HIGHER DIGITAL turned questions about its personal data practices into an opportunity to improve customer satisfaction and address new GDPR requirements. We created a more transparent Privacy Policy and opt-in process, while removing boilerplate language that was unnecessarily intrusive and went beyond anything we ever intended to do with customers’ personal data.

Higher Digital recently updated its Privacy Policy, as well as the opt-in process required before we will collect any personal data from our users. We did this partly in response to concerns raised by potential customers about language allowing broad categories of sharing, selling, and use of personal data. We never actually intended to do any of these things with our customers’ information, but we based our original policy on boilerplate language that many companies use as a template.

Such boilerplate policies should also evolve in light of another recent development, the General Data Protection Regulation (GDPR), which went into effect May 25. This broad European Union regulation covering the collection and use of personal information extends EU privacy regulation to U.S. organizations in significant new ways.

In response, we have changed our privacy policy to:

  • Remove unnecessary language about using personal data for targeted advertising, and authorizing the sharing and selling of such data without restriction;
  • Describe precisely what we do with our users’ data, including the roles of third-party service providers we have integrated into our digital products and services;
  • Provide clear, high-level descriptions of our practices directly on our web site, where users must opt in before providing personal data.

While the GDPR doesn’t really apply to us today, it will become more relevant as we expand globally. Conveniently, this dovetails with Higher Digital’s desire to provide more transparent and precise information to our users about the ways that their personal data will be protected, while also helping us provide quality products and services.

This new regulatory framework essentially requires organizations to implement generally accepted best practices in the protection, use, and availability of personal data – which may seem onerous to some, but most organizations have no reason to panic. However, they do need to evaluate its impacts and take whatever measures seem appropriate. The GDPR is a complicated regulation, with compliance guidelines and enforcement priorities that are still evolving. Watch for my follow-up article providing more general advice on addressing the GDPR – and similar regulations that are pending in California – to institutions we serve and others who face similar challenges.


Paul Hyland is Principal Technical Product Consultant at Higher Digital, and oversees, develops, and maintains its web site, including policy documents. He has drafted, updated, and maintained privacy policies for over 15 years, and consulted with media, nonprofit, and government organizations on privacy and security policies and practices – recently including assessing the impacts of GDPR.