Organizations that collect or use European Union (EU) residents' personal data must comply with the General Data Protection Regulation (GDPR). But what about the owners of websites and apps that don't collect data?

This article explains whether the GDPR applies if you don't collect data and how to comply with the GDPR when that's the case.

Does the GDPR Apply if You Don't Collect Data?

The GDPR applies to you if you collect or process (use) personal data belonging to EU residents or if you are located outside of the EU and offer goods or services to EU residents or monitor EU residents' behavior.

Personal data is any information that relates to an identifiable person, such as names, email addresses, driver's license or Social Security numbers, and health and financial information.

If you don't process personal information and don't engage in business activities that could potentially harm individuals in the EU, certain parts of the GDPR won't apply to you. For instance, you may not need to fulfill the GDPR's Data Protection Officer (DPO) requirement.

However, even if your website or app doesn't directly collect or use personal data, if you integrate certain plugins or software development kits (SDKs) that collect data, you still have to comply with the GDPR.

For example, Google Analytics collects data from websites and apps and produces reports to show how they are performing. You might not directly ask users of your website or app to submit their personal data, but if you use a tool like Google Analytics you will need to follow the GDPR's rules.

Similarly, many apps use SDKs. SDKs are tools that help support an app's functionality. SDKs can enable the tracking of users' in-app behavior and that data can then be sent to other companies. These companies could then use that data to create targeted advertisements.

For instance, Facebook's ad SDK shows targeted ads to users in any apps that have the SDK. Ad network SDKs can also collect user data to transmit to the ad network. Let's say a user downloads a real estate app that uses Facebook's ad SDK. Their data may be sent back to Facebook and they might start seeing ads for real estate-related products or services when they log in to Facebook.

The GDPR requires applicable organizations to inform EU residents about how their data is used and shared.

Article 13 of the GDPR states that data subjects (individuals to whom personal data belong) must be informed about why their personal data is being processed and who the data will be shared with.

Do You Need a Privacy Policy if You Don't Collect Data?

Many global and state privacy laws (including the GDPR) require businesses that handle consumers' personal data to maintain a Privacy Policy that is accessible from their websites and apps.

However, even if you don't collect any data, you should still have a Privacy Policy for the following reasons:

  • Many third parties and app stores require businesses to maintain a Privacy Policy
  • Having a Privacy Policy helps build trust with your audience
  • Maintaining a Privacy Policy can help you stay ahead of constantly evolving privacy legislation

You can use your Privacy Policy to show your audience (and authorities) that you don't collect personal information and to describe how you protect consumers' privacy rights.

Brave Search's Privacy Notice explains that it doesn't collect personal information and that it only collects usage metrics with users' consent.

Similarly, Social Science Statistics' Privacy and User Consent Policy lets users know that it does not collect personal information, but that it does use cookies for data tracking purposes, and it does use third-party platforms that collect data for advertising purposes.

Imgur's Privacy Policy lists the types of information it collects and reassures users that it does not collect any kind of data that could be considered personal information. It explains that it uses the data it collects for analysis and functionality purposes and to comply with applicable laws and requests from public authorities.

Do You Need to Conduct an Audit if No Data Is Being Collected?

The GDPR requires applicable businesses to perform data protection impact assessments to identify privacy risks and ensure their data processing activities are in compliance with the law.

You should run an audit even if you don't think you are collecting any data. Websites that don't collect data directly might still be involved in data collection activities through third parties, web forms, and contact forms.

An audit can help you:

  • Identify potential risks
  • Ensure third parties have compliant privacy practices
  • Maintain a record of your compliance

Do Third Parties Require Website Owners to Comply With the GDPR?

Even if you don't collect data, many third parties do, and therefore require any website owners that use their services to comply with the GDPR.

Google Analytics' Terms of Service agreement explains that any websites that use its features must maintain a Privacy Policy and comply with any laws relating to collecting information from users.

Mailchimp's Standard Terms of Use agreement lets its customers know that they must post a Privacy Policy that complies with applicable data protection laws and contains a link to its Global Privacy Statement.

Stripe's Services Agreement explains that anyone who uses its services needs to have a compliant Privacy Policy, get consent from users to allow Stripe to collect and use their data, and comply with laws governing their use, storage, and disclosure of personal information.

As you can see, many third parties require you to comply with applicable privacy laws (including the GDPR) if you use their services, even if you don't directly collect data.

Summary

The GDPR applies to:

  • Businesses that collect or process personal data belonging to EU residents, or
  • Businesses that are located outside of the EU and offer goods or services to EU residents or track EU residents' behavior

If you don't meet the above criteria, some parts of the GDPR, such as the GDPR's DPO requirement, won't apply to you.

However, even if you don't collect data directly, if you use plugins, SDKs, or any other third parties that collect data, you will need to comply with the GDPR.

You should maintain a Privacy Policy and conduct audits to ensure GDPR compliance even if you don't think you collect any data.

Many third parties require website owners that use their services to comply with applicable privacy laws, including Google Analytics, Mailchimp, and Stripe.
