Privacy Notices: A vital tool for customer engagement or just another requirement?
The world is changing. Social media usage has exploded, driving a new set of social issues. Covid-19 has driven changes in all aspects of our personal and work lives. Video conferencing is the new social and work norm. Online retail is growing faster than it ever has. People are adapting and doing things differently, providing more information about themselves.
In this increasingly digital world, people are aware that their personal information is being captured and exploited. However, when they see headlines about data breaches on a seemingly weekly basis, their perception of how secure their information is changes. All of this is forcing people to think about how their personal information is being used and whether organisations are protecting it adequately.
At the same time, we see a growth in the compensation culture around privacy breaches. We expect this area to grow over the coming years: as individuals become more aware of the value of their information and of their ability to launch a successful claim, it becomes the new ‘PPI claims’ industry.
When we combine all of these trends, privacy becomes an increasingly important factor in how we engage with our customers, both in B2C and B2B environments. If people perceive that your organisation is not meeting its obligations to protect their data, their trust in you will fail. We refer to this as ‘perceived privacy’. Any fall in perceived privacy will potentially result in customer leakage, reductions in customer growth and significant reputational damage, driven by the viral nature of social media.
The privacy notice is how most organisations choose to inform people of how they protect their personal information and notify them of their rights. It is the window onto how an organisation treats privacy and is a legal obligation. Many may say ‘nobody ever reads them’, but this is changing. As people become more aware of the value of their information, they take an active interest in what happens to their data and how it is handled – making the privacy notice a vital tool for customer engagement.
How are privacy notices used today?
Having reviewed hundreds of privacy notices over the last couple of years, we can make a few observations. One of the most notable was the effort that went into updating privacy notices when GDPR came into effect in 2018, which many organisations treated as a one-time exercise.
Unfortunately, although there have been significant changes in how many organisations use personal information, many notices haven’t been updated since they were first written. At one extreme, some organisations have very well written privacy notices. These businesses treat their privacy notices as a marketing document, not just a tool for minimising risk. Their notices tend to reflect the company’s way of operating, explaining to customers the privacy and data protection measures they have implemented in a clear, straightforward manner. At the other extreme, there are still organisations that have not yet published a privacy notice at all.
The bulk of organisations sit between these two extremes but typically share many of the same mistakes and misunderstandings of how the law applies.
Many come across as having been written to tick a compliance box – risk minimisation rather than the benefit of their customers. Unfortunately, many do not even tick all of the legal requirements for a privacy notice.
It is these organisations that we believe have work to do on their privacy notices and would benefit most from doing so.
There are several common issues that we have observed. Not every organisation exhibits them all, but most have at least one of them.
- A privacy notice is meant to outline why that organisation processes an individual’s personal information, the measures they have in place to protect it and what rights the individual has. It is about all the information the organisation processes behind the scenes, not just what’s visible on the website. Too frequently notices focus solely on data processed by the website, ignoring other facets of processing.
- Nearly every organisation will have multiple lawful reasons to process personal information. We have found that many notices state a single legal basis for processing and justify their processing against it, and then, later in the notice, drop in other lawful bases such as consent or a statutory obligation. Although this may be an accurate description, it leaves the reader more confused than when they started, because the basis for processing appears to have changed part-way through.
- Legitimate interest seems to have become the default legal basis for processing, the comfortable catch-all. Too frequently, it is evident that a more suitable legal basis applies. However, because legitimate interests seem to give an organisation the most justification to retain and manipulate personal information, this appears to be the preferred approach by default. The privacy notice is meant to inform the individual. It is not there to act as a justification for an organisation to hoard personal information.
- Organisations frequently highlight a data protection officer (DPO) as the contact point in the organisation, and some even name them. The DPO is a very specific role under GDPR requiring both knowledge and experience. Very often, when you check the ICO register, there is no named data protection officer, and further investigation shows that the named person has another role within the organisation. If you have a dedicated data protection officer, then great, tell people. However, if you don’t, tell them the truth. Let them know you have at least made someone responsible part-time for data protection in your organisation, which is a good start.
- Data transfers are an interesting area, particularly after the recent EU Court of Justice (CJEU) findings against Privacy Shield (Schrems II). Most organisations, even the smallest, are conducting international transfers of data as a result of the increased prominence of cloud services, where the service is accessed globally but the data is hosted outside the EU/UK. We found that Privacy Shield was the most commonly mentioned safeguard. Binding Corporate Rules, which are used for intra-company transfers, were outlined a few times, and standard contractual clauses very rarely. Overall, there was a distinct lack of clarity regarding the safeguards that organisations had in place to protect an individual’s rights. We believe the CJEU judgement will put more focus on this.
- Retention periods are frequently mentioned, but the period itself is rarely stated, nor are the criteria used to determine it identified. Many state that information will be retained for ‘as long as necessary to provide our services’. The lack of clarity on retention periods, and the wording of some of the statements, suggests that some organisations believe they can retain our data for as long as they want to use it, which is illegal.
