All websites operating in the UK and Europe need to ensure they are complying with EU data protection legislation. The revision of the laws has been cited as the “biggest shake up in marketing for decades” and ushers in a new age of consumer privacy and a greater burden of proof on businesses. If misuse of someone’s data causes “distress” or “damage”, you or your company could be fined anywhere between £1,000 and £500,000. The problem is that the exact laws are still not settled and are the subject of fierce debate. May 2014 was set as a provisional deadline for a data protection law for the single European market to be proposed and voted on. In the meantime small business owners were being urged to at least begin changing the way they and their websites gather data. The overall theme of the data protection discussion is that certain changes DO need to be in place right now, yet a lot of small businesses either don’t know about it or are just not bothering to implement systems to cope.
- The British Information Commissioner’s Office provides guidance on data protection.
It is also a good idea to stay flexible so that future changes, revisions or amendments to the regulations can be met. First, let’s look at the basics where website privacy policies and cookie consent are concerned.
How Search Engines Regard Due Diligence Statements
Interestingly, there is speculation that adding disclaimers about due diligence, obligations and responsibilities to a site can win the favour of the Google search engine: part of its ranking algorithm is supposedly programmed to detect legal-related web content and reward those sites. Google has never documented such a signal, so this is conjecture, though the idea seems plausible because Google wants to rank serious, legitimate websites; in any case the regulations discussed below require the privacy and cookie information whether or not it helps rankings. Whenever I see a website neglecting to include disclaimers, privacy statements and cookie information, I think they’re missing a trick.
Cookies are small pieces of text that a website asks the browser to store and to send back with every later request to that website. They are a normal part of how the web works: a site cannot otherwise tell one request from the next, so it stores an opaque session identifier in a cookie to keep you logged in, or to remember preferences such as language or basket contents. (A login form that pre-fills your username and password is the browser’s own password manager at work, not a cookie; a site should never put a password in a cookie.)
- Cookies ARE sent back to the website (or third-party host) that set them, on every subsequent request to that host, so the operator does see their contents; the browser does not send them to unrelated websites.
- Cookies can be blocked in the browser’s privacy settings or deleted individually or in bulk. Note that clearing the browser cache does not remove them: cookies are stored separately from cached pages.
Cookies are also used by advertising networks and analytics tracking software, either to deliver adverts the user is likely to want to see, or to record and report how a user navigated a website, how long they spent on a page, what kind of device they used to browse the site and so on. Such a cookie normally holds a random identifier rather than a name or address, but because the same identifier is sent back on every visit it lets the network link those visits together (and, if the network also holds account data, tie them to a person). A unique identifier of that kind may itself count as personal data, which is why the consent rules below apply to it.
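As an added example (not code from the original post), here is a small Python model of what the bullets above describe: a first-party site and a third-party analytics host each set a cookie, and the browser sends each cookie back only to the host that set it. The hostnames (example-shop.test, analytics.test), the cookie names (sid, _vid) and the toy cookie jar are assumptions made for illustration; the parsing is done by Python’s standard http.cookies module.

```python
"""Model of the cookie round trip between a browser and two web hosts.

Added example, not code from the original post. The hostnames
(example-shop.test, analytics.test), cookie names (sid, _vid) and the
cookie jar below are all made up for illustration; a real browser's jar
also applies Domain, Path, Secure and expiry rules that are omitted here.
"""
import secrets
from http.cookies import SimpleCookie


class CookieJar:
    """Minimal browser-side store: cookies are keyed by the host that set them."""

    def __init__(self):
        self._store = {}  # host -> {cookie name: value}

    def receive(self, host, set_cookie_headers):
        """Store every Set-Cookie header carried by a response from `host`."""
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self._store.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host):
        """Cookie request header for the next request to `host`, or None.

        Only cookies set by that host go back to it: nothing the shop set is
        ever sent to the analytics host, and nothing goes to a host that set
        no cookie at all.
        """
        cookies = self._store.get(host)
        if not cookies:
            return None
        return "; ".join(f"{name}={value}" for name, value in cookies.items())


def shop_login_response():
    """First-party site: a session id (random token, not the user's name).

    Secure stops the browser sending it over plain HTTP; HttpOnly keeps it
    away from page scripts. The password itself is never put in a cookie.
    """
    sid = secrets.token_hex(16)
    return sid, [f"sid={sid}; Path=/; Secure; HttpOnly"]


def analytics_response():
    """Third-party analytics host: a visitor id with a two-year lifetime.

    It holds no name or address, but because the browser returns the same
    token on every later visit, the host can link those visits together.
    """
    vid = secrets.token_hex(8)
    return vid, [f"_vid={vid}; Path=/; Max-Age=63072000"]


def host_reads(cookie_header):
    """What a host recovers from the Cookie header the browser sent it."""
    parsed = SimpleCookie()
    if cookie_header:
        parsed.load(cookie_header)
    return {name: morsel.value for name, morsel in parsed.items()}


def simulate_visit():
    """One page view that touches both hosts, then what the next requests carry."""
    jar = CookieJar()
    sid, shop_headers = shop_login_response()
    jar.receive("example-shop.test", shop_headers)
    vid, analytics_headers = analytics_response()
    jar.receive("analytics.test", analytics_headers)
    # Later requests: the browser replays what each host set, nothing more.
    return {
        "sid": sid,
        "vid": vid,
        "to_shop": jar.cookie_header("example-shop.test"),
        "to_analytics": jar.cookie_header("analytics.test"),
        "to_unrelated": jar.cookie_header("other-site.test"),
        "analytics_sees": host_reads(jar.cookie_header("analytics.test")),
    }


if __name__ == "__main__":
    for key, value in simulate_visit().items():
        print(f"{key}: {value}")
```

The point the model makes is the one the bullets get wrong if read carelessly: the operator of each host receives its own cookie on every request, which is exactly how the analytics host recognises a returning visitor without ever being told a name.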
Cookie Opt-Out button
The ICO requires that a company, organisation or webmaster discloses what cookies are used and gives the website visitor the opportunity to opt out.
- Under the ICO’s guidance it is OK to assume cookie consent is already given (implied consent), provided the visitor is told about the cookies and given the choice to turn them off.
- A prominent link/button with instructions on removing/blocking cookies needs to be clearly displayed.
You don’t need to block cookies and then ask to allow them – you only need to provide a way to disallow cookies.
It is recommended that an unobtrusive pop up either at the top or bottom of the website is used to provide the necessary information and means to take steps for changing cookie settings.
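One way to implement the opt-out described above on the server side, as an added example that is not the post’s own code nor any consent script it mentions: the page is rendered with the analytics tag only while no opt-out cookie is present, and the response to the opt-out button records the choice and expires the site’s own tracking cookies. The cookie names (cookie_optout, _ga, _gid, _vid), the analytics URL and the page markup are assumptions made for illustration.

```python
"""Server-side cookie opt-out for a site that relies on implied consent.

Added example, not code from the original post or from any consent
script it mentions. The cookie names, the analytics URL and the page
markup are assumptions made for illustration.
"""
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "cookie_optout"            # remembers the visitor's choice
TRACKING_COOKIES = {"_ga", "_gid", "_vid"}   # assumed names of the site's own analytics cookies
OPT_OUT_LIFETIME = 365 * 24 * 3600           # keep the choice for a year


def parse_cookie_header(cookie_header):
    """Cookie request header -> {name: value}; tolerates a missing header."""
    parsed = SimpleCookie()
    if cookie_header:
        parsed.load(cookie_header)
    return {name: morsel.value for name, morsel in parsed.items()}


def tracking_allowed(cookie_header):
    """Implied consent: tracking runs unless the visitor has opted out."""
    return parse_cookie_header(cookie_header).get(OPT_OUT_COOKIE) != "1"


def opt_out_headers(cookie_header):
    """Set-Cookie headers for the response to the opt-out button.

    Records the choice and expires every known tracking cookie the request
    carried (Max-Age=0 tells the browser to discard it). Only cookies set
    under this site's own domain can be cleared this way; a cookie set by a
    third-party host lives on that host's domain and is out of reach here.
    """
    headers = [f"{OPT_OUT_COOKIE}=1; Path=/; Max-Age={OPT_OUT_LIFETIME}; SameSite=Lax"]
    present = set(parse_cookie_header(cookie_header))
    for name in sorted(TRACKING_COOKIES & present):
        headers.append(f"{name}=; Path=/; Max-Age=0")
    return headers


def render_page(cookie_header):
    """Page body: the analytics tag is only emitted while tracking is allowed.

    Not emitting the tag is what stops new tracking cookies being set; the
    link at the bottom is the always-visible route to the cookie information
    and the opt-out.
    """
    parts = ["<p>Site content</p>"]
    if tracking_allowed(cookie_header):
        parts.append('<script src="https://analytics.test/tag.js"></script>')
    parts.append('<a href="/cookies">Cookies: what we use and how to opt out</a>')
    return "\n".join(parts)


if __name__ == "__main__":
    before = "sid=abc123; _ga=GA1.2.111; _vid=9f1c"   # constructed request header
    print(render_page(before))
    for header in opt_out_headers(before):
        print("Set-Cookie:", header)
    print(render_page("sid=abc123; cookie_optout=1"))
```

Two design points worth noting: the opt-out choice is itself stored in a cookie (a strictly necessary one, which needs no consent), and expiring cookies only works for those set under your own domain, so for a third-party network you still have to point visitors at that network’s own opt-out and stop loading its script.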
Official ICO FAQ Video
This video answers some questions. It was published back in 2012 as a general forecast on privacy, data protection etc. I recommend subscribing to their channel as well.
Avoid a fine
The ICO enforces both the Data Protection Act and The Privacy and Electronic Communications Regulations (PECR, which cover cookies and electronic marketing), and has published guidelines under them concerning all aspects of data protection and privacy.
- This info is relevant as of February 2014 (revisions to their documents may occur so do not act on info in this blog without first doing your own research).
Read the ICO guidance document on monetary penalties. Its opening pages state that a maximum fine of £500,000 can be imposed on a “data controller” who seriously contravenes the regulations, either deliberately or by knowing (or where they ought to have known) that a contravention was likely and failing to take reasonable steps to prevent it, in circumstances where the breach causes substantial “distress” or “damage” to another party. The document goes on to explain that the financial penalties imposed are in fact contingent on the financial resources of the individual or entity:
“The Commissioner will take into account the sector, for example, whether the person is a voluntary organisation and also the size, financial and other resources of a person before determining the amount of a monetary penalty. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible person.”
The example they use mentions a sole trader being fined £1,000:
“As a general rule a person with substantial financial resources is more likely to attract a higher monetary penalty than a person with limited resources for a similar contravention of the Act or the 2003 Regulations. For example, a monetary penalty notice was served on a sole proprietor for the sum of £1,000 following representations about his financial status. When further precedents are available from either the monetary penalty notices served by the Commissioner or the decisions of the First-tier Tribunal (Information Rights), further guidance will be produced so that those affected can better assess their position.”
Examples of Privacy Breach
No honest marketer or business sets out to misuse data, but there is always the possibility of a scenario where user data is abused or falls into the wrong hands. Either of the following two outcomes is an example of “systematic failings” where responsibility falls to the data controller. That’s you.
- A burglary resulting in the theft of laptops or media storage devices. A login password on its own does not protect the data on a stolen device (the drive can simply be read from another machine), so unless the disk was encrypted the perpetrators can go on to commit identity theft: names, addresses and phone numbers might be used for criminal activity, and the ICO treats the loss of unencrypted personal data as a serious breach of data protection. The burden of responsibility is upon the organisation or individual who failed to prevent the breach.
- A customer sends an email enquiry through a website contact form, providing name, email address and phone number. If that data is added to an email marketing list without consent, or if unsolicited phone calls were placed or text messages sent to the individual, that would constitute a breach of privacy.
Update 2015: I have it on good authority that the notification bar might not be necessary any more, as long as you have a visible link at the bottom of every page on your site linking to information about the cookies you use. You can still watch the video, but please be aware I am no longer using the SiteBeam Cookie Consent scripts because I found they seriously slowed down the websites I was using them on.
- ICO: Privacy and Electronic Communications Regulations
- ICO: Data Protection Guidelines Overview
- ICO: Cookies Guidance (PDF)
- ICO: Privacy Notices Code of Practice (PDF)
- ICO: Collecting Information About Your Customers – Small Biz Checklist (PDF)
- ICO: Monetary Penalties Statutory Guidance (PDF)