It’s been reported that the Office of Fair Trading (“OFT”) intends to collaborate with the Information Commissioner’s Office (“ICO”) to further explore consumer protection and data protection issues related to the collection and use of consumer information by online retailers.
It seems that both the ICO and the OFT are concerned that consumers are uneasy about the range of personal information collected about them, and often have little understanding of how online businesses obtain or use their information, of the privacy notices they are shown, or of the steps they can take to protect their privacy.
How exactly will the privacy notice review be carried out?
As regular readers of Brodies TechBlog will know, the ICO is the UK’s independent regulator promoting public access to official information and protecting personal information, and has regulatory powers under the Data Protection Act 1998 (“DPA”) and associated codes of good practice.
The OFT is the UK’s independent consumer and competition authority, with a broad remit covering the whole of the UK economy. Its powers are not easy to summarise but it can obtain court orders against businesses which do not comply with their legal obligations to consumers, in addition to issuing fines.
The ICO publishes details of how it collaborates on specific initiatives with various bodies – including the OFT – on its website, but at present there is no memorandum of understanding describing how the organisations intend to work together on this particular issue. The OFT has issued a press release stating that “the OFT or others” could take “enforcement action” against online businesses, where there is evidence of misleading or unfair practices, such as consumers being misled about the reason information is being collected from them.
The OFT has apparently already written to over 60 leading online businesses to ensure they are transparent with consumers about how they collect and use their data. The ICO, meanwhile, is currently examining 250 UK-based sites, looking closely at how easy their privacy policies are to read and how clearly they explain how personal information is being handled.
Complying with the law when collecting data
Collecting data on individuals involves the “processing” of “personal data”, and such processing needs to be carried out in accordance with the requirements of the DPA. In very basic terms, the processing must be fair and lawful, and at least one of the conditions in Schedule 2 to the DPA must be met – for example, the consent of the individual concerned. However, notwithstanding that consent (or other Schedule 2 condition), the data collected must also be adequate, relevant and not excessive in relation to the purpose for which they are collected.
In terms of fairness, businesses should seek to ensure that the privacy notice information in their terms and conditions of business, and/or on their website, is sufficiently proximate to the actual processing taking place in order to make that processing fair. The ICO has suggested (in general terms) that data controllers should be open and honest about how they intend to use data, and actively communicate to individuals appropriate privacy notices when collecting the personal data of those individuals.
Some basic helpful hints on creating a DPA-compliant privacy notice include:
- telling customers who your business is, and what is going to be done with their information.
- making sure the policy is clear, honest and understandable by the people it is aimed at.
- avoiding confusing mixtures of ‘tick here to opt in’ and ‘tick here to opt out’, and ensuring that consent boxes aren’t pre-ticked.
- making sure customers know the difference between information which is essential to provide in order to get goods or services, and information which is optional.
- reviewing the privacy notice from time to time to make sure it is accurate, up to date and accessible to customers.
The ICO’s Privacy Notices Code of Practice is also helpful.
On June 12, 2013