The UK data protection regulator, the Information Commissioner’s Office (ICO), has reviewed the data protection and privacy notices that appear on the websites of a variety of firms in the retail, banking and lending, and travel and finance price comparison sectors. The ICO has found that these notices are “often inadequate”, and that “organisations need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data.”
The ICO review found that:
- 26 of the 30 firms whose websites were examined did not set out clearly how and where consumers’ personal information would be stored. Particular criticisms were made of firms being “unclear and vague” regarding the potential transfer of data to other countries
- 26 firms did not satisfactorily explain whether data might be shared with third parties, and if so, which parties that might involve
- Three firms did not make any mention in their notices of whether data might be shared with third parties
- 24 firms did not provide users with a clear and obvious way of having their personal data deleted or removed
- Seven firms did not inform users how they could access the data held about them – this is often done via a Subject Access Request
Several recent ICO fines have concerned firms sending marketing messages (such as texts, emails and recorded calls). In a number of these cases, the firms believed that the recipients had given their consent to being contacted in this way, but the ICO found that they were relying on vague, non-specific consent statements that did not make clear to whom the data might be passed, or for what purposes.
Making use of robust consent statements will become all the more important after May 2018, when the European Union’s General Data Protection Regulation (GDPR) is introduced. This Regulation contains more stringent requirements for consent notices than is the case under existing UK data protection law, and also allows regulators to impose massive fines on firms who fail to comply – fines could be as large as the higher of 4% of annual turnover or €20 million. The GDPR will be enshrined into UK law prior to Brexit.
The ICO’s review was part of a worldwide review by 24 different data protection regulators, who together looked at 455 websites and apps.
ICO Intelligence and Research Group Manager Adam Stevens said:
“The findings suggest that people using those websites that we and our international partners examined are generally not very well informed about what happens to their data once it has been collected. That just won’t do. It is important that it is clear to people how they can control their information online.
“Working with our global partners has helped to identify that this is a worldwide problem. The GDPR is coming in May 2018 and from what we’ve found so far, organisations which want to do business or operate in the EEA have a lot of work to do if they don’t want to be breaking the new law.”
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.