Privacy watchdog proposes code of practice for privacy notices

Do you remember the last time you made an online purchase from Amazon or the Apple Store? When you entered in all your personal information, do you remember reading Amazon or Apple’s privacy notices? If you clicked on it, did you read through the entire thing? It is quite likely that your answer would be no.

Privacy notices can be described as statements or explanations that individuals are given when their personal information is collected from them. At the very least, the privacy notice should tell people what will be done with the information that is collected.

According to an Out-Law.com article, the Information Commissioner’s Office (ICO), UK’s privacy watchdog, has observed that privacy notices are often full of legal jargon and are designed more to reduce organizations’ liability rather than help customers/users understand what their personal data might be used for.

In response to this, the ICO has published a draft “Privacy Notices Code of Practice” to encourage companies to be clear to customers/users about how any information collected from them may be used. It strives to provide guidelines on how to draft and provide a privacy notice, what it must contain, how to make the privacy notice accessible and includes numerous examples of good and bad privacy notices.

The ICO contends that the need for a clear and fair privacy notice is strongest when the collected information will be used for “unexpected, objectionable or controversial purposes, or where the information is confidential or particularly sensitive.” An example of a potentially objectionable purpose would be if the information collected had the possibility of being sold. The code takes this further and states that not only does the privacy notice need to be clear and fair in these situations, but also needs to be actively communicated to an individual. Instead of just merely having the privacy notice available for the individual to peruse, the company needs to implement means to ensure that the privacy notice will be read. A possible approach could be to have the text of the privacy notice appear on one of the screens on a website right before the information collection is to take place.

ICO’s endeavour to publish the “Privacy Notices Code of Practice” is definitely a commendable one, but one must wonder whether a privacy notice, even in its most ideal, clear and fair form, will actually make a difference to the public. After all, if one desperately needs to purchase a textbook off Amazon, whether the privacy notice is clear or not, or actively communicated or not, the purchase will still be made. ICO’s concern with the excessive legal jargon found in privacy notices is that they are designed to reduce companies’ liability. However, isn’t the act of rendering privacy notices more clear, transparent and fair also self-serving in a similar way? A clear and actively communicated privacy notice will only serve to reduce companies’ liability even more effectively. It is not as if potential customers will refrain from using a website or purchasing a product online based on what is written in the privacy notice. With a clear and actively communicated privacy notice, there is less of a chance the customer would be able to argue in court that the privacy notice was ambiguous and unclear.

Even a clear, transparent and actively communicated privacy notice does not give customers a choice as to the extent of how their information is used. The only choice that they are given is the choice to not purchase the item online from that particular online vendor. This does not mean that the customer now can choose an online vendor that uses collected information in a less objectionable way. Other online vendors may have similar potential uses for collected information that is also reflected in their privacy notices. This means that it does not really matter for the general public as to how the privacy notice is written or presented to them; either way, if members of the general public want an item badly enough, they will be forced to simply just accept that their information will be used in certain ways, or make no transaction at all. It is true that a clear, transparent and actively-communicated privacy notice will enable the user to know exactly what will be done with their information, but how is this knowledge actually helpful? Knowledge of something is only considered to be helpful if it assists in future decision making. Without tools that enable users to actively decide and control how their information is used, a clear, transparent and more actively communicated privacy notice affords very little benefit to users.