Out-Law News 2 min. read

ICO backs 'just-in-time' consent and greater control for consumers in new privacy notices code

Businesses can use pop-up messages to "provide relevant and focused privacy information" to consumers and comply with UK data protection laws, according to the Information Commissioner's Office (ICO).

The watchdog said 'just-in-time' notices, video messages and other innovative ways of communicating can help organisations obtain the consent they might need to process personal data fairly and lawfully. Organisations "should not necessarily restrict" themselves to publishing their privacy notice in a single document or page on their website, and should instead adopt a layered approach to providing privacy information, it said.

In a new privacy notices code of practice, the ICO said just-in-time notices can help organisations overcome constraints on the amount of privacy information they can convey at any one time on the screens of consumers' mobile devices.

The ICO said: "Often, and particularly when on an organisation’s website, people will provide personal data at different points of a purchase or interaction. When filling out a form people may not think about the impact that providing the information will have at a later date. Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used."

"The individual can either choose to carry on with the basic information or click on the link to find out more information. This can direct them to a more specific page explaining in detail what will be done with the personal information they have provided. You can achieve a similar result using the hover over feature when completing fields in an online form," it said.

With its new code, the ICO has also encouraged organisations to give consumers greater choice and control over how their personal data is used. It has endorsed the use of "privacy dashboards" for those purposes. Operating a dashboard where consumers can amend their settings can help organisations reduce the number of "alerts" they prompt consumers with regarding their data, it said.

"It is good practice to embed links to tools like dashboards within your privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice," the ICO said. "A privacy dashboard can help to achieve this. This offers people one place from which to manage what is happening to their information. This is helpful if you process personal data across a number of applications or services."

"For individuals it allows them to alter settings, so that (where consent is relevant) they are able to clearly indicate that they agree to the particular processing or data sharing. It also allows for consent to be provided and revoked over time, as processing develops or individuals change their minds. It should be as easy to revoke consent as it was to provide it," the ICO said.

The ICO said that businesses that follow its good practice guidelines in the new code "will be well placed to comply" with the EU's General Data Protection Regulation (GDPR). The GDPR, which will come into effect on 25 May 2018, will impose tougher standards on organisations in respect of "giving privacy information to data subjects" compared to those that currently apply under the Data Protection Act (DPA), the ICO said.

"The GDPR says that the information you provide to people about how you process their personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge," the ICO said in its new code.

"These requirements are about ensuring that privacy information is clear and understandable for data subjects. They also make explicit what has always been set out as good practice. Following the advice in this code about the use of language, about adopting innovative technical means for delivering privacy information such as layered and just in time notices, and about user testing will help you to comply with the new provisions of the GDPR, as well as the current requirements of the DPA," it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.