Press "Enter" to skip to content

Tag: transparency

Bad Privacy Notice Bingo!

Snark attack!

Having spent many, many hours reviewing privacy notices lately – both for the day job and for my own personal edification – I’m discouraged to report that most of them have a long way to go before they meet the requirements of Articles 13 and 14 of the GDPR, let alone provide an engaging and informative privacy experience for the data subject.

Because I am a nerd who cares passionately about making data protection effective and accessible, but also a sarcastic know-it-all smartarse, I created this bingo scorecard to illustrate the problems with many privacy notices (or “policies” as some degenerates call them) and splattered it across social media. Hours of fun.

Bingo scorecard showing things that don't belong in a privacy notice

I am not just about the snark

However, I am also a geek who would much rather there was no need for my hissy fits of piss-taking and so in that spirit, I shall deconstruct here; why the items on the bingo scorecard are Bad Things to find in a privacy notice.

Bad Things

“We may….”

A privacy notice is a communication that needs to convey useful information, not a guessing game. If you say you ‘may’ do something, I’m left in the dark as to whether you’re actually doing it to MY data, and when that might be, if so. If you’re going to do something, say you do it. If you’re going to do something but only under particular circumstances, then describe those circumstances. If you’re not going to do it, don’t even mention it.

“Personally Identifiable Information”

This is not the same thing as personal data, it’s a subcategory of personal data. When I see this in a privacy notice, it immediately says to me that either the organisation is either oblivious to the premise and requirements of EU privacy law, or that they are trying to pull a fast one by doing all kinds of stuff with de-identified personal data that they don’t want me to know about. More about the differences between “PII” and ‘personal data’ here:

“EU citizens”

You will not find the word “citizens” anywhere in the text of the GDPR. Feel free to do a search on the text if you don’t believe me. That’s because data protection rights are human rights, and residency status is not a variable for ascertaining humanity. It’s about data subjects located in the EU, Data Controllers carrying out activities in the EU or Data Controllers who are offering goods and services to people located in the EU, or who are monitoring the activity of people located in the EU. People. Not just citizens. If a citizen of the EU goes to a third country, they lose the protection of EU law.

“by <….>, you consent to this processing”

Consent must be informed, freely-given, specific and unambiguous. That means the data subject needs to take some kind of positive action to indicate their consent to processing which has been described to them, in circumstances where they have a genuine choice and where the consent for processing is not tied to an unrelated activity. By browsing a website and reading the privacy notice, I consent to……nothing at all. By wearing my socks on my ears, I have nice warm ears and look a bit daft but am still not consenting to anything at all.

If I were to provide my email address on a company’s website to enter into a prize draw, I would be consenting to having my email addressed used to select and notify the winner of the prize and that’s all. If the company wants to use my email address to send me marketing then they have to get entirely separate consent from me to do so.

More about consent for data processing here:

“General Data Protection Regulations

Just one Regulation. A big beast, to be sure – but a singular one. If an organisation can’t even get that right, what are the chances that they’ll be paying proper attention to what it actually says? Not great, I reckon.

ICO logo

You’re not allowed to use the ICO’s logo without their permission. If a website owner uses the ICO’s logo without permission then they are acting unlawfully by breaching copyright. If they are willing to act unlawfully in regard to intellectual property, what makes you think they will be any more ethical or diligent about processing your personal data, eh? At best, they are clueless. At worst, they are being deliberately deceptive. Either way, their privacy notice is not to be trusted and neither are they.

Refers to the DPO as the “Data Controller”

A Data Protection Officer is an individual who performs the functions described in Articles 37-39 of the GDPR for an organisation (either in-house or on an outsourced basis). A Data Controller is the organisation which determines the purpose and means of the processing of personal data. Even if the Data Controller is a sole trader, there would probably be a conflict of interest disqualifying them from being the DPO anyway (there’s one for the DP geeks to gnaw on). If an organisation doesn’t even know the difference between DPO and Data Controller, then the chances of them knowing enough about data protection obligations and rights to be able to process your personal data fairly and lawfully, are pretty slim.

“We keep your personal data as long as necessary”

See also; “as long as required by law”. More guessing games. How long is that then? Unless it’s something outrageous, unexpected or high-risk; why even bother to tell me about it? What is “necessary” and how do you justify it?

Oh, and if you’re saying there’s a law that requires you to do something with my personal data, please cite that actual law. Making a statement saying “we comply with the law” gets you no Brownie points – the whole point of the law is that you have to comply with it. You might as well make sure you say “We don’t chop off annoying people’s heads with axes” too.

