Having spent many, many hours reviewing privacy notices lately – both for the day job and for my own personal edification – I’m discouraged to report that most of them have a long way to go before they meet the requirements of Articles 13 and 14 of the GDPR, let alone provide an engaging and informative privacy experience for the data subject.
Because I am a nerd who cares passionately about making data protection effective and accessible, but also a sarcastic know-it-all smartarse, I created this bingo scorecard to illustrate the problems with many privacy notices (or “policies” as some degenerates call them) and splattered it across social media. Hours of fun.
I am not just about the snark
However, I am also a geek who would much rather there was no need for my hissy fits of piss-taking and so in that spirit, I shall deconstruct here; why the items on the bingo scorecard are Bad Things to find in a privacy notice.
A privacy notice is a communication that needs to convey useful information, not a guessing game. If you say you ‘may’ do something, I’m left in the dark as to whether you’re actually doing it to MY data, and when that might be, if so. If you’re going to do something, say you do it. If you’re going to do something but only under particular circumstances, then describe those circumstances. If you’re not going to do it, don’t even mention it.
“Personally Identifiable Information”
This is not the same thing as personal data, it’s a subcategory of personal data. When I see this in a privacy notice, it immediately says to me that either the organisation is either oblivious to the premise and requirements of EU privacy law, or that they are trying to pull a fast one by doing all kinds of stuff with de-identified personal data that they don’t want me to know about. More about the differences between “PII” and ‘personal data’ here:
You will not find the word “citizens” anywhere in the text of the GDPR. Feel free to do a search on the text if you don’t believe me. That’s because data protection rights are human rights, and residency status is not a variable for ascertaining humanity. It’s about data subjects located in the EU, Data Controllers carrying out activities in the EU or Data Controllers who are offering goods and services to people located in the EU, or who are monitoring the activity of people located in the EU. People. Not just citizens. If a citizen of the EU goes to a third country, they lose the protection of EU law.
“by <….>, you consent to this processing”
Consent must be informed, freely-given, specific and unambiguous. That means the data subject needs to take some kind of positive action to indicate their consent to processing which has been described to them, in circumstances where they have a genuine choice and where the consent for processing is not tied to an unrelated activity. By browsing a website and reading the privacy notice, I consent to……nothing at all. By wearing my socks on my ears, I have nice warm ears and look a bit daft but am still not consenting to anything at all.
If I were to provide my email address on a company’s website to enter into a prize draw, I would be consenting to having my email addressed used to select and notify the winner of the prize and that’s all. If the company wants to use my email address to send me marketing then they have to get entirely separate consent from me to do so.
More about consent for data processing here:
“General Data Protection Regulations“
Just one Regulation. A big beast, to be sure – but a singular one. If an organisation can’t even get that right, what are the chances that they’ll be paying proper attention to what it actually says? Not great, I reckon.
You’re not allowed to use the ICO’s logo without their permission. If a website owner uses the ICO’s logo without permission then they are acting unlawfully by breaching copyright. If they are willing to act unlawfully in regard to intellectual property, what makes you think they will be any more ethical or diligent about processing your personal data, eh? At best, they are clueless. At worst, they are being deliberately deceptive. Either way, their privacy notice is not to be trusted and neither are they.
Refers to the DPO as the “Data Controller”
A Data Protection Officer is an individual who performs the functions described in Articles 37-39 of the GDPR for an organisation (either in-house or on an outsourced basis). A Data Controller is the organisation which determines the purpose and means of the processing of personal data. Even if the Data Controller is a sole trader, there would probably be a conflict of interest disqualifying them from being the DPO anyway (there’s one for the DP geeks to gnaw on). If an organisation doesn’t even know the difference between DPO and Data Controller, then the chances of them knowing enough about data protection obligations and rights to be able to process your personal data fairly and lawfully, are pretty slim.
“We keep your personal data as long as necessary”
See also; “as long as required by law”. More guessing games. How long is that then? Unless it’s something outrageous, unexpected or high-risk; why even bother to tell me about it? What is “necessary” and how do you justify it?
Oh, and if you’re saying there’s a law that requires you to do something with my personal data, please cite that actual law. Making a statement saying “we comply with the law” gets you no Brownie points – the whole point of the law is that you have to comply with it. You might as well make sure you say “We don’t chop off annoying people’s heads with axes” too.
