What websites need a privacy policy? Any website that processes personal data will need to provide privacy information to the individuals whose data is being used. This is typically done by providing a privacy policy on the website itself. You can find out what a privacy policy is by reading this blog.
It’s important to remember that the definition of personal data is very broad, and includes things like users’ names and contact details, but also their IP addresses and account handles. Your website will be processing personal data if you’re doing something with that information, such as collecting it, recording it, storing it, using it, sharing it etc.
Ecommerce websites need to process personal data in order to process transactions by customers. This means that if you run an ecommerce website, you will need to provide a privacy policy on your website.
Other instances in which a website might need to provide a privacy policy include the following:
- you ask users to provide their contact information if they want to subscribe to your newsletter; and/or
- you track how people are using your site.
Bear in mind that you can’t just put your privacy policy on your website and leave it for people to find – you must make them aware of it. This blog has guidance for you on how and where to provide your privacy policy on your website.
When to provide your privacy policy
Once you know what websites need a privacy policy, you need to understand when to provide it to individuals whose data you’re processing. This will depend on whether you got the personal data from the individual directly (eg because they filled out an online order form with their details) or from a third party (eg because you bought a marketing list from a third party).
Where you got the personal data directly from the individual
You must provide your privacy policy to individuals whose data you are processing at the point at which you collect their data from them. For example, if they provide their details to you through an online order form on your website, you should provide relevant privacy information on the order form itself with a link to your full privacy policy. For guidance about how to do so, read this blog.
Where you got the information from a third party
If you’re not collecting the personal data from the individuals directly (eg because you’re buying a marketing list containing their information from another business), it won’t necessarily be practical for you to provide your privacy policy at the point at which you collect the data. In these circumstances, you must make sure you provide your privacy policy to the individuals whose data you are using within a reasonable period of time and no later than the earliest of:
- a month after you obtained their personal data;
- if you are using the personal data to communicate with them, the point at which you send your first communication; or
- if you’re planning to disclose the personal data to someone else, the point at which you actually disclose it.
There are some limited exceptions to the requirement to provide the individual concerned with your privacy policy if you obtain their personal data from a third party, which include the following:
1. They already have your privacy policy
To rely on this exception, you must be able to demonstrate that the individual in question already has your privacy information (eg because the organisation you received the personal data from has already provided it to them). If you’re unsure whether it has actually been passed on, you should make sure you provide it yourself.
2. Providing the information to the individual would be impossible
In some circumstances, it may be impossible for you to provide your privacy information to the individual in question. For example, you might not have their contact details or any reasonable way to get hold of them. If you’re going to rely on this exception, you must carry out a data protection impact assessment (DPIA) before doing so and publish your privacy information (eg by linking to it on your website).
For further guidance about DPIAs, read our Q&A on Data protection impact assessments. We also have a template policy that will help you in fulfilling your DPIA legal obligations.
3. Providing the information to the individual would involve a disproportionate effort
If the effort it will take you to provide the individual in question with your privacy information would be disproportionate to the effect that your use of the data will have on them, you may be able to rely on this exception. To do so, you should make a written record of your assessment of the proportionality, and conduct a DPIA before processing the personal data.
Considerations you can bear in mind when making your assessment of proportionality include:
- the number of individuals involved;
- how old the personal data is; and
- what safeguards you have put in place.
In any event, if you’re relying on this exception, you must still publish your privacy information (eg by linking to it on your website).
4. You’re required by law to obtain and disclose the data
In some instances, you will be required by law to obtain or disclose personal data which you have obtained from a third party source.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.