Is A Privacy Policy Important For An Online Company?

Linkilaw Legal Advice

Global Privacy Enforcement Network (GPEN) Survey

A recent survey by the Global Privacy Enforcement Network (GPEN), in which 26 privacy regulators examined over 1,200 mobile apps, found that a shocking 85% of the apps surveyed had failed to clearly explain how they were collecting, using and disclosing personal information.

Well, we all know that it's good practice to have a website privacy policy detailing the nature and extent of the personal data which your online business collects via your website, what you use it for and who you disclose it to. However, what you may not know is that your business runs the risk of being sued or being subject to regulatory enforcement action if you fail to obtain the right level of consent.

Although a privacy policy is technically a legal document, you should try to ensure that yours is written in clear, easy-to-understand terms. The ICO, as the UK's independent authority on information rights, has published some useful guidance.

Website Privacy And Data Collection/Protection

Website privacy and data collection/protection are covered by UK and EU data protection laws and regulations (primarily The Privacy and Electronic Communications (EC Directive) Regulations 2003 and Amendment 2011).

A fundamental premise of web privacy compliance is that businesses must obtain an adequate level of consent from users who input personal data onto websites. There are varying (and sometimes complex) web privacy requirements to determine the level of consent needed. This depends upon the type of information you are collecting and what you plan to do with it.

So, for example, if you wish to use personal data for email marketing purposes, then you must obtain the appropriate consent from web users at the point where the data is collected. This has become increasingly prevalent with the advent of direct marketing techniques by SMS and text message. You don't, however, need prior consent if the web user's details have been obtained during the course of a sale or negotiations regarding a potential sale.

It is no longer adequate simply to deal with cookies in your website privacy policy. Since 26 May 2011, businesses that use cookies (and equivalent technologies) must only place cookies on the machines of users who have given their consent.

Exemptions to the rule relate to "strictly necessary" services requested by the web user and cover specific situations, such as cookies used for a security purpose or a cookie needed to support the operation of a shopping basket of goods selected by a user.

Businesses with a website (or one which actively targets UK users) which places cookies on user machines must identify the different cookies that are served, evaluate how intrusive they are and integrate measures to obtain the user's consent before the cookie is served. Businesses must also detail clearly how cookies are used throughout their website.

The Human Rights Act 1998

The Human Rights Act 1998 is also worthy of mention since it is incumbent on courts and tribunals to consider an individual’s privacy rights when looking at how to interpret UK legislation as a whole. In addition, there are some applicable rules regarding unlawful monitoring and keeping a record of communications under the Regulation of Investigatory Powers Act 2000.

Businesses can also use The Freedom of Information Act 2000 to obtain information (such as information held about competitors). Businesses therefore need to consider carefully what information they supply to a public authority and whether this can be protected from disclosure in the event of a request being made.

Finally, businesses need to be aware of EU restrictions on transferring personal data outside of the European Economic Area (comprising the EU plus Iceland, Liechtenstein and Norway). There are several exceptions, including:

  • Export to various countries which the EU deems to have an adequate level of data protection
  • Export to US companies with a “Safe Harbour” agreement
  • A contract transfer abroad which has been sanctioned by the EU

This area is particularly important to businesses with overseas data hosting and cloud technology.

It is certainly food for thought and even if you have online data privacy and cookie policies, now may be a good time to review them.

Final Words: Is A Privacy Policy Important For An Online Company?

A privacy policy is now an important requirement if you run a business online and collect any information about your customers online. Without it, you run the risk of legal issues that could all too easily have been avoided. 
