Some long-winded thoughts on privacy policies and consent popups
This Q&A is compiled from conversations I have had with many, many clients and collaborators who have had a hard time navigating things like the GDPR, privacy policies, cookie notices, consent messaging, and other related topics.
Here are all the questions covered below:
- But do I really need one? I’m not in the EU / my site is so small / I don’t use personal data for anything bad / etc.
- How do I know if I’m collecting personal information from my website visitors?
- How do I know what legal basis is applicable, and what on earth is “legitimate interest”?
- So what about things like Google Analytics, what legal basis would that fall under?
- What qualifies as consent?
- What if I really don’t want to gather consent but must have some sort of analytics to track visits?
- What about cookies? How do they fit in to all this?
- Do I have to show a pop-up about data collection or cookies when someone visits the site?
- Is this a “set it and forget it” thing? When do I have to revise my privacy and data messaging?