It’s been reported that the Office of Fair Trading (“OFT”) intends to collaborate with the Information Commissioner’s Office (“ICO”) to further explore consumer protection and data protection issues related to the collection and use of consumer information by online retailers.

It seems that both the ICO and the OFT are concerned that consumers are uneasy about the range of personal information collected about them, and often have little understanding of how online businesses obtain or use their information, of privacy notices, or of the steps they can take to protect their privacy.

How exactly will the privacy notice review be carried out?

As regular readers of Brodies TechBlog will know, the ICO is the UK’s independent regulator promoting public access to official information and protecting personal information, and has regulatory powers under the Data Protection Act 1998 (“DPA”) and associated codes of good practice.

The OFT is the UK’s independent consumer and competition authority, with a broad remit covering the whole of the UK economy. Its powers are not easy to summarise but it can obtain court orders against businesses which do not comply with their legal obligations to consumers, in addition to issuing fines.

The ICO publishes details of how it collaborates on specific initiatives with various bodies – including the OFT – on its website, but at present there is no memorandum of understanding describing how the organisations intend to work together on this particular issue. The OFT has issued a press release stating that “the OFT or others” could take “enforcement action” against online businesses, where there is evidence of misleading or unfair practices, such as consumers being misled about the reason information is being collected from them.

The OFT has apparently already written to over 60 leading online businesses to ensure they are transparent with consumers about how they collect and use their data. The ICO, meanwhile, is currently examining 250 UK-based sites, looking closely at how easy their privacy policies are to read and how clearly they explain how personal information is handled.

Complying with the law when collecting data

Collecting data on individuals involves the “processing” of “personal data”, and such processing needs to be carried out in accordance with the requirements of the DPA. In very basic terms, the processing needs to be fair and lawful and otherwise in accordance with a Schedule 2 condition of the DPA – for example, the consent of the individual concerned. However, notwithstanding that consent (or other Schedule 2 condition), the data collected must be relevant and not excessive in relation to the purpose for which they are collected.

In terms of fairness, businesses should seek to ensure that the privacy notice information in their terms and conditions of business, and/or on their website, is sufficiently proximate to the actual processing taking place in order to make that processing fair. The ICO has suggested (in general terms) that data controllers should be open and honest about how they intend to use data, and actively communicate to individuals appropriate privacy notices when collecting the personal data of those individuals.

Getting your privacy policy right

Some basic helpful hints on creating a DPA-compliant privacy notice include:

  • telling customers who your business is, and what is going to be done with their information.
  • making sure the policy is clear, honest and understandable by the people it is aimed at.
  • avoiding confusing mixtures of ‘tick here to opt in’ and ‘tick here to opt out’ boxes, and ensuring that consent boxes aren’t pre-ticked.
  • making sure customers know the difference between information which is essential to provide in order to get goods or services, and information which is optional.
  • reviewing the privacy notice from time to time to make sure it is accurate, up to date and accessible to customers.

The ICO’s Code of Practice is also helpful.

Brodies’ Intellectual Property, Technology and Outsourcing team can assist you in developing a privacy policy that will help your business to comply with its obligations under the DPA. If you would like to discuss this further, please get in touch with me or your usual Brodies contact.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies’ Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and on IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR) and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.