Privacy and cookies policy (social networking)
A website privacy and cookies policy can have more than one purpose. From a lawyer's perspective, the primary concern is compliance with disclosure of data protection legislation. Across the EU and in the UK, that means compliance with the General Data Protection Regulation and related legislation. However, there are also marketing and user relations perspectives.
Users expect website privacy policies and practices to be fair. For some users, unfair policies and practices may be enough to turn them away from a website or service. This is particularly true in the case of social networking websites and services, which process lots of personal information. This privacy and cookies policy template has been created with social networking websites specifically in mind. It is an adapted version of our standard privacy and cookies policy template, and contains many of the same provisions.
The key aspects of the policy are as follows.
Collection: what personal data are collected by the website? Typically, social network operators will collect, store and process usage data, profile information, information submitted in the course of using website services such as friendship data and private messaging data, and information imported from third party services such as Facebook and LinkedIn.
Use: for what purposes will the personal data be used? In addition to the obvious purposes such as enabling the operation of the website and the provision of website services, an operator may wish to use personal data for marketing and other potentially less-welcome activities. Where marketing activities require specific consent, a consent statement buried in the legal documentation will not be sufficient.
Disclosure: to whom may personal information collected through the website be disclosed? For instance, will it be disclosed to subcontractors, suppliers, professional advisors or other group companies? Personal information published on the website may, of course, be disclosed to the entire world.
Transfer: to which countries may personal data be transferred? The rationale for providing this information is that countries outside the UK and EEA may not have data protection laws equivalent to those within.
Retention: for what period or periods will personal data be retained by the operator? Some information may be required for so long as the website continues to operate, while other information may quickly lose its usefulness.
In addition to these "core" provisions, the section concerning personal data disclosures also covers amendments to the policy, data subjects' statutory rights and third party privacy policies.
The section concerning cookies is designed to aid compliance with the ePrivacy Directive and, in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as subsequently amended). In this section, the website operator should disclose information about the cookies used on the website, including analytics cookies and third party cookies. You will also need to consider how to comply with the consent requirements in the Regulations.Ask about this document
Privacy and cookies policy (social networking) contents
- The personal data that we collect: introduction to categories; processing of contact data; processing of account data; processing of profile data; processing of service data; processing of communication data; processing of usage data; processing of other data; disclosure of third party personal data.
- Purposes of processing and legal bases: setting out purposes etc of personal data processing; processing for operations (website and services); processing for publications; processing for communications (contact data, account data and communication data); processing for personalisation; processing for direct marketing (contact data, account data and profile data); processing for research and analysis (usage data and service data); processing for record keeping; processing for security; processing for insurance and risk management; processing for legal claims; processing for legal compliance and vital interests protection.
- Automated decision-making: personal data used in automated decisions; logic involved in automated decisions; significance of automated decisions.
- Providing your personal data to others: intra-group disclosures of personal data; disclosure of personal data to insurers etc; disclosures of personal data to subcontractors; disclosure of personal data to third party suppliers; disclosure of personal data necessary for legal compliance etc.
- International transfers of your personal data: introduction to international personal data transfers; international transfers within business; international transfers to hosting services provider; international transfers to subcontractors; publication of personal data on internet.
- Retaining and deleting personal data: data retention introduction; personal data retention default rule; personal data retention specific rules (social networking); personal data retention criteria; personal data deletion exception.
- Your rights: introduction to data subject rights list; list of data subject rights; learn more about data subject rights; exercise of data subject rights.
- Your rights: introduction to data subject rights summaries; list of data subject rights; summary of right to access personal data; summary of right to rectification of personal data; summary of right to erasure of personal data; summary of right to restrict processing of personal data; summary of right to object to processing of personal data; summary of right to object to processing of personal data for direct marketing; summary of right to object to processing of personal data for research purposes; summary of right to personal data portability; summary of right to complain to data protection supervisory authority; summary of right to withdraw consent to personal data processing; exercise of data subject rights.
- Third party websites: hyperlinks to third party websites; no responsibility for third party privacy policies.
- Personal data of children: website targeted at persons over specified age; deleting personal data of children.
- Updating information: correcting or updating personal information.
- Acting as a data processor: acting as a data processor; not applicable as data processor.
- About cookies: what are cookies?; persistent and session cookies; cookies and personal data.
- Cookies that we use: purposes for which cookies are used.
- Managing cookies: how to manage cookies; negative impact of blocking cookies; effects on website use of blocking cookies.
- Cookie preferences: managing cookie preferences.
- Amendments: amendment by publication; check for changes to policy; notification of changes topolicy.
- Our details: website operator name; company registration details; place of business; contact information.
- Representative within the European Union: identity and contact details of representative of data controller.
- Data protection officer: data protection officer contact details.