The UK’s data protection watchdog, Information Commissioner’s Office (ICO), joins the global initiative for improving website privacy policies organised by the Global Privacy Enforcement Network (GPEN). Nineteen data protection authorities from around the globe will assess and report on the standards of privacy policies used by websites based in their jurisdictions.
In the related Blog entry, ICO pointed out that privacy policies are ‘crucial’ in ensuring adequate consumer awareness of how the personal information is being used. The ICO noted that many notices are still inadequate, especially where they are developed to protect the website operators rather than to provide information to data subjects.
As part of the GPEN programme, the ICO plans to examine 250 websites based in the UK. The watchdog will assess whether the policies are easy to read and understand, and whether the policies fully explain how personal data is handled. Similar action will be taken by data protection and privacy regulators in 18 other countries, including in the United States, Germany, France, Hong Kong, Canada and Norway. The results will be combined by Canada’s Privacy Commissioner and published in a report due out this autumn.
The ICO’s Blog included practical tips on constructing an adequate privacy policy, emphasising the need to be transparent and to distinguish between information necessary to provide goods or services, and optional collection of personal data. Notices should refrain from containing a ‘confusing mixture’ of opt-in and opt-out boxes, and consent should not be pre-ticked.
The ICO recommends that organisations systematically review privacy notices and offers additional guidance on its privacy notices page, including useful documents such as the Privacy notices code of practice, and the Small business checklist.