Skip to Content Skip to Navigation

Understanding the different types of personal data that should be disclosed in a GDPR-compliant privacy policy isn’t easy, especially in an online world where people are tracked in innumerable ways.

One of the main categories of personal data is “device data”. That is, any data generated by a person’s computer, mobile phone, web browser, or other device or application which could be used to personally identify them. Examples of device data could be online identifiers such as IP addresses, cookies, pixel and ad tags, JavaScript, and even radio frequency identification (RFID) tags.

If you’re wondering where you’d actually be collecting device data from, you could already be doing so through your online advertising campaigns and website analytics. Both rely on the use of online identifiers to track and target users based on their interests and online behaviours, and the information collected by each can be used to build “profiles” of individuals.

While it’s unlikely that your small business would ever go to such pains, playing safe means staying on the right side of the GDPR by disclosing the collection of any device data by your business. We recommend conducting a review of your website, app, or landing page for any tools that could be collecting device data in the background.

As most popular online marketing and analytics tools are also required to comply with the GDPR, they should have a Terms of Service which will clearly explain the specific types of device data being collected and the method of collection.

In most cases, all you’ll need to do is restate this in your own privacy policy and Terms of Use, and if required, add a cookie consent banner to your website.

Generate a GDPR-Ready Privacy Policy

Get your small business GDPR compliant by starting with a clear and easy-to-understand privacy policy. Create your privacy policy now.