Privacy-Policy
Who we are
Our website address is: Thebuzzzfeed.com
Comments
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
What is a privacy notice?
A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.
Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.
According to the GDPR, organizations must provide people with a privacy notice that is:
- In a concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge
The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party.
If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
- The identity and contact details of the organization, its representative, and its Data Protection Officer
- The purpose for the organization to process an individual’s personal data and its legal basis
- The legitimate interests of the organization (or third party, where applicable)
- Any recipient or categories of recipients of an individual’s data
- The details regarding any transfer of personal data to a third country and the safeguards taken
- The retention period or criteria used to determine the retention period of the data
- The existence of each data subject’s rights
- The right to withdraw consent at any time (where relevant)
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences
If an organization obtains your data indirectly (via another organization), its privacy notice must provide all the same information, except for:
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
And instead must add:
- The categories of personal data obtained
Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either: no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.
Generally, a privacy notice will be provided in writing and, where appropriate, supplied electronically. Every organization that maintains a website should publish their privacy notice there, under the title “Privacy Policy,” and it should be accessible via a direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be provided on the same page where the data collection occurs. The GDPR also states that privacy notices must be available orally upon request to ensure comprehension and to aid the visually impaired.
GDPR privacy notice best practices
Privacy notices should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are purposefully vague. The writing should be in the active voice, and sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.
According to the European Commission’s GDPR guidelines, the phrases below are not sufficiently clear as to the purposes of processing. (We took these examples directly from the document.)
- “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them)
- “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to)
- “We may use your personal data to offer personalised services” (as it is unclear what the “personalization” entails)
On the other hand, these kinds of phrases are much better:
- “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used to enable this)
- “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it is clear what type of data will be processed and the type of analysis which the controller is going to undertake)
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalization entails and how the interests attributed to the data subject have been identified)
GDPR privacy notice template
Here we have provided a sample privacy notice template for a website that collects personal data directly from individuals. It contains all the necessary information in a clean, easy-to-digest format. You should modify the contents depending on whether this is a privacy policy for your website or a privacy notice about some other data processing activity.
Does the CPRA Apply to Your Business?
Under the CPRA, if you collect users’ personal data you must have a Privacy Policy that includes:
- An explanation of users’ rights and your data access request process
- A category-by-category explanation of the data you collect, where you got it, the purpose of collecting it, and who you have shared it with
Your CPRA-compliant Privacy Policy may already contain most of this information. But the CPRA creates several new consumer rights and notification requirements for businesses. You will need to review and, where appropriate, update your Privacy Policy to reflect these changes.
Relevantly, the CPRA amendment creates:
- A new category for data called sensitive personal information
- A right to correct personal information
- A right to opt out of data sharing
- A requirement for businesses to notify users of their data retention process
- A requirement for businesses to notify users of automated decision-making
Let’s take a closer look at each of these and how to address them in your Privacy Policy.
New Category For Data – Sensitive Personal Information
In addition to the 11 categories of personal information under the CCPA, the CPRA identifies a new category of data called sensitive personal information. If your business collects sensitive personal information, you will need to update your Privacy Policy and website to notify users of this.
What is Sensitive Personal Information?
Sensitive personal information includes:
- Government-issued identifying numbers, e.g. driver’s license, passport, or social security number
- Financial account details that allow access to an account, such as a credit card number and access code
- Genetic data
- Precise geolocation
- Race or ethnicity
- Religious or philosophical beliefs
- Union membership
- The contents of a user’s mail, email, or text messages (unless your business is the intended recipient)
- Biometric data, when collected for the unique identification of a user
- Health data, when collected and analyzed
- Sexual orientation or sex life, when collected and analyzed
If the information is already publicly available, it isn’t sensitive personal information.
If your business collects any of the above data, you need to include sensitive personal information as a separate category in your Privacy Policy, explaining where you collected it, the purpose of collecting it, and who you have shared it with.
For example, MicroStrategy’s current Privacy Policy includes a separate section for California residents, listing the eight categories of personal information it collects:
Key updates in the CPRA include:
- The establishment of the California Privacy Protection Agency to monitor and enforce the CPRA
- Further restrictions on how businesses handle users’ personal data
- Enhanced data protection rights for consumers
If the CCPA does not currently apply to your business, then the CPRA won’t apply.
Under the CPRA amendments, the CCPA now applies if:
- Your annual gross revenue exceeds $25 million
- You process the personal data of more than 100,000 California residents or households in a year, or
- You generate at least half of your annual revenue by sharing or selling the personal data of California users
If any of these criteria apply to your business, you will need to review and update your Privacy Policy to make sure it’s compliant with the CPRA.
How to Create a CPRA-Compliant Privacy Policy
Under the CPRA amendment, if MicroStrategy collects sensitive personal information, it will need to add it to this table as a separate category.
User Rights Regarding Sensitive Personal Information
The CPRA amendment allows users to limit the collection and use of their sensitive personal information.
This must be done via a link from your homepage labeled “Limit the Use of My Sensitive Personal Information.” This link should direct users to a separate page where they can register their preferences.
If a user exercises their right to limit the use of their sensitive personal information, it can only be used in very limited circumstances including “to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.”
Where your data is sent
Visitor comments may be checked through an automated spam detection service.