Mike Hintze


The need to include specific types of information in a privacy statement is a GDPR compliance obligation that does not get as much attention as some other GDPR requirements. Perhaps that is because privacy statements have been much maligned in recent years. They are too long and full of legalese. Nobody reads them. They are part of a notice and consent approach to privacy that puts an unrealistic burden on consumers to make informed choices. But despite these well-known criticisms, the GDPR doubles down on privacy statements. In fact, gauging by the roughly fourfold increase in privacy statement requirements compared to the previous law, the GDPR quadruples down. As a result, ensuring that a privacy statement is GDPR-compliant is one of the more important obligations that companies must navigate. And meeting the privacy statement requirements effectively is not as simple as it might first appear. This Article discusses how companies should approach and craft their privacy statements to meet these new GDPR requirements, thereby reducing their risk.