It seems to be privacy week this week. My inbox, probably like yours, is overflowing with updated privacy notices and requests that I continue to stay in touch. How can I really turn down a request from Edinburgh Zoo to stay in touch when I’m presented with a very cute picture of a baby polar bear? Click – yes please.
No one really reads these privacy notices though do they? In some cases, I suspect that is what the company is banking on. However, as I’m doing quite a lot of work at the moment to support companies prepare for the General Data Protection Regulation from a data perspective, in the interests of research I decided I’d actually read each one as it came in.
I’m currently up to notice number 15 and I’m beginning to spot some trends, which I will summarise under the high-level headings of style and substance.
Since privacy notices going forward need to be personalised to the needs of the business, the ICO have held back from providing a template and instead have issued some best practice. Following this best practice, many institutions have introduced clarity by providing different levels of detail, bigger fonts, shorter paragraphs and lots more section headings and clearer language. This almost makes me want to read one.
In some cases its no good making it look pretty if when you click into the detail you find yourself faced with regulatory regurgitation of the definition of personal data, rather than a nicely formatted list of the data items actually being collected.
Google’s new privacy centre is a beautiful collection of colourful webpages. It reads well, but has apparently cost them millions. Most businesses, particularly charities and voluntary organisations don’t have millions to spend. Fortunately a few headings, a nice big font and the use of plain English and structured tables really does go a long way to making this rather dull topic consumable.
From the notices I’ve been sent this week, there appears to be a distinct segregation into the amount of effort put into making privacy notices “clear and transparent”. One theme I have picked up is that US service providers (not including Google) have put much less effort into this exercise than EU-based providers. Many EU providers are listing the actual data items, processing purposes and the third parties they interact with. They’ve obviously had quite a bit of pain to get to this point and I’m really happy they now feel capable of sharing everything they now understand about their existing processes for our benefit.
However, the other half tell us that they process “some data“, to do “some stuff” and might share this with “some other people“. To me this seems very lazy. This is particularly obvious when they refer me to their third parties’ privacy notice once data leaves their control, but I don’t know who these people are, so I couldn’t do this even if I wanted to.
Methods of dealing with minors still appears a little inconsistent. Is the age of consent 13, 16 or even 18? The problem here is that member countries have the right to introduce their own laws and it can actually be anywhere between 13 and 16. Most have opted for the approach of saying their services aren’t aimed at children and you should contact them if you are aware of children using the service. The ICO guidance suggests that for services aimed at children age-appropriate privacy notices are created. I’ve yet to find one of these. If there is a good one out there, please do let me know.
Another challenge appears to have been documenting retention periods. This is due to different items being kept for different lengths of time. However a nice table with the data item, the purpose and legal basis for processing and the retention period per item work pretty well. Tables do seem to be a good way of summarising this information, where used, they have been very effective.
So, to summarise my musings, there is a lot of variability in quality of privacy notices out there. Listing what data items are captured, for what purpose and where it all goes seems sufficient detail, any less is lacking clarity. Headings, short paragraphs and big fonts really help to keep it clear. If you are responsible for pulling one together yourself, put yourself in your customer’s shoes. Work out whether you could navigate the processes you’ve written down, is all the required information and associated links listed? Test it, by going through the process yourself. Finally, just get a lawyer to check it all over.