Due to existing and upcoming legislation any online presence will necessitate the publishing of a privacy policy and privacy compliance in general.

Nearly all websites interact with and collect data about their visitors in one way or another. So anyone that has a website and intends to have people visit that website, will need to include a privacy policy.  

GDPR requires websites to inform users about what data they collect, how it’s used, stored and protected along with information about users rights in regards to their data. The disclosures should be transparent, easily understandable, comprehensive and up-to-date. Failure to meet regulatory requirements can result in hefty fines (Article 83). These regulations apply to all organizations (including non-profits) that access data or offer goods or services to people in the EU. The GDPR applies whether the organization is located in the EU or not.

The upcoming Digital Services act which will enter into force on January 1 2024 will compel online marketplaces to take an active role in confirming the compliance levels of E-commerce sites, who do business through that marketplace. Article 22, for instance, makes online marketplaces actively check if E-commerce sites are compliant with GDPR. The Directorate-General (DG) for Communications Networks, Content and Technology, clarified that Article 22(1)(f) of the DSA, indeed obliges the party concerned to self-certify that it complies with applicable EU law, which includes GDPR. Where the E-commerce site fails to provide correct or complete information, the online marketplace shall suspend that site from its marketplace. Read more about the DSA here.

Failure to comply with these obligations may give cause to fines for the marketplace running up to 6% of the annual turnover. Do note that these fines are additional to the GDPR fines and liabilities already in place.

Online marketplaces will simply not be able to afford doing business with parties that do not publish a solid privacy policy.

The DSA also holds relevant provisions for hosting firms.

A hosting firm that is NOT a platform is not liable for information they host if they don’t know it’s illegal content and they disable access once they are aware of the fact the content is illegal.

Hosting firms shall put mechanisms in place to allow any individual to notify them of the presence on their service of specific items of information that the individual or entity considers to be illegal content and notices that include specific elements shall be considered to give rise to actual knowledge or awareness that makes the hosting service liable for the illegal content.

What is illegal content? ‘Illegal content’ means any information, which, in itself or by its reference to an  activity, including the sale of products or provision of services is not in compliance with the law.

This  is a very broad definition. The DSA gives examples ranging from illegal hate speech or terrorist content to activities involving infringements of consumer protection law. One of the cornerstones of consumer protection law is the Unfair commercial practices directive (UCPD). Under Articles 6 and 7 of the UCPD, traders should not mislead consumers on aspects that are likely to have an impact on their transactional decisions.

The collection and processing of personal data must comply with GDPR. A trader’s violation of the GDPR will not, in itself, always mean that the practice is also in  breach of the UCPD. However, such privacy and data protection violations should be considered when assessing the  overall unfairness of commercial practices under the UCPD.

From a UCPD perspective, the first issue to be considered concerns the transparency of the commercial practice. Under Articles 6 and 7 of the UCPD, traders should not mislead consumers on aspects that are likely to have an impact  on their transactional decisions. Furthermore, the information requirements from the GDPR may be considered as material  information under the UCPD Article 7(5). 

In conclusion : Violation of GDPR can constitute a violation of UCPD. Violation of consumer protection law (such as UCPD) can be illegal content.  So if a violation of GDPR is notified to the hosting firm, the hosting firm must consider and act.

It is more than ever a best practice to make sure every website has a privacy policy.