the public interest
For the purposes of your or a third party’s legitimate interests, unless those interests are overridden by the interests or rights of the data subject

You only need one legal basis for each instance of data collection, and you don’t have to use the same legal basis for every bit of data you collect.

The first point, consent, is the reason why you now see so many pop-ups online, especially on advertising-heavy sites. I’ll go in to consent in a moment.

That last point about legitimate interest is the most murky. Legitimate interest is a flexible, useful criteria in certain applications, but it puts the onus on you as the data controller to prove the validity of those interests.

Honestly, “legitimate interest” isn’t something that I can clearly define here in a concise way. If you think you might need to rely on legitimate interest as the lawful basis for some or all of your data collection, I would recommend reading more on the UK’s Information Commissioner’s Office website, specifically their guidance on what legitimate interest is and when it applies.

So what about things like Google Analytics, what legal basis would that fall under?

It depends.

Some people try to argue that the collection of data with Google Analytics or a similar platform could be under the legal basis of legitimate interest. And in my opinion? I think there are a few limited cases where this could and should be true. But there were multiple rulings in 2019 that indicate that this may not be valid, particularly since it involves transmitting data to a third-party for arguably nonessential purposes.

If you lock down your Google Analytics so that you are tracking and sharing the least amount and most anonymized information possible then you might be able to get away with arguing legitimate interest. But if you were confronted about it, you would have to prove that the data processing is necessary under the three-part test and/or would have to prove that no personal information is being collected. Honestly, it’s something I would consider talking to a lawyer about if you’re unsure.

Because it is difficult to be 100% certain that you can classify Google Analytics data collection under the lawful basis of legitimate interest, many website owners have decided to collect that data under the lawful basis of consent instead. Consent is unequivocal, but it can also be pretty obtrusive.

If you’re using consent as your lawful basis for collecting data under the GDPR, consent must be given freely, must be specific, must be informed, must be unambiguous, and must be revokable. The gdpr.eu site goes in to some clear detail on each of these points.

This is the reason for the in-your-face pop-ups and flyout panels you see on so many sites now forcing you to manage your preferences before you enter a website.

In order to be compliant to the letter, sites that are using consent as their lawful basis have to gather this consent before the tracking cookie is dropped and data starts being transmitted, effectively locking their visitors out of the site until those settings have been accepted. Consent has to be given for each purpose that data is tracked, which is why some of these consent management components are so overwhelming and enormous on very tracking-heavy websites.

Other websites have very low-key popups along the lines of the below:

We use analytics to better understand our audience. By using our website, you consent our use of analytics. Please see our privacy policy for further information.

This sort of notice usually looks nicer and it might be sufficient for another lawful basis, but it isn’t really sufficient as consent. The user isn’t giving their consent freely before being tracked, and this doesn’t allow them to revoke their consent.

This is a tough situation.

The only way I feel fairly certain that you could do this—again, speak to an expert to be sure—is to use server-side analytics which harness the server logs that you likely have already. (Reminder: server logs gather details about site visitors for functionality and security purposes as I mentioned earlier in the Q&A.) Since these logs gather plenty of information regarding things like IP addresses and device information, they can be used for pretty granular analytics as well. You need some additional software in order to parse this data and view it in a digestible manner, and the user interface definitely leaves a bit to be desired in most cases, but some hosting providers offer this for free so it can be a pretty strong alternative to browser-side analytics like Google Analytics. AWStats, for example, is an open source log file analyzer that many of the better shared hosting providers I’ve come across seem to offer by default.

If you have to use Google Analytics and don’t want to gather consent, you probably need to put yourself in as strong a position as possible to argue that you are gathering data under the lawful basis of legitimate interest. This means locking down your Analytics account and script to anonymize as much information as possible and prevent it from being shared for any unnecessary reason.

If possible, you should choose the geographic location of your data so that it is stored in your country of residence. Under your Google Analytics Account Settings, you should adjust your data sharing settings to disable as much as possible. Under Property Settings, you should disable Advertising Features and probably User Analysis as well. Under Tracking Info, disable Remarketing and Advertising Reporting Features, ensure that User-ID is disabled, and set your Data Retention to the lowest reasonable timeframe. Under Product Linking, disable as much product linking as you can get away with to limit the sharing of data. And finally, adjust your Google Analytics script to anonymize IP addresses. A developer may need to help you with this last step.