One loooooong page/doc

The harder it is for me to read your privacy information, the more likely it is that I will suspect you’re up to no good and make the effort to scrutinise it. Now, that’s just me because I’m a suspicious-minded nitpicking smartarse, but even for people who don’t spend their leisure time examining privacy notices, the point of the whole exercise is – as I mentioned above – to effectively communicate information to people about what’s going on in relation to their personal data. The GDPR even says in Recital (39) that “The principle of transparency requires that any information and communication relating to the processing of [..] personal data be easily accessible and easy to understand”. Making me scroll through acres of dense small print until my brain turns to mulch, is basically doing the opposite of what the GDPR requires.

(NB: If you want to see an absolutely beautiful privacy notice, have a look at this. Seriously. It’s the best bit of UX I have ever seen. I am a little bit in love……and probably need to get out more)

“From time to time…”

This is a phrase which conveys absolutely nothing in the way of useful information. Which times would those be? 3 times a year? Once a week? Under what circumstances? Every time I [example redacted in the interests of good taste and public decency]?

It reeks of ‘we couldn’t be bothered to think about this too hard’….or even ‘we daren’t tell them what’s really going on’. Either way – not a good look. A waste of pixels/printer ink.

Lists purposes separately to legal basis

This might keep auditors happy when they review your privacy notices so they can tick the ‘Article 13 requirements” boxes, but unless there is a clear narrative for the data subject to follow in relation to their personal data; it’s not actually going to meet the obligations of transparency. I want to know what’s happening with my data, under which circumstances, and why you think that’s allowed. Separate lists will not allow me to do that. Tell me that you’re going to use my postal address to send me news about your latest offers and that you reckon this is in your legitimate interests. Tell me that you have to keep Gift Aid declarations for 6 years because the Tax and Finance Act (or whatever) says you have to. Don’t tell me that there are a number of potential purposes for processing my personal data then make me have to try and figure out which one of the potential legal basis you’ve listed somewhere else is being used to justify the processing activities that you’ve described in yet a third separate list. Not transparent. Not helpful.

“administration purposes”

Administration is an activity not a purpose. It is not an end unto itself. No-one gets up in the morning and goes “ohhh, my whole reason for living is to administrate!” What is the administration activity and why is it being carried out? Perhaps you need to make sure my contact details are up to date so that you can chase me for my membership dues, which are a requirement of my agreement with you. Maybe you need to make sure that your event tickets are not sold to more people than the venue can accommodate. Obviously, there are some legal obligations your organisation must fulfil. So please tell me about them rather than skulking behind the diaphanous skirts of “administration”

“including, but not limited to….”

If it’s worth mentioning, it’s worth telling me all of it. Examples are helpful but they do not replace the legal obligation to describe the processing, the purposes and the legal basis for the processing. If your organisation doesn’t actually know what you’re going to do with my data then I don’t want you to have it. If you know but you’re worried about telling me, then I really don’t want you to have it!

Looks and sounds like a contract.

Privacy information, a privacy notice or privacy policy (if you must) is not a legally-binding agreement. It’s not a deed or a contract. It’s a piece of marketing material that just happens to need to be scrupulously honest as well. A good privacy notice not only has to make you feel OK about how your data is being used (while not obfuscating, concealing or outright lying), it should make you want to read it because it is helpful and engaging! Privacy notices written by lawyers hoping to outsmart other lawyers are easy to spot – they’re the ones you’d rather scoop your eyes out with a spoon than spend any time reading (unless – perhaps – you’re THAT kind of lawyer). And don’t event get me started on the American convention of PUTTING REALLY IMPORTANT STUFF IN CAPITAL LETTERS OSTENSIBLY TO ‘DRAW ATTENTION TO IT’ BUT THEREBY RENDERING IT UTTERLY INCOMPREHENSIBLE TO ANYONE.

“Military-grade encryption”

Oh, do piss off.

Encryption is a tool to mitigate a particular type of risk. It is not always the appropriate tool and like any other tool, is only as good as the implementation and competence of the people using it. You could be using 3DES to protect the negotiation for your public key exchange, with your own CA in a bulletproof box, but if your sysadmin’s password is “Password” or you’ve mixed up your public and private keys, then you wasted a lot of time and money (rather like buying a rocket launcher then using it to bash your own head in).

If you couldn’t make head or tail of that last paragraph, then don’t worry – the people who write “military-grade encryption” into a privacy notice don’t know what any of it means either.

