Why is Privacy Policy required by default?

The issue of the privacy policy has been brought up a few times now.

We plan on making it optional and having you select which of your created consent types is the one we should use for tracking (currently privacy-policy).

Thank you for your reply.

In practice, will there be the possibility of deciding which options to activate – separately – on simple site view and on user registration?

I wish you a good work!

What options would you like to disable/enable?

Well, I am trying to fully understand what the EU law requires, and for this reason do not take my assumptions as totally correct.

In practice, I think that the user registration process involves privacy acceptance, whereas the simple website visit only requires cookie acceptance or refusal.

Take for instance how C.B. works (I do not know if I can write the full name as it is a commercial service…). On website visit it gives you the possibility of accepting or refusing cookies classified by category (required, web analytics, marketing…). No acceptance on privacy at simple site visit stage.

Therefore I think that the best solution would be the possibility of accepting each single option at site view or at user registration, or both. This would give us the chance of limiting privacy acceptance on user registration only.

Thank you!

Hi,

@flaviowordpress

I am not a law expert either, but the way I see it is this:

If a site doesn’t use any cookies, then it’s okay not to have a privacy policy. But if it does, and the cookies are not necessary for site functions or they are persistant, then you need to have a privacy policy.

In the privacy policy you can give a dumbed down explanation of what each cookie does. Then, and only then your visitors can truly make an educated decision about the cookies they are willing to accept.

In my opion, it is better to be safe than sorry and collect a clear consent about privacy policy from each visitor, so you can show if neccessary, that the implications of their consent have been made clear to them.

Hello @tt74, thank you for your contribution.

I think things are a bit mixed up. The present EU Cookie Law (which came into force on June 3rd 2015) was made to regulate the use of cookies produced by websites and block them, waiting for the user’s assent on their use. Nothing was said about personal data handling.

That’s why sites were equipped with the cookie banner and the OK button to accept the use of cookies (and not the use of personal data).

The 2018 GDPR is made to protect personal data and privacy at all levels, and both cookies and data handling must be accepted before proceeding, but…

1) Cookies must be accepted before visiting the website;

2) Data handling must be accepted before sending an e-mail or doing other stuff that implies the transfer of the user’s personal data.

We need to comply with both obligations, but in different stages. I do not need the user’s assent to get his data if he only visits my site. All I have to do is protect him from cookies arising from my website if he does not want to be tracked.

Later on, if he/she wants to write me, I’ll ask for his/her assent on data handling just before clicking on the “Send mail” button.

Obviously this is just my view of the thing, and I have based my request and my post on it.

In my opinion obligations 1 and 2 can’t be seen as separate.

In Article 4 – Definitions says:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

It would seem that even logging user’s IP-address is considered as gathering and processing personal data, and needs a consent. Therefore I see the need for consenting to well drafted Privacy Policy in any case.

• This reply was modified 6 years, 6 months ago by TT74.

IPs can be anonymized in Google Analytics.

Nevertheless, although anonymized, in all my sites Google Analytics cookies are blocked until user accepts.

Despite this, IMHO the policy acceptance should be optional.

This will become the behavior in the near future.