These are companies with so much personal information about us that they see into the darkest reaches of our souls more clearly than Sigmund Freud channelled by Mystic Meg. They are peopled by zealous superbrains who doodle weather system algorithms while chatting to granny on the phone, yet even they can’t decide on the right way to handle our personal data.

This confusion is no surprise if they try to do the right thing and take the advice of the Information Commissioner’s Office (ICO). The office is striking increasingly confident, even bullish, notes on personal privacy, surveillance societies and our informational rights. Yet it cannot even produce coherent guidance about what companies are supposed to do.

If you collect personal information online, the single most important thing you need to know is: what do I tell the punter when I take his details? Let’s turn to the ICO. Its guidance is clear: a link to a privacy policy is not enough; companies must give far more information at the point of data collection.

Crystal clear advice, delivered in 2001 by the then Commissioner, Elizabeth France. Hang on, though: four years later the current Commissioner, Richard Thomas, said that the best policy was a ‘layered notice’ like the one on Microsoft’s MSN UK. The first layer of its notice? A link to a privacy policy.

This confused me: was the Commissioner now saying that a link was compliant? I phoned his office and was told no, the old guidance held true: a link is not enough. The report was not an endorsement of Microsoft’s first layer. A reader could not possibly know that, so it is no surprise that a link to a policy is the most common approach today.

You see the problems faced by Google et al? Come June 2007, though, the ICO issued brand new guidance for website compliance (9-page / 69KB PDF). It was time to sound the trumpets; clarity was at hand.

Well, not quite. It cleared up the previous issue by insisting that a simple privacy policy link is insufficient. But it caused heads to be scratched anew with its muddle on layered notices, which it again advocated as best practice.

“This usually consists of three linked notices which are increasingly concise,” it said. But it went on to say that the short notice “is used where there is not enough space for the other layers, so will not usually apply to websites.” So the current recommendation for websites is a three-layer notice, one layer of which is unsuitable for websites. Clear as Conrad Black’s name.

There is another fundamental ICO mistake: it can declare all it likes that links to privacy policies are not enough, but has it ever taken action against, or even criticised, a company only employing such a link? No.

Companies will think, therefore, that the requirement is trivial. The Commissioner could stop a company from using its customer database because the collection was unfair, a massive sanction in these data-driven days. That could seem to many firms to be a bolt from the regulatory blue. For the sake of fairness, if today’s standard practice breaks the law, the Commissioner must say so, loud and clear.

By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.

This editorial has been reproduced from issue 16 of OUT-LAW Magazine.