Global Privacy Enforcement Network (GPEN) Survey
A recent survey by the Global Privacy Enforcement Network (GPEN), carried out by 26 privacy regulators, examined over 1,200 mobile apps and found that a shocking 85% of the apps surveyed had failed to clearly explain how they were collecting, using and disclosing personal information.
Website Privacy And Data Collection/Protection
Website privacy and data collection/protection are covered by UK and EU data protection laws and regulations (primarily the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the 2011 Amendment).
A fundamental premise of web privacy compliance is that businesses must obtain an adequate level of consent from users who enter personal data on websites. There are varying (and sometimes complex) web privacy requirements for determining the level of consent needed. This depends upon the type of information you are collecting and what you plan to do with it.
So, for example, if you wish to use personal data for email marketing purposes, then you must obtain the appropriate consent from web users at the point where the data is collected. This has become increasingly prevalent with the advent of direct marketing by SMS text message. You do not, however, need prior consent if the web user’s details have been obtained during the course of a sale or negotiations regarding a potential sale.
Exemptions to the rule relate to “strictly necessary” services requested by the web user and cover specific situations, such as cookies used for a security purpose or a cookie needed to support the operation of a shopping basket of goods selected by a user.
Businesses with a website (or one that actively targets UK users) that places cookies on user machines must identify the different cookies that are served, evaluate how intrusive they are and integrate measures to obtain the user’s consent before the cookie is served. Businesses must also detail clearly how cookies are used throughout their website.
The Human Rights Act 1998
The Human Rights Act 1998 is also worthy of mention since it is incumbent on courts and tribunals to consider an individual’s privacy rights when looking at how to interpret UK legislation as a whole. In addition, there are some applicable rules regarding unlawful monitoring and keeping a record of communications under the Regulation of Investigatory Powers Act 2000.
Businesses can also use the Freedom of Information Act 2000 to obtain information (such as information held about competitors). Businesses therefore need to consider carefully what information they supply to a public authority and whether it can be protected from disclosure in the event of a request being made.
Finally, businesses need to be aware of EU restrictions on transferring personal data outside of the European Economic Area (comprising the EU plus Iceland, Liechtenstein and Norway). There are several exceptions, including:
- Export to various countries that the EU deems to have an adequate level of data protection
- Export to US companies with a “Safe Harbour” agreement
- A contractual transfer abroad that has been sanctioned by the EU
This area is particularly important to businesses with overseas data hosting and cloud technology.
It is certainly food for thought and even if you have online data privacy and cookie policies, now may be a good time to review them.