This week Thomas returns, to highlight why you should care about your website privacy notice. Over to Thomas to explain all...
There have traditionally been two reasons to publish one: first, to reassure visitors that their data is safe and that you will not sell it or spam them with marketing messages; and second, because the Data Protection Act 1998 requires anyone who collects personal data to comply with certain rules. Compliance is administered by the Information Commissioner’s Office (“ICO”).
After several small changes, the rules changed dramatically with the Data Protection Regulations 2013. To emphasise the changes, a simple new name was adopted for the document: a “privacy notice”. (The new regulations are technically part of the Act.)
The ICO suggests placing the information you need to provide in a privacy notice, and making that page available from any page on your site. In that way, you comply with the need to make the information accessible whenever someone might need it. Most sites link to it in the footer.
The main changes are:
Your privacy notice must contain a lot more information than before.
Your obligations to comply are greater.
There is a whole new obligation around cookies. You have to ask every visitor to your website for consent before you set cookies that are not strictly necessary for the service they have asked for – hence those little pop-ups about cookies everywhere.
There are exceptions. If you use social media accounts as a front for your business (such as a Facebook page), or your store is within another site, such as Etsy, Amazon or eBay, then it is the responsibility of the store provider or social media site to inform visitors.
The law aims to make sure that information is collected and used fairly and transparently. A privacy notice should give an individual information about the organisation, how the data will be used, and who the data will be shared with. It must take into account the current use of the data as well as likely future uses.
The Information Commissioner’s Office (ICO) has created a “Code of Practice” (which is well worth reading) to guide businesses as to what they should tell their visitors and customers. Although you don’t have to follow the Code, you do have to comply with the law, and following the Code is the easiest way to do this.
The Code is based on the Act’s eight data protection principles. We can summarise them in six as:
You take personal information only if you really need it for your transaction with your user, and only to the extent that you need it.
You use the data only for the purpose for which it was given, and not for anything incompatible with that purpose.
Personal data you record must be accurate and kept up to date. (There is no help with how you are to do that. We assume it applies mainly to data you do not take directly from the human owner; for data the user supplies, giving them a way to view and correct it is the practical answer.)
You must not keep the data for longer than you need it for the purpose for which it was given.
You must take appropriate technical and organisational steps to prevent unauthorised use of the data, and to protect it against loss or damage.
You must not transfer the data to a country outside the European Economic Area unless that country provides an adequate level of protection for it.
The good news is that although there are criminal sanctions for breach, no organisation has the money and manpower to police this law thoroughly. Any redress for a breach is likely to come through a civil court. However, that will not be very effective either, because the aggrieved person would have to prove that the breach had caused them a loss, usually a financial one.
So, a cynic might say that provided you comply as best you reasonably can, this law is unlikely to hit you hard. That means just two things:
Get a really good privacy notice; and
Show one of those cookie permission pop-ups.
Your privacy notice needs to be readable. That means both that your visitors must understand it (a good reason to use plain English rather than legalese) and that the font style and size should be large and clear.
It is tempting to copy the notice of a competitor, but you should be careful in doing so. Theirs might not be a good example – it might not comply with the law, or their business might be slightly different to yours. It is better to find a template online that you can customise from scratch. Net Lawman, for example, provides one for free.
It is probably something you would rather not deal with, but making sure you have a good privacy notice in place will benefit your new business.
Thomas Taylor is a director of Net Lawman, an alternative for small and growing businesses to using a solicitor to obtain legal documents. He is a qualified accountant (FCCA, FPA/FIPA).