“We take data protection very seriously”

See previous comment on boasting about not axe-murdering people.

In conclusion

A privacy notice isn’t there to cover your arse. Yes, it’s a legal requirement but the purpose of that is not simply to make you jump through hoops like a Peke at Crufts. The purpose of the legal requirement to provide privacy information is not to give you something to point to to tick off the ‘transparency’ principle, it is the transparency principle. The data subject has the right to be informed. If all you’ve done is obfuscate, bore, deceive or puzzle them then you have achieved the exact opposite of what GDPR requires and must now go all the way back to the beginning and start redrafting your privacy info.

 

StalkerChimps

This morning, I was spending my leisure time researching options for email newsletters. Just to be clear, this isn’t something I would necessarily choose to do for fun, but is linked to my role as Digital Officer for a certain professional association for information rights professionals.

All of the reviews I read seem to hold MailChimp up as cost-effective, easy to use and feature-rich. “Great”, I thought and then the privacy nerd in me started muttering….I wasn’t surprised to see that MailChimp are a US company, as their inability to spell common words such as “realise” and “harbour” had already clued me up to this, but that doesn’t necessarily present an insurmountable data protection problem for a UK organisation looking to use their services (setting aside the current kerfuffle about Safe Harbour/Privacy Seal/NSA etc etc). I thought as a prospective customer of their services, I’d check out the privacy policy (nothing more embarrassing than accidentally using personal data unfairly or unlawfully when you’re acting as a professional organisation for privacy enthusiasts…..).

And I found this:

(for the record; the annotations are mine).

Which basically translates to:

“We are going to follow you all over the web, conducting surveillance on you without telling you and then use what we have discovered to try and predict the best ways to manipulate you in order to make money for our customers, clients and suppliers.”

Oh yeah, and there’s also this: “As you use our Services, you may import into our system personal information you’ve collected from your Subscribers. We have no direct relationship with your Subscribers, and you’re responsible for making sure you have the appropriate permission for us to collect and process information about those individuals. We may transfer personal information to companies that help us provide our Services (“Service Providers.”) All Service Providers enter into a contract with us that protects personal data and restricts their use of any personal data in line with this policy. As part of our Services, we may use and incorporate into features information you’ve provided or we’ve collected about Subscribers as Aggregate Information. We may share this Aggregate Information, including Subscriber email addresses, with third parties in line with the approved uses in Section 6.[screenshot]”

Now, I have most definitely had emails from businesses that I’ve used in the past, which – upon unsubscribing – I have discovered are using MailChimp. No-one has ever told me that when I gave my email address to them, they would pass it on to a US company who would then use it for stalking and profiling me. Well, hur-hur, it’s the Internet, what did I expect?

Wait. Being “on the internet” does not mean “no laws apply”. And in the UK, for UK-registered organisations, the UK Data Protection Act does most certainly apply. You cannot contract out of your organisation’s responsibilities under DPA. Now, for those of you reading this who aren’t DP geeks (Hi, nice to see you, the party’s just getting started!), here’s a breakdown of why I think using MailChimp might be a problem for UK organisations….

The UK Data Protection Act has 8 Principles, the first of which is that “personal data shall be processed fairly and lawfully”. Part of “fair and lawful” is that you must be transparent about your use of personal data, and you mustn’t breach any of the Principles, commit any of the offences or use the data for activity which is otherwise inherenty unlawful (like scams and fraud, for example). One key requirement of being “fair and lawful” is using a Fair Processing Statement (a.k.a “Privacy Notice“) to tell people what you are doing with their data. This needs to include any activity which they wouldn’t reasonably expect – and I would think that having all of your online activity hoovered up and used to work out how best to manipulate you would fit squarely into that category. Or am I just old-fashioned?

Anyway, using MailChimp for email marketing if you don’t tell people what that implies for their privacy? Fail No.1.

Then there’s the small matter of MailChimp’s role in this relationship. Under DPA, we have Data Controllers and Data Processors. For the sake of user-friendliness, let’s call them respectively “Boss” and “Bitch”. The organisation that is the Boss gets to make the decisions about why and how personal data is used. The organisation that is the Bitch can only do what the Boss tells them. The terms of how the Boss-Bitch relationship works needs to be set out in a contract. If the Bitch screws up and breaches privacy law, the Boss takes the flak, so the Boss should put strict limitations on what the Bitch is allowed to do on their behalf.

