Why do we need to accept a Privacy Policy?

A privacy policy is supposed to outline how an organisation intends to process personal data. The ICO says:

A privacy notice is a statement that tells you who is collecting information about you and what it will be used for. Privacy notices take a number of forms, for example a notice on a website or a script read out over the telephone. A privacy notice should be in clear language and must be truthful.

However, when registering with a website you'll often find either a separate requirement to tick a box to accept the organisation's privacy policy, or the privacy policy will be appended to the requirement to accept the organisation's terms and conditions. Why? I can understand the need for a company to obtain and document its customer's acceptance of its standard form civil contract, but a privacy policy is for information only, so what purpose is served by ticking a box to accept it? It's pointless and misleading in my opinion.

It's pointless: ticking a box to accept a privacy policy is as pointless an exercise as ticking a box to accept an organisation's "About us" page. They are both "information only" pages; they are not required by law and have no legal status other than the requirement placed on a data controller to ensure that its statements of processing are truthful. It's ironic, then, that although a requirement is placed upon the individual to "accept" a privacy policy, in reality the only enforceable aspect of a privacy policy is placed upon the data controller: if it decides to publish a privacy policy, that policy must be a truthful reflection of its processing.

It's misleading: many data controllers will incorrectly interpret the apparent tick-box acceptance of their privacy policy as an indication that the individual has consented to the processing statements contained within it. And of course, the processing statements they really want the individual to consent to are the ones relating to electronic marketing. It's highly unlikely, though, that a data controller will be able to demonstrate that it obtained an informed indication of consent just because the individual ticked a box. Under PECR the data controller must obtain an "informed" indication of consent, so unless the data subject was made aware that ticking a box to accept the terms and conditions/privacy policy meant their information would be used to target them with electronic marketing, it's unlikely that consent has been obtained. This is why you will often see consent statements and/or marketing-related tick boxes on the registration form.

According to the ICO there are many ways for a data controller to obtain an informed indication of consent, but I've only found three, and one of them isn't very reliable. These are:

A consent statement on the registration form to summarise those statements of processing related to marketing that appear in the privacy policy.

A marketing tick box, or boxes, that comply with the regulation 22 rules.

A welcome e-mail sent to the data subject after registration that clearly advises them their data will be processed to target them with direct marketing unless they opt out. The welcome e-mail should be non-promotional, should be sent well before any marketing e-mails, and if the data subject decides to opt out they should not receive any marketing at all. This method is unreliable in practice, though: often the welcome e-mail will itself be promotional, or the data subject will receive marketing before they see the welcome e-mail. It works in theory, but not reliably in practice.

A word of warning about the ICO. In my experience, some of the staff working at the ICO get confused about consent and the need for a data controller to obtain an informed indication of consent. If you are told by the ICO that you have given your consent because you accepted a privacy policy, this is likely to be incorrect and you should seek advice from a more senior member of staff. Unfortunately the ICO enquiry department can be inconsistent in its responses. For a more accurate response you really need to talk to a case worker.

See: What is electronic marketing?

See: What is consent?