One loooooong page/doc
The harder it is for me to read your privacy information, the more likely it is that I will suspect you’re up to no good and make the effort to scrutinise it. Now, that’s just me because I’m a suspicious-minded nitpicking smartarse, but even for people who don’t spend their leisure time examining privacy notices, the point of the whole exercise is – as I mentioned above – to effectively communicate information to people about what’s going on in relation to their personal data. The GDPR even says in Recital (39) that “The principle of transparency requires that any information and communication relating to the processing of [..] personal data be easily accessible and easy to understand”. Making me scroll through acres of dense small print until my brain turns to mulch, is basically doing the opposite of what the GDPR requires.
(NB: If you want to see an absolutely beautiful privacy notice, have a look at this. Seriously. It’s the best bit of UX I have ever seen. I am a little bit in love……and probably need to get out more)
“From time to time…”
This is a phrase which conveys absolutely nothing in the way of useful information. Which times would those be? 3 times a year? Once a week? Under what circumstances? Every time I [example redacted in the interests of good taste and public decency]?
It reeks of ‘we couldn’t be bothered to think about this too hard’….or even ‘we daren’t tell them what’s really going on’. Either way – not a good look. A waste of pixels/printer ink.
Lists purposes separately to legal basis
This might keep auditors happy when they review your privacy notices so they can tick the ‘Article 13 requirements” boxes, but unless there is a clear narrative for the data subject to follow in relation to their personal data; it’s not actually going to meet the obligations of transparency. I want to know what’s happening with my data, under which circumstances, and why you think that’s allowed. Separate lists will not allow me to do that. Tell me that you’re going to use my postal address to send me news about your latest offers and that you reckon this is in your legitimate interests. Tell me that you have to keep Gift Aid declarations for 6 years because the Tax and Finance Act (or whatever) says you have to. Don’t tell me that there are a number of potential purposes for processing my personal data then make me have to try and figure out which one of the potential legal basis you’ve listed somewhere else is being used to justify the processing activities that you’ve described in yet a third separate list. Not transparent. Not helpful.
Administration is an activity not a purpose. It is not an end unto itself. No-one gets up in the morning and goes “ohhh, my whole reason for living is to administrate!” What is the administration activity and why is it being carried out? Perhaps you need to make sure my contact details are up to date so that you can chase me for my membership dues, which are a requirement of my agreement with you. Maybe you need to make sure that your event tickets are not sold to more people than the venue can accommodate. Obviously, there are some legal obligations your organisation must fulfil. So please tell me about them rather than skulking behind the diaphanous skirts of “administration”
“including, but not limited to….”
If it’s worth mentioning, it’s worth telling me all of it. Examples are helpful but they do not replace the legal obligation to describe the processing, the purposes and the legal basis for the processing. If your organisation doesn’t actually know what you’re going to do with my data then I don’t want you to have it. If you know but you’re worried about telling me, then I really don’t want you to have it!
Looks and sounds like a contract.
Oh, do piss off.
Encryption is a tool to mitigate a particular type of risk. It is not always the appropriate tool and like any other tool, is only as good as the implementation and competence of the people using it. You could be using 3DES to protect the negotiation for your public key exchange, with your own CA in a bulletproof box, but if your sysadmin’s password is “Password” or you’ve mixed up your public and private keys, then you wasted a lot of time and money (rather like buying a rocket launcher then using it to bash your own head in).
If you couldn’t make head or tail of that last paragraph, then don’t worry – the people who write “military-grade encryption” into a privacy notice don’t know what any of it means either.
“We take data protection very seriously”
See previous comment on boasting about not axe-murdering people.
A privacy notice isn’t there to cover your arse. Yes, it’s a legal requirement but the purpose of that is not simply to make you jump through hoops like a Peke at Crufts. The purpose of the legal requirement to provide privacy information is not to give you something to point to to tick off the ‘transparency’ principle, it is the transparency principle. The data subject has the right to be informed. If all you’ve done is obfuscate, bore, deceive or puzzle them then you have achieved the exact opposite of what GDPR requires and must now go all the way back to the beginning and start redrafting your privacy info.