Thursday 12 February 2009

Is time running out for privacy notices?

After launching a consultation on a draft code of practice for privacy notices last month, the ICO has now published the results of an online survey where over 2000 adults were asked how they felt about the "small print" contained in standard privacy notices. Apparently, 71% of participants admitted to not properly reading or understanding the small print (a lower number than Matron would have expected!) and 47% believe that small print is "purposely designed to be as woolly as possible". Indeed! Having spent several years in private practice advising corporate clients that the privacy policy is their friend not their enemy, Matron certainly feels that this message has hit home with CEOs and inhouse legal counsel quite some time ago .

As someone who for a very long time predictably, boringly and (in the opinion of her partner) embarrassingly read all small print before signing, Matron has found that over the last few years she too has become more complacent. While she will still search for the tick boxes that will (hopefully) prevent her from being inundated with adverts for Viagra and penis enlargements, she no longer reads the privacy statements with the same sort of youthful vigour.

That has partly to do with the problem identified by the ICO - they are getting longer and more impenetrable. But also - and therein, as they say, lies the rub - she makes a plain old profit/loss analysis. As her esteemed friend and colleague Prof. Lilian Edwards points out in one of her articles, the majority of privacy statements, particularly those used by online providers, are effectively adhesion contracts - not subject to negotiation, take it or leave it. If you want the service, you have to agree with the terms, so reading them could often be seen as an utter waste of time. And because most consumers - again in Lilian's words - prefer "jam today" - goods and services, fun and frivolity - over "jam tomorrow" - safety and security of their personal information - it has become easy for online providers progressivley to expand the purposes for which they may use their customers' personal data - ostensibly with their consent.

Consequently, and without wanting to criticise the ICO's commendable move to initiate a discussion of this subject, Matron cannot help thinking that the ICO stopped a bit short of what may actually be required. Instead of simply joining the plain English campaign, may it not now be time to revisit the entire concept of fair processing notices, particularly where the purposes for which the data can be used by businesses become binding on their customers on the basis of their IMPLIED consent (as is possible in the UK)? Should we start thinking about these isssues in terms of consumer protection and should we be looking into the possiblity of legislating for "unfair privacy terms" along the lines of the Unfair Terms in Consumer Contracts Regulations 1999?

It seems that for the time being the ICO wants to stick with the "educational approach": getting companies to simplify their privacy statements so that consumers can understand them better and make better choices. But extensive permissions to use consumer data are still extensive permissions by any other name and the concept of choice - as in all adhesion contracts - may be illusionary.

No comments:

Post a Comment