Privacy notices are much more than a legal tick-box exercise. They can serve as a core tool for establishing customer trust, enhancing brand reputation, and gaining internal insights about data flows, which can be leveraged across the business. But to unlock the full potential of privacy notices, they need to be done right. So, what are the essentials?
What is a privacy notice and why do you need it?
A privacy notice (sometimes called a privacy policy) is like a map of what's going on with personal data behind the scenes at an organisation. It communicates to individuals exactly what information about them is being collected and how it is being used and is distinct from internal policies you may have on data governance and compliance more widely.
Privacy notices are crucial not only because they enable you to meet your legal obligations under the (UK) GDPR, but because they build trust between your organisation and your customers – a recent study found that 81% of users believe the way an organisation treats their personal data is indicative of the way it views them as a customer – so there's clear commercial value to be gained from being transparent. You will also need a cookie notice (see here for more).
What should a privacy notice cover?
An effective privacy notice isn’t just about saying 'we value your privacy' — it needs to be sufficiently detailed to meet your transparency obligations under the (UK) GDPR. Key information you will need to cover includes:
- what information is being collected/processed, for example, an individual's name, email, or even IP address
- why you are collecting this information, e.g. for customer service, marketing, or something else entirely
- what your 'lawful basis' is for using the information in this way, e.g. are you relying on the customer's consent or your own legitimate interests?
- who you share the personal data with
- whether you export the personal data to third countries, why, and how you protect it if you do
- how long it will be stored
- what rights the individual has in relation to their personal data and how to exercise them.
This is just some of the information you will need to provide – there is much more!
How specific should a privacy notice be?
Transparency is front and centre when it comes to privacy notices, and EU and UK regulators are increasingly expecting privacy notices to be more granular and specific. Both these points were specifically mentioned in the 2021 WhatsApp decision, which resulted in a fine of €225 million. In summary, your privacy notice must be specific enough to enable an individual to understand how each category of their personal data is being used – two elements are key here:
- You must ensure that there's a link between each category of personal data, the purpose for which it is being processed and the lawful basis you are relying on. Each purpose will require a lawful basis, even if the data itself is the same.
- You must use language that is clear and specific; this means avoiding qualifiers such as 'may', 'might', 'some', 'often' and 'possible', as these create ambiguity.
You will need to keep your privacy notice under review, updating it whenever your practices change.
When and how to display your privacy notice?
Displaying privacy notices the right way is just as important as the content itself. They should be easy to find and understand, and not buried in fine print. The UK regulator (the ICO) mentions that a "blended approach" to privacy notices is often most effective, and gives examples of the following techniques that can be used to achieve this:
- Layered approach – this is where the most important information is mentioned up front and then the user can click for more information in a series of drop-downs. This way, the user gets the information they need without feeling overwhelmed.
- Dashboards – this is a central hub where the user can not only find the privacy notice but all things data and privacy related. Innovative organisations often use a dashboard to provide the same information in multiple mediums, for example, using a video format, which can be particularly effective for communicating information to children.
- Just-in-time notices – these pop up right when the individual is just about to share their personal data, giving them a heads-up on what’s being collected and why.
The more unusual or invasive your use of personal data, the more effort you need to put in to ensure it's brought to the individual's attention in a way that they can understand.
Transparency and dark patterns in privacy notices
You must ensure that you're not using harmful online choice architecture (OCA, also known as dark patterns) to negatively influence an individual's decision making or understanding of your privacy practices.
In 2023, the ICO and the CMA (the UK regulator for consumer protection law) published a joint paper, which highlights how dark patterns, such as 'harmful nudges', 'confirm shaming' and 'biased framing', can distort consumer behaviour by manipulating or pressuring users into making decisions that may not be in their best interest, leading to potential breaches of data protection laws. Using these deceptive techniques in privacy notices can erode customer confidence and can attract regulator scrutiny.
The ICO-CMA paper emphasises the importance of designing interfaces that empower users with genuine control over their personal data, enabling them to make informed choices without undue influence. It advocates for evidence-based testing of design choices to prevent harm to consumers and ensure compliance with applicable laws.
What about AI?
2024 has been the year of artificial intelligence, and organisations' use of AI is growing. Organisations will now need to consider how personal data is being used alongside AI and be upfront and clear in their privacy notices about this. It’s not just about saying "we use AI" – it’s about explaining what it means for the individual and their personal data. A good privacy notice should detail how AI algorithms analyse personal information, whether to make personalised recommendations, for decision-making processes, automated responses, or something more innovative. It must be clear how and when automated decision making is happening and explain the individual's rights in that regard.
Is public information fair game?
Personal data collected from public sources, like a public register, can be a goldmine for data-driven companies, for example, it can be used for identity verification, market research, or targeted advertising. However, it's important to note that just because the information is public doesn’t mean you can do whatever you want with it. Your privacy notice should make clear if you're using personal information from public sources, explain why you're collecting it, and the lawful basis for doing so. Transparency is key, and more so when the source of the data isn't the individual themself, as there is often no direct link between you and the individual, so they won't always be immediately aware.
Focus on:
- (UK) GDPR compliance – have you included everything required in your notice?
- Transparency – have you been upfront about what you are doing?
- Clarity – will the individuals covered by the notice be able to understand what you are doing with their data?
- OCA – are you making use of a variety of techniques to bring the most important parts of your notice to the attention of individuals? Are you avoiding dark patterns?
- AI – If you are using AI, have you explained what it does and why you are using it?
Privacy notices can be tricky to get right, particularly if you're a data-rich organisation. If you're looking to update your privacy notice or understand how to meet your transparency obligations when using AI, please reach out and ask your preferred chat bot to email us!