Under the GDPR, data controllers are tasked with communicating to data subjects how their data is processed in a way that is both concise and transparent. From a consumer-protection perspective, this is undoubtedly one of the regulation’s more commendable requirements; as many who have drafted website privacy policies understand, there is often tension between the twin goals of concision and transparency. Providing fully transparent disclosure about data-processing activities, while keeping such disclosures brief and easily readable, can be a tricky balance to strike.

One question the GDPR may prompt is whether it makes sense for an organization to maintain separate residency-dependent privacy policies, or a single, all-encompassing policy. There are pros and cons to each, and what works best for a particular organization will often depend on the operational impact of each, as well as the usability of each by the relevant data subjects.

THE MULTIPLE PRIVACY POLICIES APPROACH

Organizations that treat data-subject information differently depending on its origination point, or that opt not to extend the enhanced protections offered under the GDPR to non-European data subjects, may prefer to maintain separate residency-dependent privacy policies.

In this instance, the benefit is that each policy can be tailored, and made fairly concise and readable, as it is not “cluttered” with terms that are irrelevant to the user. Some organizations may also favor this approach if they prioritize making as few disclosures as required by local law and are concerned that a GDPR-compliant policy would cause operational headaches if applied more broadly.

The downside is that, on an individual basis, although each privacy policy may be easier to read because it is tailored to a particular jurisdiction, the organization may have challenges administering its policies consistently. Additionally, the availability of multiple privacy policies on a website can cause confusion for data subjects regarding which applies to them. And while the level of transparency required by the GDPR may not, per se, be required under U.S. law, the fallout from the Facebook/Cambridge Analytica scandal suggests that organizations may still face reputational hardships in the U.S. as a result of lost consumer confidence caused by being less than frank about how personal data is processed. Accordingly, there may be good business reasons for rolling a GDPR-flavored privacy policy out more generally.

THE SINGLE PRIVACY POLICY APPROACH

Another approach is for organizations to maintain a single website privacy policy for all data subjects that contains short, jurisdiction-specific sections. Organizations that would tend toward this approach would likely be those that process larger amounts of personal data, such that tracking where it came from and processing it under different policies would make for significant operational challenges. Some organizations may also find this approach appealing because of the marketing opportunities it affords, as it would allow them to highlight their transparency and efforts to go above the minimum disclosures set by local law.

This approach is generally simpler for data subjects to navigate, as no decisions need to be made about which policy may apply. It also may be easier to administer, as it would have fewer distinctions between how personal data is treated, depending on its country of origin. For these reasons, it’s the more popular choice as of the date of this blog posting.

The drawbacks to this approach are that the single policy will be longer than the more tailored multiple policy approach, as it will include potentially irrelevant terms specific to certain residents. Some organizations also reject it because they prefer not to exceed the minimum amount of disclosures required by local law.

YOUR ORGANIZATION’S APPROACH DEPENDS ON ITS DATA SECURITY AND PRIVACY CULTURE

Large, multinational corporations that operate fairly differently, with distinct teams overseeing the data-processing activities in different countries, may prefer the flexibility offered under a residency-specific approach. Organizations that have a single team managing the data processing globally may prefer the uniform privacy policy approach, as it is often impractical to reliably tag personal data based on country of origin and apply different policies. Like many policy decisions, the best approach depends largely on the specific organization’s culture and operational realities.