ICO has published the final version of its "Privacy Notices Code of Practice", together with a wealth of good and bad practice data collection examples – but gets its soft opt-in example wrong! Phil Lee reports.
Topic: Privacy
Who: Information Commissioner's Office
When: 12 June 2009
Where: UK
Law stated as at: 29 June 2009
What happened:
ICO has finally published its long-awaited "Privacy Notices Code of Practice" (the "Code") in final form. In a welcome addition to the Code, ICO has helpfully provided some ancillary guidance including a small business checklist (available here) and some illustrative good and bad practice examples of privacy notices in action. These are:
- Text message marketing: good and bad practice examples of text message marketing to consumers (good practice example, revealing the sender's identity and notifying opt-out rights, available here; bad practice example available here);
- Call centre data collection: good and bad practice examples of collecting personal data in a call centre scenario (available here); and
- Face-to-face data collection: good and bad practice examples of collecting personal data in a face-to-face street scenario (available here).
The Code has not changed significantly from its earlier draft form (reported on in our February issue here), and ICO continues to encourage businesses to put themselves in the position of the data subjects and to ask themselves the following key questions when preparing a privacy notice:
- Would the data subjects know who is collecting the information?
- Would they understand why you’re collecting it?
- Would they understand the implications of this?
- Would they be likely to object or complain?
The Code also emphasises the need to communicate privacy notices "actively" (e.g. by sending a letter or e-mail, or reading a script) in certain situations. These include when collecting sensitive information or when making unexpected or objectionable uses of personal information. The point to note is that simply making a privacy notice passively available (for example, on a website) will not suffice in all cases.
Subtle changes
Despite its broad similarity to the earlier draft Code, ICO has made a number of subtle tweaks worthy of attention. These include:
- Marketing consents: On the issue of providing marketing consents on data collection forms, the draft Code had said: "don't provide a confusing mixture of opt-ins and opt-outs". This clearly set the tone that ICO disapproved of using opt-ins and opt-outs to collect inadvertent "consent" from data subjects, and suggested that combining opt-ins and opt-outs would never be acceptable (a position which most consumers would surely welcome). Surprisingly, in its final form, the Code now reads "Whilst it's acceptable to use both opt-ins and opt-outs, they shouldn't be used in a way that will confuse people." It is hard to understand why ICO felt this softening was necessary – can combined opt-ins and opt-outs ever be used in a way that does not confuse individuals? This change seems only to muddy the issue and run against the grain of fair processing.
- Processing: The draft Code had previously sought to clarify the meaning of the term "processing" (since data must be "processed" in order for the Data Protection Act 1998 (the "Act") to apply). It said that "'Processing' has a very wide meaning that covers virtually anything you do with personal information". However, this helpful clarification has been removed from the final Code, which begs the question "why?" Did ICO simply feel the clarification was redundant, or did it feel the clarification overstated the meaning of processing (and if so, what acts does it think would not constitute processing)? We may never know.
- Fairness: The requirement to treat personal information in a way which is "fair" is a key principle of data protection law, and both the draft and final forms of the Code expand on what is meant by "fairness". The draft Code explained that fairness includes not using information in a way that would "have unjustified adverse effects" on individuals – again, a useful clarification. Once again, however, this helpful clarification has had a red pen taken to it, and the final Code now reads that "fairness" includes using information "in a way that is fair". Hmmmm.
Does ICO understand soft opt-in?
Another interesting point to note from the final Code arises in relation to the examples ICO gives of good practice data collection. In an example on page 13 (entitled "Alternative 'opt out' version"), ICO presents an example of good practice "opt-outs" for e-mail marketing. As Marketinglaw readers will be aware, e-mail marketing opt-outs can, of course, only be used in a soft opt-in scenario. The good practice example reads:
"We would like to send you information about our own products and services, as well as those of selected third parties, by post, telephone and email. If you do not agree to being contacted in this way, please tick the relevant boxes.
Post [ ] Phone [ ] email [ ]"
Despite citing this as an example of good practice, ICO has incorrectly used soft opt-in in this example. If you look closely at the notice, the data controller is host mailing information about selected third parties' products and services. However, the soft opt-in rule does not extend to marketing third party products and services, even if these are host mailed by the data controller (the interested reader is referred to reg. 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PEC Regs")). This is confirmed by ICO's own guidance on the PEC Regs which says: "It is unlikely you could send [host mailed] messages on a 'soft opt-in' basis because they are not your ‘similar products and services‘. However, you could send such material on a clear ‘opt-in’ basis provided you identify that you and not the third party are the sender."
A useful reminder that you can't always trust the regulator to get it right!
Why this matters:
The Code has rightly had a positive reception since its launch, helping businesses to better understand their compliance responsibilities when preparing a privacy notice. It reminds businesses that the obligation to give a privacy notice can mean more than simply making available a website privacy policy, and that privacy notices must be tailored to their audience and, in some instances, be actively communicated. All of this is welcome guidance, and the good and bad practice examples given by ICO are particularly useful.
However, the Code is not without its faults, and some helpful clarifications from the earlier draft have, surprisingly, not found their way into the final Code. In addition to this criticism, ICO's mistaken use of soft opt-in in a good practice example serves to highlight the complexities of the rules for collecting e-mail marketing consents – these seem even to confuse ICO itself.
Overall, however, the Code and its accompanying guidance should be welcomed. With Christopher Graham taking over as Information Commissioner with effect from 29 June 2009, it will be particularly interesting to watch how strictly ICO enforces compliance with this Code.