In “Basic Law for Web Designers No 2: Website Terms and Conditions” JD Supra 27 Aug 2011, I discussed the terms and conditions that should appear on websites. I said that every website should have at least two sets of terms: “website access terms” and a “privacy statement.” I added that if a website owner intends to market his or her goods or services over the internet, his or her website should also set out his or her terms of business. I then discussed the contents of “website access terms”, “privacy statements” and terms and conditions of business and how they should be developed.
When I wrote that article the OECD website provided a useful tool for developing privacy statements known as the “Privacy Statement Generator”. Sadly, after more than 10 years of service, that tool has been removed. The space where the Privacy Statement Generator used to be found now points to the paper “Making Privacy Notices Simple: An OECD Report and Recommendations”, OECD Digital Economy Papers, No. 120, OECD Publishing. The foreword to that paper notes that:
“Privacy notices are an excellent tool to disclose an organisation’s privacy practices and policies. Research suggests, however, that many notices are too lengthy, confusing, and contain complex legal language. This report recommends that privacy notices be short, simple and usable to make it easier for individuals to assimilate the information they contain and to compare the privacy practices of the organisations processing their personal data.”
Part of the research to which the foreword refers was commissioned by the UK Information Commissioner. The researchers found that approximately 60% of people said that they cared about what happens to their personal information, yet most people ignore privacy statements. Even when they do pay attention to them, readers are not able to assimilate much of the information provided. The problem was that notices were too long and repetitive, contained financial and legal jargon, identified the main points inadequately and, above all, failed to engage the reader.
To address those points, the OECD has made the following recommendations:
“1. Identify data flows: Identify your organisation’s practices regarding the collection, use, sharing, protection, and destruction of personal data.
2. Conduct a legal review: Determine which laws, regulations, industry codes, contracts, corporate promises, or other legal requirements cover the collection and use of personal data by your organisation.
4. Develop a simplified notice: Develop a shorter, clearer notice that includes key information that will enable consumers to understand how their personal data is used and any rights they have with respect to the organisation’s use of that information.
5. Test the usability of the notice: Conduct testing to ensure that readers of the simplified notice find it comprehensible and user-friendly.
6. Disclose the simplified notice: Prominently display the simplified notice on the organisation’s website or otherwise distribute it so that it can be readily and easily accessed and read by an individual whose personal data may be used by the organisation. Where needed, ensure easy accessibility to the comprehensive statement for those who want complete details, or where its availability is indicated by the legal review.”
Having contributed the first chapters on data protection to Butterworths Encyclopaedia of Forms and Precedents and Atkins Court Forms nearly 30 years ago, I have been consulted on a lot of privacy statements. Should anyone wish to discuss this article or any topic concerned with data protection, he or she can call me on 0800 862 0055 or use my contact form.