How does the company obtain personal data?
"Your personal data may be collected when you browse or interact with our website", as that is the only way we collect information.
What forms of personal data does the company collect?
You need to rewrite your policy to explain what types of data the company is collecting. Simply serving a website means that you will be collecting IP address, browser type, operating system and probably referral pages (e.g. what website they came from). But if you have a registration page then you might be collecting name, address, age, sex and email address as well. A payment page might collect a credit card number, or if they send money to your bank then you would be collecting banking details.
How does the company use personal data?
How do you use the data you gather? Do you use it for advertising, website statistics, selling products, tracking customers, logins, password resets, or selling the data to third parties? This all needs to be declared so people know what is going to happen to the data they provide you. This, and the next point, are what have the larger players on the Internet worried, as they feel their relationships will suffer if people find out what is happening to the data they are providing.
TPS found this one quite easy as the data is only used to operate the shop. As such the policy says,
Whether we receive your personal data directly from you or a third-party source, we will only use it to facilitate The Privacy Shop services.
How does the company share personal data?
This also covers third parties who have access to the data. If you are using a web hosting service, VPS service, etc., they all come under this. If WordPress plugins have access to the data then you should declare that you are sharing data with third parties. Google Analytics, payment providers, pictures linked from other servers, font servers... everything. You would be amazed how many services used by a website get overlooked. Look at your site using a plugin like Firefox Lightbeam or uBlock Origin and see what is attached and connecting to your users that you may not have thought of. Most people remember Google Analytics but might forget that if the website was built on Wix then there will probably be four or more third-party servers attached to every person who visits the site.
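The same inventory can be started from a page's saved HTML. The following is an added example, not part of the original article: it lists every external host that a page's markup makes the visitor's browser contact. The site address `shop.example`, the sample page and the function names are constructed for illustration, and the site's own subdomains are assumed to be first party.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a request; plain <a href> links are left out (no fetch until clicked).
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "source": ("src",),
    "link": ("href",),      # stylesheets, web fonts, icons
    "form": ("action",),    # where submitted data is sent
}

# Constructed sample page for a site assumed to live at https://shop.example/
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://static.shop.example/logo.png">
<img src="https://images.cdn.example/banner.jpg" />
<a href="https://elsewhere.example/">a link, not a fetch</a>
<form action="https://pay.processor.example/charge" method="post"></form>
</body></html>
"""

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.found.append((tag, urljoin(self.base_url, attrs[name])))

def third_party_hosts(html, site_url):
    """Return {external host: [tags that contact it]} for one page of HTML."""
    site_host = urlsplit(site_url).hostname
    collector = _Collector(site_url)
    collector.feed(html)
    hosts = defaultdict(set)
    for tag, url in collector.found:
        host = urlsplit(url).hostname
        # Skip data: URLs; the site's own host and its subdomains are first party.
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        hosts[host].add(tag)
    return {host: sorted(tags) for host, tags in sorted(hosts.items())}
```

A static scan like this only sees what is written in the markup; anything a script loads at run time still has to be found with the browser tools mentioned above.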
This was an interesting one for TPS. It isn't connected to any third-party servers, but the server is hosted by Linode, so they can track all the connections to the server. The server is run by Runcloud, so they could have access to the data. It uses Wordfence for security, so that will have access to the connections, and WP Statistics to view information about visits to the site. Plus emails are sent through Mailgun, so they will have access to the email addresses. It also pointed out how much work is left to be done to truly care for customers' data on the site. Eventually it will need its own hardware, email server, and secure web server.
Certain service providers that we use to operate our website may also gain access to your personal data.
What steps does the company take to keep personal data secure?
You need to declare how you secure people's data, and this doesn't just mean encrypting data on the site or hashing IP addresses but also who can read the data. Just employees, or is it being broadcast publicly? Do you use a web developer? Will they have access to your customer data, and do you have a policy covering that access? If the data is passed on to a third party, will it be anonymised? Is the data deleted when a customer leaves? Your data protection strategies have to be explained to the user so they can have confidence, or lack of it, when using the site.
The policy must also describe the users' rights regarding personal data (rectification, erasure, restriction, objection, transfer, etc.), including company contact information for data questions.
For instance, TPS has a policy of requesting users use fake names and fake email addresses. It also hashes the IP addresses of users so they can't be read in WP Statistics and deletes orders and the server logs each month.
Providing your personal data is optional. If you choose not to enter true information, we may be unable to provide some services, such as sending emails.
We will delete your personal data when it is no longer reasonably required. You may request a copy of your personal data and we will correct any errors identified by you. You may also restrict our processing of your personal data. All such requests, or any questions or comments regarding this policy or our handling of your personal data, should be addressed to our contact page.
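One way to hash IP addresses in server logs, shown as an added example rather than the method WP Statistics or TPS uses: a keyed hash (HMAC) whose secret is thrown away on the same monthly schedule as the logs. A plain unkeyed hash of an IPv4 address can be reversed by hashing every possible address, which the secret key prevents. The log lines are constructed, the function names are hypothetical, and the client address is assumed to be the first field of each line.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed access-log lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2018:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/May/2018:10:01:09 +0000] "GET /cart/ HTTP/1.1" 200 2048',
    '198.51.100.23 - - [03/May/2018:10:02:44 +0000] "GET /shop/ HTTP/1.1" 200 5120',
    '2001:db8::1 - - [03/May/2018:10:03:00 +0000] "GET / HTTP/1.1" 200 900',
]

LEADING_FIELD = re.compile(r"^(\S+)")


def new_period_key():
    """Random secret for one retention period; destroy it when the logs are deleted."""
    return secrets.token_bytes(32)


def pseudonymise_ip(ip, key):
    """Keyed hash of the canonical address: stable within a period, useless without the key."""
    canonical = ipaddress.ip_address(ip).compressed  # raises ValueError if not an IP
    digest = hmac.new(key, canonical.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def scrub_line(line, key):
    """Replace the client address at the start of a log line with its pseudonym."""
    def replace(match):
        try:
            return pseudonymise_ip(match.group(1), key)
        except ValueError:
            return "ip-unparsed"  # fail closed: never keep an unrecognised value
    return LEADING_FIELD.sub(replace, line, count=1)


def scrub_log(lines, key):
    """Scrub every line with the same key so visits can still be counted per visitor."""
    return [scrub_line(line, key) for line in lines]
```

Within one period the same visitor keeps the same pseudonym, so visit statistics still work; once the key is destroyed the pseudonyms can no longer be linked to an address or to the next period's values.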
This website stores some user agent data. These data are used to provide a more personalized experience and to track your whereabouts around our website in compliance with the European General Data Protection Regulation. If you decide to opt-out of any future tracking, a cookie will be set up in your browser to remember this choice for one year. I Agree, Deny.
Google recommends something more like,
Whatever the language used, it needs to provide informed consent to the user and there needs to be a record of that consent. Just continuing to browse does not imply consent.
The GDPR has been portrayed in the media as something to be worried about. It isn't, as all it does is clarify what we should all be doing anyway: taking care of users' data and explaining to them what is done with it. It does worry the advertising industry though, as they have largely been able to do what they wanted with user data in the past. Currently they are running around trying to cover themselves and find loopholes in the law with tactics such as industry-wide consents (one click and you let them all in) and cookie-less tracking solutions. Hopefully this will fail.