Privacy Policy

Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in as much detail as in our premium privacy and cookie policy templates.

The key legal instruments currently applicable to cookies are:

The latter is the UK’s implementing legislation for the former. The consolidated version of the UK regulations is not available on the website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.

New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.

In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this statement alone will not satisfy the consent requirement under the cookie laws.

How do I edit the privacy policy?

After you have downloaded the policy, you will need to open it in your word processing software for editing.

The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.

With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and – this is often the hard bit – the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.

You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.

Guidance notes are included in the template to help with the editing process.

After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.

Why is your privacy policy longer / more complicated than some other policy templates?

This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.

Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law were clear, the guidance wouldn’t be needed. In many cases, the guidance either overreaches or dodges the difficult issues.