The Good, the Bad and the Ugly - Which one are you?

Jan 30, 2020

In parts one and two of this series, we’ve examined how a Privacy Policy helps build trust and confidence in your brand, enhances your brand reputation and demonstrates the fundamental transparency principle of the GDPR.

We’ve looked at what a privacy policy should contain, where it should be available and how it should be perceived, so let’s now look at some examples of the good, the bad and the ugly.

What's the number one common error?

Too much information presented at the wrong time.

There is a common misunderstanding of terminology between a “Privacy Notice” and a “Privacy Policy”. The GDPR in fact defines neither of these terms, referring merely to “transparency”.

  • A policy, in its usual definition, is “a definite course of action adopted for the sake of expediency, facility, etc.”
  • A notice is “a note, placard, or similar, conveying information or a warning”

If you want to be transparent when collecting information, displaying a Privacy Notice explaining what that specific collection is for and any rights to be exercised is appropriate. You can link through to a more detailed Privacy Policy, but only if you cannot show all the relevant information on that initial notice.

When should privacy notices or policies be shown?

If your website, mobile site or app, or any tools such as cookies, online forms, or sign-ups to newsletters or mailing lists collect personal information from your users, then by law you must show a notice and/or policy at the point of capturing the data, and preferably before any data is captured.

If the purpose of collecting the information is simple, a simple privacy notice may suffice. For example, an online checkout process can simply say “The information you provide will be used to complete your order”. Remember, though, that if there are additional purposes such as marketing, you need to mention these separately; they cannot be rolled together so that consent to them becomes a condition of the order.

If the purpose(s) are more complex, a summary notice is fine, but you should provide a link through to the relevant part of your privacy policy, which will explain the purpose(s) in more detail.

Consider your audience

When collecting data for some purpose, you must consider whose data you are actually collecting and ensure that those persons can understand and genuinely choose to accept what you are telling them, including any risks, consequences and safeguards involved, such as with transfers of data outside of the EU or automated decision making.

The British Dyslexia Association has a good Privacy Policy. It is well structured, contains all the relevant information and is easy for me to read. I do however wonder about their audience. If the site is intended as a resource for people with dyslexia to obtain information and/or support, could they perhaps have gone a little further and had a narrated version or a video/animation version for those who find it difficult to read?

What if your target audience are visually impaired or blind? What if they are children or young adults? Could those people fully understand the technologies or processes you are explaining?

Also, don’t just think about online: lots of retailers and service providers now collect information in person, over the counter at the point of sale. Your privacy policy needs to be accessible there and then, and I doubt anyone will stand and read a lengthy policy, nor would you want them clogging up your queue!

Here we look at some examples of the good, the bad and the ugly.

The Good!

The BBC have absolutely nailed these principles!

We happen to know this because the BBC’s Privacy Team gave an excellent presentation at the Data & Marketing Association’s Data Protection Conference in September 2018, explaining how they had overcome these and many other scenarios. They really had thought through their audience and created multiple privacy notices and policies, which were accessible in multiple ways.

When you sign up for a BBC account, the very first thing they ask is whether you are a Child or an Adult/Young Adult.

This is so they can walk their customers through a relevant sign-up process that they’ll understand.

If you’re a child, the BBC recognise that an adult really needs to help, so they encourage the child to ask a parent to help them, and they also present it in a more child-friendly tone.

Now they’re starting to capture “necessary” information.

In addition, they ask for things like Postcode or Gender.

Importantly they’re telling people why they want that piece of information, such as to deliver content relevant to your local area, or understanding how different genders use BBC services.

These are essentially mini Privacy Notices, one for each attribute they need to explain.

Where someone might reasonably ask “why do you need this?” they’ve pre-empted this question and put a link.

Ok, nearly done. The BBC have captured all the information they would like or need and told us why they want it.

We’ve had a choice over whether to provide it (unless it’s necessary for the provision of BBC services); now they want to keep in touch.

A simple Yes or No with an explanation of what they’ll send and when.

