What's the number one common error?
Too much information presented at the wrong time.
- A policy, in its usual definition, is “a definite course of action adopted for the sake of expediency, facility, etc.”
- A notice is “a note, placard, or similar, conveying information or a warning.”
When should privacy notices or policies be shown?
If your website, mobile app, or any tools such as cookies, online forms, or sign-ups to newsletters or mailing lists collect personal information from your users, then by law you must show a notice and/or policy at the point of capturing the data, and preferably before any data is captured.
If the purpose of collecting the information is simple, a simple privacy notice may suffice. For example, an online checkout process can simply say “The information you provide will be used to complete your order”. But remember: if there are additional purposes, such as marketing, you need to mention these separately; they cannot be rolled together so that consent to them becomes a condition of the order.
Consider your audience
When collecting data for some purpose, you must consider whose data you are actually collecting and ensure that those persons can understand and genuinely choose to accept what you are telling them, including any risks, consequences and safeguards involved, such as with transfers of data outside of the EU or automated decision making.
What if your target audience are visually impaired or blind? What if they are children or young adults? Could those people fully understand the technologies or processes you are explaining?
Here we look at some examples of the good, the bad and the ugly.
The BBC have absolutely nailed these principles!
We happen to know this because the BBC’s Privacy Team gave an excellent presentation at the Data & Marketing Association’s Data Protection Conference in September 2018 on how they had overcome these and many other scenarios. They really had thought through their audience and created multiple privacy notices and policies, which were accessible in multiple ways.
When you sign up for a BBC account, the very first thing they ask is whether you are a Child or an Adult/Young Adult.
This is so they can walk their customers through a relevant sign-up process that they’ll understand.
If you’re a child, the BBC recognise that an Adult really needs to help, so they encourage the child to ask a parent to help them, and they also present it in a more child-friendly tone.
Now they’re starting to capture “necessary” information.
In addition, they ask for things like Postcode or Gender.
Importantly they’re telling people why they want that piece of information, such as to deliver content relevant to your local area, or understanding how different genders use BBC services.
These are essentially mini Privacy Notices, one for each attribute they need to explain.
Where someone might reasonably ask “why do you need this?” they’ve pre-empted this question and put a link.
Ok, nearly done. The BBC have captured all the information they would like or need and told us why they want it.
We’ve had a choice over whether to provide it (unless it’s necessary for the provision of BBC services). Now they want to keep in touch.
A simple Yes or No with an explanation of what they’ll send and when.
What they’re doing is “layering”: providing enough information to explain, with the option to go into more detail should the reader wish to, rather than overloading the reader.
We know from the BBC’s presentation at the DMA conference that they devoted many weeks, even months to this, but the result is something that is stunningly simple and it really enhances their brand perception.
Everybody expected the first monetary penalty (fine) under the GDPR to be a big player - Facebook, Google, British Airways or Marriott Hotels. Some are even under the misconception that BA and Marriott were fined, but those were only notices of intent to fine.
Back in December 2019, a small business, Doorstep Dispensaree Ltd, was fined £275,000 by the Information Commissioner’s Office for multiple breaches of the GDPR.
In essence, however, they:
- Implied but did not explicitly state that they were a data controller of personal information
- Failed to state the lawful basis upon which they relied to process special category data (health data)
- Did not outline the categories of data they processed
- Did not state retention periods or other means of determining a retention period
- Did not inform the reader (data subject) of their rights.
This has been a “bee in the bonnet” for Xynics’ Mike Kilby for some time, and there’s background to this stretching beyond Privacy Policies. Not to side-track, but the ICO launched investigations early in 2019 into the AdTech industry. Later that year they published results showing that the AdTech industry was non-compliant with the GDPR and needed to change its game.
What’s the problem?
Verizon Media own Yahoo (including Yahoo/BT/Sky Email, Finance, Lifestyle, News, Weather and other Yahoo sites), TechCrunch, Aol, HuffPost and Flurry.
They then “partner” with other brands through the AdTech networks, using the information they gather from their users, passing it to AdTech businesses who “bid” for advertisements to be placed on Verizon owned sites and applications.
In order to use any Verizon service, the user is required to accept cookies, and if they do not, they cannot browse the site or service. The GDPR says that if you provide an online service, and it is possible to use it without tracking or targeted advertising, you cannot deny access because the individual does not consent to the cookies that drive tracking and advertising.
Verizon, on the other hand, is built of multiple businesses/brands. They may feel it is easier for them to administer one set of Privacy documents, and in all fairness it probably is, but it doesn’t make it easy for the end users. If I’m looking at Yahoo, I’m seeing all kinds of junk about completely unrelated businesses that I don’t need to know about.
It would be unfair to say they don’t give the information as it is all present, and they do make efforts to provide tools to manage choices, but because they operate all their businesses under one Verizon Media brand, it makes the whole thing confusing and complicated.
Simply put, it’s just not friendly. It’s not fair, transparent, clear or concise. It’s just not in the spirit of the GDPR.