The Demise of the Pre-ticked Consent Box
Spring 2016 has been a busy time in the world of data protection, culminating in the publication of the finalised text of the General Data Protection Regulation in April. This briefing note kicks off our series exploring the new Regulation’s practical effects on business.
Ever untick a box on a website when providing information about yourself? If so, then you will be familiar with privacy notices. Privacy notices are statements provided by organisations to individuals when collecting their personal data that govern the use of that personal data.
The GDPR requires organisations that collect personal data to update their privacy notices. With just under 2 years to go until the GDPR kicks in (here at MacRoberts we are crossing off the days on our calendars), we recommend adopting a two-step approach to getting your privacy notices ready for the big changes.
Take a look at the ICO’s Code of Practice on privacy notices, transparency and control, published earlier this year. This reflects best practice under current law and will assist organisations that want to get up to speed with their data protection obligations, particularly in the online and mobile environment. Amongst the ICO recommendations is the “blended approach”, which uses various different channels through which organisations can actively communicate the content of privacy notices in ways that are relevant to the data being collected.
The ICO recommendations include:
- The use of layered privacy notices (key information stated clearly upfront with a link to further details about processing)
- Privacy dashboards (which allow data subjects to control their preferences in relation to their data)
- Just-in-time notices (notices provided in a pop-up window or similar at the same time as the data is being collected from the data subject)
Should you require any further inducement to check out the guidance, the ICO stated that, when it was producing the Code, it kept a close eye on how the GDPR was shaping up, so there is a high chance that paying attention to these issues now will soften the blow in 2018.
The conditions for collecting and processing personal data are somewhat stricter under the GDPR. We have pulled together some practical tips to help you remain compliant under the GDPR:
- You may collect data “for specified, explicit and legitimate purposes.” As a result, be as specific as you can about what you will do with the personal data you collect because if you use that data for purposes which are different from what you have outlined, your privacy notice may be ineffective. Even under current law several organisations have run into difficulties relying on privacy notices which have not been sufficiently specific.
- There is additional specific information which you must include in the privacy notice, such as:
  - The data controller’s and data protection officer’s contact details;
  - The legal basis of processing;
  - The recipients or categories of recipients with whom you will share the data; and
  - Whether you intend to transfer the data outside the EEA.
- Considering your specific circumstances, you should also provide any additional information necessary to ensure fair and transparent processing. This could include telling people how long you will store the data, whether you will engage in any automated decision-making or profiling, and what the data subject’s rights are in terms of rectification or complaints.
- Your privacy notice will have to be easy to understand and in plain language. Recently the ICO has turned its attention to the way privacy notices are worded and this is featured heavily in its Code of Practice. Once the GDPR is in force, there will be no hiding behind legalese!
All this additional information could take up a lot more space than your current privacy notice does, and placing a huge block of text on your website may not be the most mobile-friendly (not to mention aesthetically pleasing) move. If this is a concern, we recommend the layered approach recommended by the ICO, where some of the information is provided elsewhere and is accessible through a link on the page.
See, we told you that it would be worth your while to take a peek at the ICO code…
Consider your data and the purposes for which you (and potentially others) are using it, and evaluate whether any of the recommendations in the ICO Code of Practice on privacy notices, transparency and control will assist your compliance with the current and upcoming legislation and help you become more transparent about your data processing.
If in doubt, come and talk to us.