- The final one is a particular bugbear of mine. The onus is on organisations to inform individuals when they start to process their personal information where it is not collected directly from them. We can count on one hand the number of times this has been addressed in any way in privacy notices we have reviewed. There are thousands of companies out there trading or processing our personal information, but we are not aware of most of them. I’m glad to see that the ICO is re-stating this requirement in the upcoming code of conduct for direct marketing.
To try and bring this to life, let me give you a personal experience. I found out a US-based organisation was selling my contact details to support third-party direct marketing activity. I had never provided them with my details, but fully accept that the data could have been publicly available somewhere and they can use some of it under PECR.
According to the privacy notice, their legal basis for processing my personal information was legitimate interest, stating they could retain my data for as long as required. If a legitimate interest assessment had been carried out, which they suggested was the case, I can understand how it could pass the necessity test. Inevitably, when they looked at the balancing test, there was no way that the processing could be justified as they were selling my personal information, but had never informed me that they were processing it.
So, I submitted a subject access request. When the response came, I found out that my information had been obtained from another third party, who had supposedly secured consent for using my data. I didn’t have a clue who this new company was and had not freely given my specific, informed, and unambiguous consent for my data to be used in this way!
This was from a firm who stated they were fully compliant with GDPR. Let’s just say this story is ongoing, but it highlights how questioning a privacy notice opens up a whole new can of worms.
Hopefully, the example of my experience highlights how organisations can use a privacy notice to justify processing in a way that suits them, minimising their risk, while not being honest with the customer.
What are the implications?
First, we must remember that the obligations outlined in GDPR (or other data protection laws), for providing information at the point of processing, are a legal requirement. Where organisations choose a privacy notice to publish this information, it should fulfil the legal obligations. The majority do not. This could be considered a breach of data protection law.
Consequently, if severe enough, it could result in a regulatory fine or, more probably, a compensation claim.
As we pointed out at the beginning of this blog, there is an increasingly compensation-driven culture emerging around privacy breaches. There are claims firms out there who make their money by identifying organisational privacy breaches and acting on behalf of individuals to secure compensation. This doesn’t mean every breach will result in a class action, but compensation payments to individuals will probably be on the rise. It could prove costly, both to finances and reputation.
Secondly, a poorly written privacy notice could contribute to a loss of trust in your organisation. We do not believe that most organisations are deliberately trying to deceive their customers, but it must be recognised that a privacy notice can lead to a reduction in perceived privacy. As stated before, this can lead to customer leakage and reputational damage.
When we examine these impacts in B2C and B2B environments, they are different.
In B2C, consumers tend to find the product or service they are looking for, conduct a price comparison and then buy. Historically, people have tended to ignore the privacy notice, but, particularly when buying information-related services, it is being read more frequently. At this stage, any ambiguity in the privacy notice, from the customer’s perspective, will lead to a reduction in perceived privacy, creating uncertainty in the buying process. The outcome can be a lost transaction, but more worryingly it is issues such as these that tend to be highlighted on social media, spreading virally and leading to significant reputational damage.
In B2B, data protection is no longer a nice-to-have; it is an order-qualifying criterion. As the data controller, you are responsible not only for ensuring that the personal information you collect is collected in a compliant way, but also, if you appoint data processors, for them and for ensuring compliance across the whole supply chain.
Just imagine you have spent time and effort developing a proposal that you believe will secure a piece of work, clearly identifying the data protection measures your organisation has put in place. When the proposal is received, a member of the procurement team looks at your privacy notice, which they are being encouraged to do, and finds it doesn’t reflect what you outlined in your proposal. Disaster. It could derail your whole proposal.
As we can see, poorly written privacy notices have the potential to damage your organisation severely.
So, what should you be thinking about to improve privacy notices moving forward?
The first thing that all organisations should do is review existing privacy notices and make sure they address each of the legal obligations for informing individuals.
The second recommendation depends on the role of the privacy notice in customer engagement. For some organisations, the privacy notice is there simply to inform customers that their personal information is being processed and to inform them of their rights. It is a legal requirement; they have no real interest in building the relationship further. In this case the privacy notice is a risk minimisation tool and must contain the required information.
If, on the other hand, you are an organisation that is seeking to leverage personal information, you can use the privacy notice to help build customer trust, treating it more as a marketing document. By improving the level of perceived trust in your organisation, the individual may be willing to share further information, enabling you to potentially extend your service offering to them.
In conclusion, privacy notices are a fundamental requirement for letting individuals know how you manage their personal information and informing them of their rights. They must contain sufficient information to meet your legal obligations – after all, getting it wrong can have serious consequences. Taking the role of the privacy notice further, organisations should recognise that privacy can play a key role in their customer contact strategy. It is because of this that any privacy notice should be written with your customer in mind, in a transparent and accessible format, to allow you to build trust in your organisation.
We hope that you have found this blog useful in understanding the role that privacy notices can play for your organisation. As always, different people have different experiences, and it is by sharing these that we learn. So, feel free to comment below, even if you disagree!