Privacy notices – what should be in the ICO's next code?

The ICO confirmed to Out-Law.com that it intends to replace the current privacy notices code (26-page / 1.63MB PDF), which dates back to December 2010, and that it will launch a consultation on a revised code this autumn.

The changes will impact on every UK business as companies across all sectors look to maximise the value of data, whether to build better products, services, customer channels, marketing outputs, security protocols or forecasts and predictions.

Businesses need to be encouraged to select smaller snippets of information about privacy and data protection and bring this information to consumers' attention first. They need to embrace innovative new ways of presenting information which reflect digital trends and the continual growing use of mobile devices.

The ICO should focus its work on updating its code on providing clear guidance on these issues. Its work should also complement and expand on an approach that the Financial Conduct Authority (FCA) is currently promoting for customer communications made by businesses in the financial services sector.

Why is change necessary?

Subject to a few limited circumstances, organisations have a duty to tell consumers what personal data they intend to collect about them and what uses they intend to make of that data to comply with data protection laws.

The ICO's current privacy notices code provides guidance on what businesses need to do to meet these transparency obligations. The code supports the long-standing principle that companies need to disclose a comprehensive amount of information to customers about privacy and data protection. This has contributed to businesses producing privacy policies which set out in many words the arrangements for intended data collection, use and sharing with third parties.

However, these lengthy documents are often largely ignored and can be unsuitable for viewing on mobile devices. Many consumers will click past a privacy policy and not be aware of potential intrusive uses of their data that may be explained and buried within dense text.

The ICO is aware of privacy policy shortcomings and has been critical of their use in online contexts. Some issues it has highlighted include a lack of clear and understandable language businesses have used in such policies, and a lack of detail about data retention and transfers of personal data overseas. It has also accused some companies of using privacy policies "to protect themselves rather than inform the public."

However, whilst the ICO should use its code reform exercise to address problems with the content of privacy notices, the main focus of its work should be on helping businesses to give consumers greater control over the use of their data. Clear, detailed guidance with examples of how to present information will help businesses meet their obligations on fair processing of personal data.

What the ICO can learn from the FCA

The FCA is supporting the political and industry push for a better savings culture in the UK. As part of its support it has recognised that detailed and comprehensive disclosure statements, even regarding financial advice and products, may not be the best way to promote good consumer outcomes.

The FCA's director of strategy and competition Christopher Woolard perhaps summed it up best in the regulator's June discussion paper on 'smarter customer communications'. He said that "information itself does not necessarily empower the consumer" and that it can instead "overwhelm, confuse, distract or even deter people from making effective choices if presented in a way people struggle to engage with".

The discussion paper illustrated the FCA's backing for banks and insurers to experiment with video messages, infographics or other ways of presenting information to people which offer alternatives to long and complex text-based documents.

Woolard said that "the information needs of potential customers need to be fully considered when developing a product or service and throughout the lifecycle of that product or service".

This broad concept that consumers should be provided with the right information at the right time should be reflected in the ICO's new privacy notices code of practice.

Consumers need to be put in control of their choices as to privacy, online security and other data protection matters and the best way to do this is to speak to them in a language they understand and not to use too many words at once. We all get lost when we listen to long drawn out speeches. The same applies for disclosure statements – they need to be effective communications rather than simply comprehensive ones.

What privacy notices should achieve and look like after the code has been updated

The ICO in its current code of practice recognises that the emphasis should be on alerting consumers to collection and uses of data that they would find unexpected or surprising. However, it now needs to go further and explain that privacy risk warnings need to bring to the attention of consumers the harm that collection or use of data could cause them, where such harm could take place.

The new code should prompt businesses to think in terms of how the collection or use of data could harm their intended or likely audiences. This might range from financial harm, to professional harm, such as loss of job or future career opportunity, to damage to their reputation or family division or embarrassment.

Harm could also arise where data could be disclosed about a person to unwanted third parties. The nuisance, offence and annoyance caused to people by inappropriate personalised marketing is also something to which businesses should give consideration.

How prominently the information on potential harm should be presented should be proportionate to the risk. Consumers confident that any risk of harm has been made transparent to them in a proportionate way, will likely feel that they can reasonably accurately weigh the level of risk of harm to them against potential benefits of giving access to their data.  

In terms of how information should be presented, the current privacy notices code supports a layered approach, where companies are encouraged to prompt consumers with "basic privacy information" but also make detailed information available to those that wish to read more.

The ICO has already suggested it is willing to promote a more flexible approach to privacy notices.

In a paper it published earlier this year to coincide with a conference for European data protection authorities it was hosting, it said layered privacy notices could "encourage greater transparency" and that new "technical solutions" such as diagrams and pictures could be deployed to explain how personal data is used.

"It may be that encouraging organisations to use privacy notices which provide the public with choices so that it can be more tailored towards an individual’s personal views on their privacy is the way forward," the ICO said in its paper. "‘Just in time’ methods can give the public clear choices at significant points in their ‘informational journeys’. There is a case for considering privacy as more of an activity and less a matter of ‘being told something’ in a long terms and conditions-type privacy notice that very few people read."

The ICO needs to use its revised code to give detailed guidance on and examples of what an effective layered approach would entail, including how video and infographics can be effectively used, where it would expect businesses to use pop-ups or other types of just in time communications and other new ways of communicating. Doing so will raise the awareness among businesses that there is a better way to service customers and deal with data protection compliance than the current practice of providing lengthy un-engaging documents.

Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com