When you collect personal data, you are legally required to provide certain key privacy information to individuals about how you will use their data. This includes:
- what personal data you will collect (and, if you are not collecting it from the individual directly, where you are getting it from), what you plan to do with that data and your lawful basis (ie your justification) for using it;
- details about any plans to share the data;
- if you plan to keep the data, details about how long you plan to keep it; and
- information about individuals’ rights, eg the right to request access to information held about them and to ask for it to be amended or deleted.
Failure to comply with data protection law can have significant financial and reputational consequences for your business, including, in the most serious cases, fines of up to €20 million or 4% of your global annual turnover, whichever is higher. It is therefore important to take your obligations seriously.
Do I need to provide any other information to website users?
To make sure your website has everything it needs, see our Checklist of information to include to ensure your website is legally compliant. You can also use our starting an online business toolkit for access to all of the documents you need to make sure your sales website is legally compliant.
The Government recommends that in order to help improve customers’ understanding of privacy information, businesses could consider the following approaches:
- using a FAQ format to present key terms, eg ‘What will you use my email address for?’;
- illustrating key terms with icons;
- providing terms in a text box that the customer can scroll through;
- providing certain privacy information when it is most relevant (eg when a customer provides their email address, explain what it will be used for);
- using illustrations and comics to explain certain processes;
- letting customers know how long it will take to read your privacy and cookie policies; and
- telling them when it is their last chance to read it.
Bear in mind that if your website is likely to be accessed by children, you may need to comply with the ICO’s age appropriate design code when providing your privacy information (see below).
The ICO recommends that you carry out user testing across a sample of your customers to find out whether they could find your privacy information, whether they found it easy to understand and whether they noticed any errors. The feedback you receive can help you to check that your privacy information is achieving its purpose. The ICO also recommends keeping your privacy information under regular review, so that it continues to accurately reflect your use of personal data, and analysing complaints from the public about both your use of their personal data and how you explain that use.
Following the UK’s exit from the EU on 31 January 2020, we are in a transition period until 31 December 2020 during which the EU and the UK are negotiating their future relationship. During this period, there are no immediate changes to data protection law in the UK and you should comply with the current GDPR requirements regarding privacy and cookie policies.
What are the rules about privacy policies and children?
If your website is used by children, you may need to consider the Age Appropriate Design Code (or Children’s Code). This is a statutory code of practice that applies to ‘information society services which are likely to be accessed by children’. This means that it can apply to you even if your service was not specifically designed to be used by children, and it covers most online services, including websites selling goods or services, games, apps, online marketplaces and streaming or other content services.
It came into force on 2 September 2020, giving businesses 12 months to comply. Although the Code is not technically law, the Information Commissioner must take compliance with the code into account when considering whether a business has breached its data protection obligations.
What do I need to do if my website is likely to be used by children?
If your website or app provides online products or services which are likely to be used by children (ie under-18s) in the UK and it processes their personal data, you should comply with the Age Appropriate Design Code, or the ‘Children’s Code’.
The Code contains 15 flexible standards which set out what measures websites and apps need to put in place to ensure that children’s personal data is safeguarded. These include:
- putting the best interests of the child first when designing and developing your website;
- doing a data protection impact assessment;
- making sure children have high privacy settings by default;
- ensuring that privacy information is age appropriate;
- providing children with age appropriate tools to help them exercise their data protection rights; and
- putting appropriate policies and procedures in place.
See our guide on privacy and children for more information about how to comply with these standards.
How should I provide privacy information to children who use my website or app?
In addition to your general obligations (see above), if you process children’s personal data on your website or app, you must provide them with privacy information in a way in which they can understand it. This requirement is reinforced in the Age Appropriate Design Code, which you will need to comply with if your website or app provides online products or services which are likely to be used by children. If your business falls within the scope of the Code, the ICO has recommended a number of steps that you should take when providing privacy information to children. These include:
- providing privacy information in a clear and prominent place and presenting it in a child friendly way (eg using pictures, symbols or interactive content);
- providing ‘bite-size’ explanations at the point at which children give you their personal data or at other appropriate times. You might also suggest that they check with an adult before proceeding, depending on their age range;
- making sure you use child-friendly explanations alongside any legal language; and
- considering how you can tailor the information to the age of your users (ie will one set of privacy information work for everyone or do you need to consider different developmental needs?). For example, if your service is likely to be accessed by very young children, you are more likely to need to rely on parental support and to encourage children to check with a trusted adult before proceeding.
Similarly, if you provide parental controls on your website or app, you must give children age appropriate information about this (eg by providing them with an obvious sign that they are being monitored). The ICO also recommends that you provide parents with information about their child’s right to privacy.
What else do I need to comply with data protection law?