Out-Law / Your Daily Need-To-Know

EDITORIAL: Barely a day goes by without Google or Microsoft or some other company with vast vaults of our personal data tweaking its privacy policy.

These are companies with so much personal information about us that they see into the darkest reaches of our souls more clearly than Sigmund Freud channelled by Mystic Meg. They are peopled by zealous superbrains who doodle weather system algorithms while chatting to granny on the phone, yet even they can’t decide on the right way to handle our personal data.

This confusion is no surprise if they try to do the right thing and take the advice of the Information Commissioner’s Office (ICO). The office is striking increasingly confident, even bullish, notes on personal privacy, surveillance societies and our informational rights. Yet it cannot even produce coherent guidance about what companies are supposed to do.

If you collect personal information online the single most important thing you need to know is: what do I tell the punter when I take his details? Let’s turn to the ICO. Its guidance is clear: a link to a privacy policy is not enough, companies must give far more information at the point of data collection.

Crystal clear advice, delivered in 2001 by the then Commissioner, Elizabeth France. Hang on, though: four years later the current Commissioner, Richard Thomas, said that the best policy was a ‘layered notice’ like on Microsoft’s MSN UK. The first layer of its notice? A link to a privacy policy.

This confused me: was the Commissioner now saying that a link was compliant? I phoned his office and was told no, the old guidance held true: a link is not enough. The report was not an endorsement of Microsoft’s first layer. A reader could not possibly know that, so it is no surprise that a link to a policy is the most common approach today.

You see the problems faced by Google et al? Come June 2007, though, the ICO issued brand new guidance for website compliance (9-page / 69KB PDF). It was time to sound the trumpets, clarity was at hand.

Well, not quite. It cleared up the previous issue by insisting that a simple privacy policy link is insufficient. But it caused heads to be scratched anew with its muddle on layered notices, which it again advocated as best practice.

“This usually consists of three linked notices which are increasingly concise,” it said. But it went on to say that the short notice “is used where there is not enough space for the other layers, so will not usually apply to websites.” So the current recommendation for websites is a three-layer notice, one layer of which is unsuitable for websites. Clear as Conrad Black’s name.

There is another fundamental ICO mistake: it can declare all it likes that links to privacy policies are not enough, but has it ever taken action against, or even criticised, a company only employing such a link? No.

Companies will think, therefore, that the requirement is trivial. The Commissioner could stop a company from using its customer database because the collection was unfair, a massive sanction in these data-driven days. That could seem to many firms to be a bolt from the regulatory blue. For the sake of fairness, if today’s standard practice breaks the law, the Commissioner must say so, loud and clear.

By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.

This editorial has been reproduced from issue 16 of OUT-LAW Magazine.