To be clear: these steps do not guarantee that your Google Analytics implementation is GDPR-compliant when not gathering consent. It just may make it slightly more likely that you could viably argue for gathering data under the lawful basis of legitimate interest. One last time: Talk to an expert about this if you aren’t sure about your compliance.

What about cookies? How do they fit in to all this?

Cookies are related to information privacy regulations like the GDPR in that cookies are often used to store and transmit personal information. For example, most Google Analytics instances won’t work without cookies. Cookies are different, however, in that there is a whole separate set of regulations that apply, the ePrivacy directive or “Cookie Law”.

The gdpr.eu page on cookies does a decent job outlining how the Cookie Law regulations and GDPR work together. To quote directly from them:

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

Receive users’ consent before you use any cookies except strictly necessary cookies.

Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.

Document and store consent received from users.

Allow users to access your service even if they refuse to allow the use of certain cookies

Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

“Strictly necessary cookies” are pretty much restricted to things like session cookies, without which you couldn’t log in to a CMS or manage your purchases in a cart, for example. It doesn’t include cookies for statistics, marketing, or preferences. As per the UK ICO: “Where the setting of a cookie is deemed ‘important’ rather than ‘strictly necessary’, you are still obliged to provide information about the storage or access to the user or subscriber and obtain consent.”

Besides gathering consent where it is required, you have to provide “clear and comprehensive information” about the cookies you intend to use, why you intend to use them, any third parties that may also be using these cookies, and the duration of the cookie. See the UK ICO page on cookies for more on what information you need to provide.

Since there is a lot of overlap in the Cookie Law and GDPR requirements, you’ll often see cookie information baked in to a broader privacy policy, for the sake of keeping all of this information in one place for the site visitor.

Do I have to show a pop-up about data collection or cookies when someone visits the site?

Whether or not you have to show a pop-up depends on what data you are gathering and the lawful basis.

If you’re gathering on the basis of consent, or if you are setting cookies that require consent, then you need a pop-up that can used to manage consent.

If you’re gathering data on the basis of legitimate interest or another reason and aren’t setting unnecessary cookies, then you shouldn’t need a pop-up. You may however still want to show some sort of discreet message to let the user know more broadly about cookies and your privacy policy, in the footer or in a small, dismissable message.

Is this a “set it and forget it” thing? When do I have to revise my privacy and data messaging?

I’m afraid creating a privacy policy is not a “set it and forget it” task.

This is partly because service providers change all the time. For example, if your hosting provider changes the way they handle data, there is a chance you will need to update this on your privacy policy as well.

Likewise, your organization might change the way they handle data. If you decide to move from MailChimp to another e-newsletter platform, you’ll need to reflect that in your privacy policy.

And finally, the relevant regulations are shifting gradually. The ePrivacy “Cookie Law” is due to be updated any day, which will likely mean that you have to shift how you approach your privacy policy and data collection messaging.

I’d recommend checking on your privacy policy at least twice a year to just double-check that everything is as it should be, or much more often if you process a lot of data.

This is quite a frustrating topic to write about… I always feel like a top-tier buzzkill when discussing these things with clients and collaborators.

I know how important analytics can be for some organizations, particularly those that rely on public funding and have to provide analytics information in things like grant applications. And I also know how awful so many of those consent pop-ups are, they’re a mess in every way and have sort of ruined large swaths of the web. And there are so many big companies that collect data via Google Analytics but don’t have any consent management system! How are they getting away with it? Are they just willing to pay the potential fines?

All that said, even though I’d love to say “Screw it, you don’t need a pop-up”, I can’t recommend ignoring things like the GDPR consent requirements. My hope is that the upcoming ePrivacy law update and future GDPR updates make it more reasonable to gather small amounts of strictly anonymized personal data for statistics purposes via third-party platforms, particularly for individuals and very small organizations. But I’m not holding my breath!