Following on from last month’s draft Code of Practice for Privacy Notices, ICO has now launched the “BIG PRINT small print” campaign, with a view to ending the practice of burying fair processing notices within the small print to online and offline data capture forms. Phil Lee reports in medium size print.
Topic: Privacy
Who: Information Commissioner's Office
When: 12 February 2009
Where: UK
Law stated as at: 16 February 200
What happened:
Following on from last month's draft "Code of Practice on Privacy Notices" (the "Code") (reported in last month's Marketinglaw here http://www.marketinglaw.co.uk/articles/2009/11357.asp), ICO has launched a new campaign to end misleading small print in marketing materials – the appropriately-monikered "BIG PRINT small print" campaign (the "Campaign").
In one of those rare examples of 'doing exactly what it says on the tin', the Campaign seeks to encourage marketers to be upfront and transparent about how they intend to use customers' personal data. At the same time, ICO encourages consumers to take the time to learn how their personal data may be used, and not simply to ignore fair processing notices that provide this information.
The Campaign is based, in part, on research conducted by YouGov which suggests that:
• 47% of people believe that small print is designed to be as "woolly" as possible;
• 42% believe small print is used as a vehicle for companies to make money by selling customers’ details;
• 63% want marketers to use less jargon in their fair processing notices;
• 62% want a clearer explanation of how their personal information would be used; and
• 71% admit to not properly reading or understanding the small print.
In addition, approximately half of YouGov's respondents want marketing small print to, quite literally, become big print by being printed in larger text – and hence the "BIG PRINT small print" campaign was born.
Why this matters:
The draft Code has already trumpeted the call by outgoing Information Commissioner, Richard Thomas, to make privacy notices more accessible to the ordinary public. As the Information Commissioner himself notes: "…no-one should need a magnifying glass or a lawyer to find out what will happen to their information, what their choices are and what their rights are."
The point is that the days of complex, legalistic privacy policies are numbered. ICO is taking a clear stance against organisations that seek to indemnify themselves by burying huge amounts of jargonistic detail deep within an inaccessible privacy policy that no one ever accesses or reads. Going forward, organisations can expect that they will have to make available simple, plain English notices at data capture points that ensure customers are made fully aware how their personal data may be used – and, in particular, that any unusual uses of their personal data are brought to their attention. An organisation that fails to do this may find itself exposed to ICO's wrath under its incoming enforcement powers (which include potentially unlimited fines for data protection breaches caused deliberately or recklessly) and, possibly, liability under the Consumer Protection from Unfair Trading Regulations 2008 for "unfair" commercial practices or "misleading" acts or omissions.
We'll let Nick Ross, who was quoted in ICO's Campaign press release (available at http://www.ico.gov.uk/upload/documents/pressreleases/2009/spbp_pressrelease.pdf), have the final word on this issue: "This stuff should be crystal clear and anything unusual should have a neon flashing warning. Decent companies should lead the way: either make small print clear to customers, or scrap it and face the legal penalties; but don't go through the motions."
You have been warned!