Privacy Statements Under the GDPR

26 Pages Posted: 22 May 2019 Last revised: 5 Jul 2019

See all articles by Mike Hintze

Mike Hintze

Hintze Law PLLC; University of Washington School of Law; Future of Privacy Forum

Date Written: February 7, 2019

Abstract

The European General Data Protection Regulation (GDPR) imposes many onerous compliance obligations that affect companies worldwide. Those subject to the GDPR must evaluate the risk of all their data processing obligations and prepare formal data protection impact assessments (DPIAs) on those that are higher risk. They must ensure that contracts with vendors and service providers contain specific data protection terms set out by the Regulation. They must implement systems and processes capable of responding to requests from individuals exercising their rights under the GDPR, including rights to access, correct, port, delete, or restrict the processing of personal data. They must implement product development processes and policies to meet the law’s new “data protection by design” requirements. And there are many others.

The need to include specific types of information in a privacy statement is a GDPR compliance obligation that does not get as much attention as some other GDPR requirements. Perhaps that is because privacy statements have been much maligned in recent years. They are too long and full of legalese. Nobody reads them. They are part of a notice and consent approach to privacy that puts an unrealistic burden on consumers to make informed choices. But despite these well-known criticisms, the GDPR doubles down on privacy statements. In fact, gauging by the roughly fourfold increase in privacy statement requirements compared to the previous law, the GDPR quadruples down.

As a result, ensuring that a privacy statement is GDPR-compliant is one of the more important obligations that companies must navigate. And meeting the privacy statement requirements effectively is not as simple as it might first appear. This Article discusses how companies should approach and craft their privacy statements to meet these new GDPR requirements, thereby reducing their risk.

Keywords: privacy, data protection, GDPR, notice, privacy statement, privacy policy, transparency

JEL Classification: K29, K39

Suggested Citation

Hintze, Michael, Privacy Statements Under the GDPR (February 7, 2019). 42 Seattle U. L. Rev. 1129 (2019), Available at SSRN: https://ssrn.com/abstract=3390017

Michael Hintze (Contact Author)

Hintze Law PLLC ( email )

505 Broadway E #151
Seattle, WA 98102
United States

University of Washington School of Law ( email )

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States

Future of Privacy Forum

United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
224
Abstract Views
1,468
Rank
345,205
PlumX Metrics