Importantly, it’s simple and well structured, built based on questions they think people might ask, like “What are you doing with my information?”, rather than “this is what we collect” and “this is why we collect it” etc. The common thread throughout is that on almost every page, certainly where they may need to explain in more detail why they want certain information, there’s a link to a Privacy Policy.

We really like that they have their “BBC privacy promise” and also that if the information on that page is still not enough to satisfy the reader, they provide links to their main privacy policy which goes into even more detail.

What they’re doing is “layering”: providing enough information to explain, with the option to go into more detail should the reader wish to, rather than overloading the reader.

We know from the BBC’s presentation at the DMA conference that they devoted many weeks, even months to this, but the result is something that is stunningly simple and it really enhances their brand perception.

The Bad!

Everybody expected the first monetary penalty (fine) under the GDPR to be a big player - Facebook, Google, British Airways or Marriott Hotels. Some are even under the misconception that BA and Marriott were fined, but those were only notices of intent to fine.

Back in December 2019, a small business, Doorstep Dispensaree Ltd, were fined £275,000 by the Information Commissioner’s Office for multiple breaches of the GDPR.

Among the considerations that led to this significant fine was the fact that the business’s Privacy Policy contained eleven separate breaches of the Articles of the GDPR. We won’t list them here in full; you can read all about that case in Section 46 on Page 18 of the publicly available notice linked above.

In essence, however, they:

  • Implied but did not explicitly state that they were a data controller of personal information
  • Failed to state the lawful basis upon which they relied to process special category data (health data)
  • Did not outline the categories of data they processed
  • Did not state retention periods or other means of determining a retention period
  • Did not inform the reader (data subject) of their rights.

I could go on, but will simply say this. Doorstep Dispensaree relied upon a template written by someone else that they did not customise for their business. We do not know what Privacy Policy they supplied to the ICO during the investigation, but using the Internet Archive we found that, at least as far back as before the ICO’s involvement, and even as of writing this article, Doorstep Dispensaree’s website Privacy Policy is a link to, it is not even on their own website! If you’re using that service yourself, I’d encourage you to reach out to us now to ensure you don’t become the next Doorstep Dispensaree.

The Ugly!

This has been a “bee in the bonnet” for Xynics’ Mike Kilby for some time, and there’s background to this stretching beyond Privacy Policies. Not to side-track, but the ICO launched investigations early in 2019 into the AdTech industry. Later that year they published results finding that the AdTech industry was non-compliant with the GDPR and needed to change its game.

Verizon Media (or Oath as they used to be known) are a company that uses AdTech heavily, hiding a lot of what they’re doing behind their Privacy Policy and Cookie Walls.

What’s the problem?

Verizon Media own Yahoo (including Yahoo/BT/Sky Email, Finance, Lifestyle, News, Weather and other Yahoo sites), TechCrunch, Aol, HuffPost and Flurry.

They then “partner” with other brands through the AdTech networks, using the information they gather from their users, passing it to AdTech businesses who “bid” for advertisements to be placed on Verizon owned sites and applications.

In order to use any Verizon service, the user is required to accept cookies, and if they do not, they cannot browse the site or service. The GDPR says that if you provide an online service, and it is possible to use it without tracking or targeted advertising, you cannot deny access because the individual does not consent to the cookies that drive tracking and advertising.

In our opinion, their Privacy Policy is a nightmare to read, and their practices around cookies and the associated transparency (privacy notices) are far from fair!

One of our clients is a large brand operating internationally with several sub-brands/businesses. Each sub-business has its own privacy policy, which makes it really easy for their audience (some of whom are children) to understand who they are dealing with, what information will be processed and why.

Verizon, on the other hand, is built of multiple businesses/brands. They may feel it is easier for them to administer one set of Privacy documents, and in all fairness it probably is, but it doesn’t make it easy for the end users. If I’m looking at Yahoo, I’m seeing all kinds of junk about completely unrelated businesses that I don’t need to know about.

It would be unfair to say they don’t give the information as it is all present, and they do make efforts to provide tools to manage choices, but because they operate all their businesses under one Verizon Media brand, it makes the whole thing confusing and complicated.

Simply put, it’s just not friendly. It’s not fair, transparent, clear or concise. It’s just not in the spirit of the GDPR.
