What exactly does the law require?
Well, the official version of the GDPR is 261 pages long, contains 173 Recitals, 99 Articles and (as mentioned) is complex and often broad, vague and ambiguous (lucky us). We're going to cover just a few of its key principles:
- Transparency
What data are you collecting and how will it be used? Explaining that to your customers in an easy to read and easily understood manner is an important principle of any privacy law, including GDPR.
Our guess is you've received about a million "we've updated our privacy policy" emails lately, right? It's no coincidence. GDPR requires that companies provide greater transparency and clarity as to how they collect and use their customers' information (in other words, make it more user-friendly). Privacy policies are the mechanism for you to offer transparency - explaining to your customers clearly and in simple language how you collect and use their personal data and how they can contact you or exercise rights they might be afforded.
GoDaddy provides tools that allow you to incorporate privacy policies into your websites, and in some cases provides templates for you to work from. However, because we do not know how you operate your business, it's impossible for us to provide you with a fully-compliant privacy policy.
- Customer Controls and Managing Consent
Being transparent is a great start, but if you are using (or collecting) information from your customers beyond what is strictly needed to provide the goods or services you sell, then you must also be sure they are given the option to consent to those additional uses, and afford them controls to later revoke that consent.
The most obvious example here is using email addresses or phone numbers you have collected to communicate with your customers (usually we think in terms of opt-in/opt-out for such communications/subscriptions). This information may be provided by your customers in the course of creating an account or purchasing a product or service from you. However, it also includes your collection of information about individuals who visit your websites via tools commonly known as "cookies" (and similar technologies such as pixels, scripts, etc.). Certainly, you've seen "cookie banners" when visiting websites, and, similar to the use of a privacy policy, these cookie banners allow for greater transparency. By displaying a cookie banner, individuals may learn more about what tools are being used to collect information about them, accept or decline such use, and/or otherwise granularly control which cookies might be acceptable for use.
Under GDPR, your customers must be given the right to consent to such collection (and subsequent use), and the only way consent may be properly given is if you present the option to exercise such consent in an easy to understand, specific (to the particular use), and explicit manner. Pre-checked boxes, silence or inactivity cannot be used to indicate your customer's consent. For instance, if you have a checkbox on your website that says, "We will share your data with 3rd party advertisers," you cannot pre-select the checkbox to opt data subjects in to processing their data. The checkbox needs to remain unchecked for data subjects in the EEA until they voluntarily opt in or express consent to such processing.
Ultimately, you need to ensure your customers can exercise control over use of their personal data, communications, and consent, including a right to revoke that consent.
- Right to be Forgotten
We mentioned before that GDPR is very similar to other privacy laws around the world - this one is a right for your customers that is unique to GDPR. The GDPR provides individuals the 'right to be forgotten' (the "Right of Erasure" under the law). This means that the customer can ask that their personal data be deleted (and that they be "forgotten"), where the personal data collected is no longer necessary for the purposes for which it was collected or otherwise processed.
Where the right exists, you must delete the data subject's personal data from your systems (unless there are legitimate business or legal reasons that such data must be kept, say for your financial reporting purposes or legal retention needs).
For instance, if a customer decides to stop doing business with you, they may no longer want you to keep information about them that you previously collected and stored. Though there are limitations to this right - with exceptions and complicated nuances - where it applies, you must consider how you would honor such a request, and whether you are able to, when it is made.
GoDaddy, for its part, as we've described and in accordance with our Data Processing Addendum, will honor requests received from you (the Data Controller) to remove your customer's information from our systems when such a request is made.
- Right to Data Portability
The right to data portability is another GDPR-unique right that allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Let's say you're an event planner. Your customer provided all their contact details and relevant personal preferences, but then they moved and decided to hire a new event planner. In the EEA, they should be able to get an electronic copy of their personal data so they can easily get set up with a new event planner. GoDaddy is here to assist with such requests to the extent your customer's personal data exists within, and is capable of being exported to you from, the products or services we provide.
- Privacy by Design
Privacy by Design (or by default) essentially means that when you obtain, process, store or use personal data, the necessary protections are contemplated and built in from the start: no special considerations or additional steps are needed; only the minimum necessary data is collected; it is received securely (e.g. encrypted) and stored in a secure location; and only properly trained people with a valid need have access to it. This includes making sure third parties also have protections in place before you send them your customer's personal data.
This is essentially the same as a patient visiting a doctor's office. As a patient, you would expect your health records, notes taken, and advice received to be kept safe and confidential. Extend that same type of vigilance to data subjects and you'll be in good shape.
Any examination of your business operations should include how GoDaddy's products and services can be used with privacy in mind. While we hope our products and services can be configured to meet your specific needs, it is up to you to make an independent determination as to whether use of our services is adequate for your compliance with applicable data privacy and protection laws.
- Data Breach Notifications
In the unfortunate event of a personal data breach, companies have a duty to notify their supervisory authority within 72 hours of becoming aware of the breach, or without undue delay. For more details on how to disclose and what steps to take, please consult with your lawyer.