Data Protection (GDPR)
How data protection law affects copywriting, from handling client data to writing privacy notices.
Key points
- GDPR affects how you handle client data and what you write about data collection
- Privacy notices must be clear, concise and written in plain language
- Marketing copy involving personal data has specific requirements
- Be careful with AI tools and client data
What the Code says
The Code of Practice addresses data protection directly: “Handle personal data in accordance with data protection regulations” and “Ensure clear, transparent privacy communications.”
As a copywriter, data protection affects you in two ways: how you handle data in your own business, and what you write for clients about their data practices.
GDPR basics
The UK GDPR (retained from EU law) and Data Protection Act 2018 govern how personal data must be handled. The key principles are:
- Lawfulness, fairness and transparency — be clear about what you’re doing with data
- Purpose limitation — only use data for specified purposes
- Data minimisation — don’t collect more than you need
- Accuracy — keep data correct and up to date
- Storage limitation — don’t keep data longer than necessary
- Security — protect data appropriately
These principles should guide both your own practices and the copy you write about data handling.
Handling client data
As a copywriter, you’ll often receive personal data from clients — customer research, contact lists for email campaigns, case study subjects. Handle it carefully:
Storage and security
- Store client data securely (encrypted, password-protected)
- Don’t keep data longer than needed for the project
- Delete or return data when the project ends
- Use secure methods to transfer sensitive data
AI tools and data
- Don’t input personal data into AI tools unless you’re certain about their data practices
- Check your client’s policy on using AI with their data
- Anonymise data before using it for AI-assisted analysis
Many AI tools process data on external servers and may use inputs for training. Never paste personal data, confidential client information, or trade secrets into AI tools without understanding their data handling.
Writing privacy notices
Privacy notices must be “concise, transparent, intelligible and easily accessible, using clear and plain language.” This is a legal requirement, not just best practice.
What a privacy notice must include:
- Who you are (identity and contact details)
- What data you collect and why
- The legal basis for processing
- Who you share data with
- How long you keep data
- People’s rights (access, deletion, etc.)
- How to complain to the ICO
Writing tips:
- Use short sentences and paragraphs
- Avoid jargon — “we” and “you” not “the data controller” and “data subjects”
- Use headings and bullet points for scannability
- Be specific — “marketing emails” not “legitimate interests”
Marketing copy and consent
When writing marketing copy that involves collecting personal data, ensure:
Sign-up forms
- Consent language is clear and specific
- Pre-ticked boxes are never used for marketing consent
- It’s obvious what people are signing up for
- Opt-in is separate from other terms acceptance
Email marketing
- Unsubscribe must be easy and obvious
- Sender identity must be clear
- Subject lines shouldn’t be deceptive
Cookies and tracking
- Cookie consent must be informed and active
- Essential cookies can be distinguished from optional ones
- People must be able to decline non-essential cookies easily
There’s an exception for existing customers: if someone has previously bought from you, you can email them about similar products without fresh consent. But you still need clear unsubscribe options.
Summary
Data protection isn’t just a compliance checkbox — it’s about respecting people’s privacy and being transparent about how their information is used. Good data protection copy builds trust.
When writing privacy notices or consent language, remember that most people won’t read every word. Your job is to make the key information as clear and accessible as possible.