ICO joins global sweep to improve website privacy policies

Too often organisations are using privacy notices to protect themselves rather than inform the public, the Information Commissioner’s Office (ICO) said in a recent blog. The ICO has been examining the privacy policies of 250 websites based in the UK as part of a global sweep to improve the privacy policies of websites.

The ICO was one of 19 national data protection authorities that took part in the week-long exercise (May 6-10), organised by the Global Privacy Enforcement Network (GPEN).

The ICO examined how easy the privacy policies/data collection notices were to read and how clearly they explain how the website owners handle personal information provided by website visitors.

ICO tips for privacy policies/data collection notices

• Do customers know who you are and what you are going to do with their information? The privacy policy gives you a chance to tell them
• Make sure your policy is clear, honest and will be understood by the people it is aimed at
• Avoid confusing mixtures of ‘tick here to opt in’ and ‘tick here to opt out’, and don’t pre-tick consent boxes
• Make sure customers know the difference between information they need to provide to get the goods or services they’ve requested and information which is optional
• Review your privacy notice from time to time to make sure it is accurate, up to date and accessible to your customers.

You can also get more tips from the ICO’s privacy policy guide for more detailed advice about collecting and using personal information.

Next stage in privacy policy/data collection notices global sweep
The results will be sent to the Office of Privacy Commissioners for Canada who will publish a report this autumn giving a global overview of whether the privacy policies/data collection notices of the websites examined by all the national data protection authorities are compliant. It is also expected that the report will identify websites where further action may need to be taken by website owners to ensure compliance with national and international data protection legislation.

This global privacy sweep demonstrates how national data protection authorities are coordinating their enforcement activity in areas such as the internet which go across national boundaries and which can have a great impact on an individual’s data protection/privacy rights.

Implications for EU data reform & UK businesses
It is highly likely that the new EU Data Protection Regulation will contain rules requiring website owners to specifically ensure that their privacy policy/data collection notice is clear and easy to understand.

There is also a competitive advantage to be gained as consumers are more likely to give you their personal information if you are transparent about how you are going to use it in the future. Channel 4 has managed to strike the right balance with its privacy policy and is a good example of transparency in action. You can also contact the DMA legal team for help and advice.

James Milligan, Solicitor, Direct Marketing Association