11 Apr 2018

Updating website privacy statements for the GDPR

Data Protection laws are undergoing a major upgrade when the GDPR (General Data Protection Regulation) supersedes the Data Protection Act on the 25th May 2018.

These wide-ranging changes are impacting on a number of areas, and one of these is the website privacy statement. Websites have been displaying privacy statements for years, especially since infamous EU Cookie law came into force in 2012. They often take the form of a long page of detailed text. This privacy policy is then linked to on registration forms, website footers or the annoying cookie notification pop-ups some sites decided to implement.

Visitors would need to set aside 244 hours a year to read the privacy statement of every website they visited

The length of some of these privacy statements is a big problem. Research by Professor Lorrie Cranor of Carnegie Mellon University suggested visitors would need to set aside 244 hours a year to read the privacy statement of every website they visited.

The GDPR attempts to tackle this, not by addressing lengthy policies, but by requiring websites to state the most important points in an easy to read format at the point where personal data is collected and/or consent is required. The GDPR states that organisations that collect personal data must provide information that is:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

When registering a user, websites cannot simply just display a link to a long privacy policy statement anymore without outlining the salient points.  Also, users need to actively agree by ticking boxes related to the registration.

Tick boxes related to the use of personal data cannot be pre-selected anymore. The GDPR also states the areas a privacy policy needs to address, including:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

If you run a website, you might not think you are collecting personal data, but be aware of cookies being used by the systems that power your website. For example, do you use Google Analytics to monitor usage? Does the Content Management System you use collect user data? Is there a sign up to an email list?

Check what you collect and start planning now for these changes. More information and some useful examples can be found on the Information Commissioner’s Office at

Add new comment

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Enter the characters shown in the image.