In May 2013 the Office of Fair Trading (OFT) wrote to a number of businesses trading online highlighting areas of concern about how companies collect and use consumers’ information.
The OFT do not believe that consumers are necessarily able to engage easily and effectively with privacy and cookie policies concerning the collection and use of their information. The OFT consider that businesses need to do more to provide greater transparency about their business practices in this respect.
The OFT is responsible for enforcement of consumer protection legislation such as the Consumer Protection from Unfair Trading Regulations 2008 (“CPRs”). The Information Commissioner (ICO) is responsible for enforcement of the Data Protection Act 1998 which requires organisations to collect and use personal data fairly and legally, and the Privacy and Electronic Communications (EC Directive) Regulations which govern the use of cookies and similar technologies on consumers’ computers and mobile devices.
Online businesses with inadequate data protection policies run the risk of breaching the CPRs as well as the Data Protection Act. Breach of the CPRs can result in an unlimited fine as well as criminal prosecution. Under the Data Protection Act, the maximum fine is £500,000. The move by the OFT suggests that the OFT will – alongside the ICO – be taking a greater interest in collection and use of consumer data and the transparency of privacy policies.
Tell consumers what information you are collecting and how it will be used
Under the CPRs businesses must give consumers all the information they need to make informed transactional decisions.
Consumers value their privacy and are concerned about the way businesses handle their information. Any surprising or unexpected practices in relation to these issues have the potential to influence consumers’ transactional decisions. Businesses should, therefore, tell consumers what they are collecting and how it will be used. This could be done through privacy policies and cookie notices.
Give consumers accurate, honest and clear details
Under the CPRs information should be given to consumers in a clear, intelligible and timely manner. Privacy policies and cookie notices should use ordinary language, and avoid technical terms or jargon where possible. They should be clearly presented and legible and draw attention to the most important details, usually those which could have a detrimental or unexpected impact on the consumer. If firms give misleading information to consumers or fail to provide them with important information this may result in a breach of the CPRs, as well as a breach of the Data Protection Act.
Give consumers a genuine chance to opt out of non-essential collection and use of this information
The CPRs prohibit aggressive practices which unduly influence or exploit consumers and restrict their ability to make free or informed choices, to the extent that they are likely to take different decisions. Whilst consumers are becoming more aware about online shopping, they may still lack the technological knowledge or software to identify or prevent the collection and use of data by a firm’s website. In any event, firms still have a high degree of control over what information is collected.
Automatically collecting or using data which is not essential for the consumer to deal with the business, without giving the consumer a genuine opportunity to opt out, may constitute an “aggressive or misleading practice”, particularly where a firm gives the impression that it will be beneficial to the consumer.
Check what information third parties are collecting and how they will use it
Businesses should deal with consumers professionally and fairly. If they fail to do so, in a way which is likely to affect consumers’ transactional decisions, then they may breach the CPRs.
Where firms allow third parties to collect and use information, for example through cookies set on their website, then they should also check what is being collected and how it will be used.
As with their own collection of data, if consumers would not expect such information to be collected or could be disadvantaged in some way, then firms should let consumers know what is being collected and consider giving them the opportunity to ‘opt-out’.
Make sure your T&Cs are fair
The Unfair Terms in Consumer Contracts Regulations 1999 (UTCCRs) – also policed by the OFT – require standard T&Cs to be fair, and to use plain and intelligible language. Important contract terms, particularly those which may disadvantage consumers, must be clear, prominent and actively brought to consumers’ attention.
Where the standard terms of a contract include provisions on how data will be collected and used, those provisions will be subject to the test of fairness under the UTCCRs. Their terms should be expressed fully, clearly and legibly and things that might disadvantage the consumer should be given appropriate prominence.
Firms must not take advantage of a consumer’s weaker bargaining position or lack of experience in deciding what their rights and obligations shall be, and the terms should be drawn up in a way that respects a consumer’s legitimate interests. This is particularly relevant in relation to the online collection and use of data, as consumers may be unfamiliar with the technological aspects of these practices.
Comment
The engagement of the OFT in data protection matters only increases the pressure on businesses to ensure fair, intelligible, open and transparent data protection policies. It is likely that the OFT will at some point want to make an example of a business which fails in this area.