Now, I haven’t seen the Ts and Cs that MailChimp are using or whether there is any mention of Data Controller/Data Processor relationships but I doubt very much if they could be considered a proper Bitch because they use a lot of subscriber data for their own ends, not just those of the organisation on whose behalf they are sending out emails. So if MailChimp aren’t a Bitch, then they are their own Boss – and so giving personal data to them isn’t the equivalent of using an agency for an in-house operation, it’s actually disclosure of the information to a third party to use for their own purposes (which may not be compatible with the purposes you originally gathered the data for). Now one of the things you’re supposed to tell people in a privacy notice is whether you are going to disclose their data, what for, and to whom. You’re also not supposed to re-purpose it without permission. Oops again (Fail No. 2)

I’m gonna skirt past the 8th Principle (don’t send data overseas without proper protection), because there’s just so much going on at the moment about the implications of sending data to the US, we’ll be here for hours if I get into that. Suffice to say, if the Data Controller (Boss) is a US firm, you have no rights to visibility of your data, control over its accuracy, use, security or anything else (Principles 2-7). None. Kthxbye. That might be fine with you, but unless you are informed upfront, the choice of whether or not to engage with the organisation that’s throwing your data over the pond to be mercilessly exploited, is taken away from you. Not fair. Not lawful. Fail No.3.

Aaaaand finally (for this post, anyway) there’s the PECR problem. Simplified: PECR is the law that regulates email marketing, one of the requirements of which is that marketing by email, SMS and to TPS-registered recipients requires prior consent – i.e., you can’t assume they want to receive it, you must ask permission. It does however contain a kind of loophole where if you have bought goods or services from an organisation, they are allowed to use email marketing to tell you about similar goods and services that you might be interested in (until you tell them to stop, then they can’t any more). This means that where the soft-opt in applies, you can send people email marketing without their prior consent (it’s a bit more complicated to that, but this isn’t a PECR masterclass – more info here if you’re interested)

However, PECR doesn’t cancel out DPA or contradict it, or over-ride it. You must comply with both. And this means that any company relying on the soft-opt-in to send email marketing via MailChimp is almost certainly in breach of the Data Protection Act unless they at the time they collect your email address have very clearly a) stated that they will use it for email marketing purposes and b) obtained your permission to pass it to MailChimp to use for a whole bunch of other stuff. Ever seen anything like that? Nope, me neither. Fail No. 4

So how come this is so widespread and no-one has sounded the alarm. Well, based on my observations, here are some reasons:

  1. No-one reads terms and conditions unless they are corporate lawyers. Even if tTs and Cs were read and alarm bells were rung, chances are that the Marketing department or CEO will have a different idea of risk appetite and insist on going ahead with the shiny (but potentially unlawful) option anyway.
  2. By and large, very few organisations in the UK actually ‘get’ the Data Protection Act and their responsibilities under it. They also don’t really want to pay for DP expertise either, since it will undoubtably open a can of worms that will cost money to fix and cause extra work for everyone. Much easier to take the ostrich approach and rely on the fact that….
  3. …the vast majority of UK citizens don’t understand or care about data protection either. Sometimes there is a gleam of interest when the word “compensation” pops up, but mostly they see it as a hurdle to be sneaked around rather than a leash on a snarling mongoose. Every now and again there is a spurt of outrage as another major breach is uncovered, but these are so common that “breach fatigue” has set in.
  4. Data-trading makes money, and ripping off people’s data/spying on them without giving them a choice/share of the cut/chance to behave differently makes more money than acting fairly and ethically.
  5. Fundamental cultural differences between the US and the EU’s approach to privacy. If you read this blog post by MailChimp’s General Counsel/Chief Privacy Officer, the focus is mostly on data security and disclosure to law enforcement. There’s little about the impact on personal autonomy, freedom of action or principles of fairness that EU privacy law is based on. Perhaps that’s because most of that stuff in in the US Constitution and doesn’t need restating in privacy law. Maybe it’s because the EU has had a different experience of what happens when privacy is eroded. Maybe he ran out of time/steam/coffee before getting into all that.

Anyway, if you got this far, thanks for reading – I hope there’s food for thought there. I’m not advocating that anyone boycott MailChimp or anything like that – but if you’re gonna use them, you should consult a data protection expert to find out how to protect a) your organisation b) your customers and c) the rest of us.

Right, back to web design research it is……

 

WARNING - this site sets cookies! Unfortunately, I am unable to disable some of the inbuilt tracking without killing the site content. tell me more

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close