Creating Compliant GDPR Notices

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

Wherever your business is based, there's a good chance you fall under the scope of the EU's GDPR. If so, any consent you obtain must be clear and unambiguous in order to be compliant. To make sure this consent is valid you'll usually need to produce several notices so that users can make informed decisions before granting their consent.

Here's what you need to know.


GDPR Overview

The General Data Protection Regulation (GDPR) took legal effect in 2018. It's a European Union directive and thus has legal force in all European Union countries. There's no need for the countries to explicitly incorporate it into domestic law.

The GDPR enforces a series of rights for individuals about the processing of their personal data. "Processing" covers collection, use, sale and disclosure of data.

Although a European Union measure, the GDPR affects businesses around the world. That's because it covers three elements (the business, the individual and the data processing itself) but applies even if only one of these elements is in a European Union country.

For example, the GDPR would apply in all of these cases:

  • An American company processes data about a French customer
  • A German company processes data about a Canadian customer
  • An Australian company uses a processing centre in Ireland to handle data about a Brazilian customer

Arguably the biggest change the GDPR brought in compared with previous data laws was a requirement to get advance consent before processing data in certain circumstances. It also requires a series of notifications.

GDPR Notices

The GDPR's requirements mean that you must produce a series of notifications to customers in different situations. Broadly, these notifications must make certain that individuals are aware of the following:

  • What data you collect about them
  • How and why you use this data
  • The right to give or refuse consent to this data processing (and the consequences of doing so)
  • How they can access, challenge and correct data you've already collected

To comply with the GDPR you'll need some or all of the following notices to cover your activity.

General GDPR Notices (Privacy Policy)

The GDPR requires that you have a Privacy Notice or Privacy Policy. It also lists a range of information you need to include and specifically says in Recital 58 that you must provide this in writing (including electronically) using a "concise, transparent, intelligible and easily accessible form, using clear and plain language."

A Privacy Policy is the only really effective option for delivering this information.

The key points you must include in a Privacy Policy to comply with the GDPR are:

  • Your contact details
  • Details of your data protection officer if you have one
  • Why you are processing personal data, including which of the six legal bases allowed under the GDPR is applicable
  • Whether you'll pass on the personal data to anyone else
  • Whether you plan to transfer the data outside of the European Union (and if so, what safeguards will apply)
  • How long you'll keep the data (or how you'll decide how long)
  • The fact that the user has the right to access the data, correct it, ask for it to be deleted, or get a copy in a form they can take elsewhere
  • The fact the user has the right to withdraw consent later on, but that this won't affect the legality of processing that happened before the withdrawal
  • The fact the user has the right to complain to the relevant regulatory body in their country
  • Whether providing the data is a legal or contractual requirement and what will happen if the data isn't provided
  • Whether you use automated decision-making using the data

This example from PERI is compliant with the rules on declaring the legal basis for processing data. However, it could be more user-friendly by explaining what the cited bases are, rather than just referring to the paragraphs in GDPR:

PERI UK Privacy Policy: Legal Basis for the Processing of Personal Data clause

This example from ATPI covers how data is passed on and the relevant safeguards in place:

ATPI GDPR Privacy Notice: Transfers to Third Parties clause

This example from The Brexit Party Ltd covers the right of the user to complain to a regulatory body, as well as gives the necessary contact details:

The Brexit Party Ltd Privacy Policy: Your right to complain clause

You can see how it's easy to cover all the required information in relatively short yet informative clauses in a Privacy Policy.

The easiest set-up for achieving compliance is to have a standalone Privacy Policy and then include a clear link to it whenever you are requesting to collect personal information.

If your Privacy Policy is short enough, you could show it in full at the point of collecting data (for example in a pop-up window). Having a standalone page will work better if your Privacy Policy is more detailed or covers requirements under other privacy laws as well as GDPR.

However you do this, it's vital that you clearly signpost the existence of your Privacy Policy and make clear that you are asking the person to read it and then agree to it as part of consenting to the processing of personal data.

This example from Docusign puts the necessary signposting right before the point at which the user clicks the button to submit their data:

DocuSign sign-up form with agree and consent text highlighted

Cookie Consent Notices

Even before the GDPR, cookies were covered by a European Union rule known as the ePrivacy Directive. Although it's well worth covering cookies in your GDPR-compliant Privacy Notice, you do need a specific Cookie Consent notice that appears before you issue any cookies.

The key points to cover in this notice are:

  • The fact that you use the cookies
  • What the cookies do and why you use them
  • The fact that you must get user consent

You must get active consent before issuing cookies. As detailed later in this article, this must involve an active, intentional action by the user to confirm consent. You can't use an opt-out system or assume that the user gives consent because they haven't actively objected.

You don't need to get permission or give notice about any cookies that are necessary to carry out the core purpose for which the user has visited the website. The most common example of this is cookies needed to keep goods in a virtual shopping basket.

Here's an example of a cookie consent notice from the EU Parliament that provides clear options to accept, refuse or learn more about cookies:

EU Parliament cookie consent notice

You should also make sure to include more information about cookies in your Privacy Policy or dedicated Cookies Policy.

Philips does a good job of explaining the different categories of cookies it uses in its Cookies Policy. This is effective because the site allows users to give or withhold consent for cookies on a category-by-category basis. Note that this would also work as a clause in a Privacy Policy if you don't have a separate Cookies Policy:

Philips UK Cookie Policy: Why are cookies used clause

Email Marketing Notices

You should normally use a dedicated notice when collecting an email address for marketing purposes. Remember that this covers two separate activities under the GDPR's broad "processing" definition:

  • Collecting the email address
  • Using the email address to send marketing materials

This means you must take account of the following when writing the email marketing notice:

  • You must make the user aware they are consenting to you using the address to send the marketing material.
  • You must make sure the user can give specific consent to cover you collecting and using the address. You can't bundle it in with other requests for consent such as accepting cookies or agreeing to a general Privacy Policy.
  • You must tell the user how they can withdraw consent later on. You should remind them of this at the bottom of any marketing email you send, as well, and provide an unsubscribe mechanism.

The Money Saving Expert site covers these points very concisely within a wider guide to its weekly newsletter:

MoneySavingExpert email sign-up and FAQ

In this example from Hay House, the user has to click at least two checkboxes - one to acknowledge and agree to the Privacy Policy and one to choose a newsletter - before clicking "Submit." This makes sure the consent is meaningful. It's also helpful that the newsletter descriptions explain how often the user should expect to get emails:

Hay House email newsletter sign-up page with checkboxes for consent

One downside is that the links to the Privacy Policy and Terms of Use aren't clear. The links only appear when the user moves the mouse over the words in question and there's an asterisk that doesn't lead anywhere. It would be less confusing if the links were underlined as is common practice online.

Obtaining Consent

Not only does the GDPR require prior consent for data processing, but it has a clear and specific definition of consent, namely:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

This definition, along with subsequent court rulings, means some previously common forms of "confirming consent" are no longer valid.

Let's look at the different methods of obtaining consent, which ones you should avoid and which ones are most favorable/recommended.

Browsewrap

Some websites use a passive method of getting users' consent to Privacy Policies, cookie placement and more. This often dates back to before the GDPR took effect, particularly in countries with looser rules on data privacy.

This passive method is known as browsewrap. Browsewrap works on the basis that a visitor who simply uses a website is consenting to the terms in the Privacy Policy (or other legal agreements).

Browsewrap is invalid under the GDPR because it does not constitute clear and affirmative consent. There is too much risk that the user either hasn't seen the Privacy Policy or hasn't read it in full. Under the GDPR, the burden is on the site operator to prove the user has read the policy and consented to it, or at least knows one even exists.

Clickwrap

The best method for ensuring meaningful consent to a GDPR notice is an active checkbox or similar measure.

The most common method is a notice on screen that displays a statement that the person consents, with an empty checkbox marked "I agree" or "I accept." The user then ticks the checkbox or switches the toggle, then normally clicks a button confirming their choice. This method is known as clickwrap.

It may seem redundant to have this extra step, meaning the user has to take two actions, but it's the best way to get the necessary certainty about the person's consent. The key is that the user:

  • Makes a meaningful decision (whether or not to give consent), then
  • Confirms that decision

As you would expect given that it regulates privacy issues, this example from the Information Commissioner's Office is compliant in both form and function. It distinguishes between necessary cookies (which can be enabled by default) and other cookies (which can't be issued without consent). It uses a toggle but sets it to "off" by default so that users can make their own choices:

ICO Cookie Consent notice

Pre-ticked Checkboxes

Until 2019, some website operators assumed that a pre-ticked checkbox was adequate for obtaining consent. This means showing the user a form that includes a statement to say they have read, understood and consented to the Privacy Policy or other data privacy measures such as cookie use.

The form has either a checkbox or a toggle that is set to "yes" by default, meaning the user has to actively untick or switch off the indicator to show they do not consent before clicking a button to proceed or dismiss the message.

In 2019 the Court of Justice of the European Union ruled that pre-ticked checkboxes and similar measures are invalid forms of consent because they are implied or assumed. As with browsewrap, this type of clickwrap approach doesn't give conclusive evidence of the user intentionally consenting.

This example from National Geographic Expeditions is compliant as it has a mandatory checkbox that is unchecked by default:

National Geographic Expeditions newsletter sign-up form with a clickwrap consent checkbox
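As an added illustration (not code from the article or from any of the sites it cites), here is a small JavaScript model of the consent rules described above: optional cookie categories default to off, no optional cookie is issued until the user has confirmed an explicit choice, strictly necessary cookies are exempt, the confirmation is recorded so the operator can later show what was agreed, and consent can be withdrawn. The category names, cookie names and function names are assumptions.

```javascript
// Added example: a minimal cookie-consent model in the spirit of the article.
// Category and cookie names are constructed, not taken from any real site.
const OPTIONAL = ["analytics", "marketing"];

// Starting state: only strictly necessary cookies are allowed, nothing is confirmed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, confirmed: false, record: null };
}

// The pattern the article warns against, shown for contrast only: optional
// categories pre-ticked before the user has done anything.
function preTickedDefault() {
  return { necessary: true, analytics: true, marketing: true, confirmed: false, record: null };
}

// Clickwrap: the user sets each toggle, then confirms. Only an explicit `true`
// counts as consent; an untouched or unset toggle stays off. The record keeps
// which policy version was shown and when, since the operator bears the burden of proof.
function confirmConsent(choices, policyVersion, timestamp) {
  const state = defaultConsent();
  for (const cat of OPTIONAL) state[cat] = choices[cat] === true;
  state.confirmed = true;
  state.record = { policyVersion, at: timestamp, granted: OPTIONAL.filter(c => state[c]) };
  return state;
}

// Gate: may this cookie be set under the current consent state?
// Necessary cookies (e.g. a shopping basket) are exempt; everything else needs
// a confirmed, category-specific "yes".
function mayIssueCookie(cookie, state) {
  if (cookie.category === "necessary") return true;
  return state.confirmed === true && state[cookie.category] === true;
}

// Withdrawal: stops future issuing for that category; the earlier record stays intact.
function withdrawConsent(state, category) {
  return { ...state, [category]: false };
}

// Constructed sample cookies, one per category.
const COOKIES = [
  { name: "basket", category: "necessary" },
  { name: "stats", category: "analytics" },
  { name: "promo", category: "marketing" },
];

// Names of the cookies the site may issue right now.
function issuable(state) {
  return COOKIES.filter(c => mayIssueCookie(c, state)).map(c => c.name);
}
```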

Summary

Let's recap the key points about GDPR-compliant notices.

  • The GDPR covers your business if either you or a customer/site user are in a European Union country or if you process data in an EU country.
  • Any consent you obtain must be meaningful.
  • You will likely need several notices to make sure the user can give meaningful consent. The best solution is usually a standalone Privacy Policy plus specific notices for some specific forms of consent such as cookies and email marketing.
  • Your Privacy Policy must cover several key points including your contact details, what data you collect, how you use it, and the user's rights under GDPR.
  • You must always display, or clearly link to, the relevant privacy notice at the point when you are about to collect data.
  • Consent must be clear, active and unambiguous. You can't infer consent just because somebody continues to use your sites or services after seeing your privacy notice.
  • Don't use pre-ticked checkboxes or toggles set to "on" by default as a way to confirm consent. A court ruling means these are no longer valid as they don't offer enough proof of the user's intentions.