Sure, copy that privacy policy from your competitor … at your peril.
Did you suffer a flurry of ‘We’ve updated our Privacy Policy’ emails recently, many from organisations you don’t even remember dealing with in the first place?
Or have you been forced to click ‘Accept’ on some updated T&Cs just to keep accessing services or apps you have been using for years?
Frustrating as hell for the customer, as well as being hypocritical, spamming us about privacy. Blame the GDPR!
Or, actually… not so much the GDPR, as misinformation about the GDPR.
There seems to have been a widespread misunderstanding that the commencement of the General Data Protection Regulation (GDPR) in Europe required companies to send everyone on their mailing lists a request to ‘re-consent’ to stay on their mailing lists. What a marketing nightmare! Just imagine how many companies have decimated their contact lists in recent months, having now deleted anyone who didn’t actively opt back in. (Well, I assume they are actually deleting the records of anyone who didn’t opt back in, otherwise the whole exercise would be even more pointless and customer-trust-destroying than I first thought.)
And the parallel misconception about GDPR which prompted all those annoying messages was that as long as an organisation gets its customers to ‘agree’ to its new T&Cs or Privacy Policy, it now has ‘consent’ to do what it likes with their data.
In other words, the twin common reactions to GDPR were:
“OMG we need to get consent from everyone on our mailing list before 25 May or we won’t be able to do anything ever again”, and
“Hey let’s get consent by making people tick this box before they can even log back in”.
Both of these statements are wrong.
If you have read the GDPR, you will know it doesn’t say anything of the sort.
(But BTW if you haven’t read the GDPR, I don’t blame you. It’s no John Grisham page-turner, let me tell you. It’s dense and unstructured. Europeans could learn a lot about legislative drafting from us Aussies.)
The GDPR does not require consent for every marketing message, or for every other instance of using personal data. Just like Australian privacy laws, there are plenty of grounds on which an organisation can collect, use or disclose personal data, without needing to seek the individual’s prior consent.
But if you do need to rely on consent … well, unfortunately the GDPR does not allow you to obtain consent via mandatory T&Cs.
So where do we start sorting out this mess?
First, there are privacy principles (the APPs in Australia, and Article 6 of the GDPR in Europe for example) which say whether or not an organisation can legitimately collect or hold personal data about someone, and how that data can be used or disclosed.
Taking the GDPR rules as an example: having a person’s consent to do something (send them marketing messages, disclose their data to third parties, use it for research, or whatever) is indeed one of the six ‘lawful grounds of processing’, which is GDPR-speak for the authorised grounds on which an organisation can collect, use or disclose personal data. But there are also five other grounds! One of those other grounds is ‘legitimate interest’; and in many cases marketing to customers with whom you have an existing relationship is one such ‘legitimate interest’.
The Australian privacy rules are similar. Consent is but one of the grounds on which personal information can be collected, used or disclosed.
Then there are separate laws which cover the actual sending of electronic messages like email and SMS. Examples include the Spam Act in Australia, and the ePrivacy Directive in the EU. They tend to say that to send marketing messages you need to either already have an existing business relationship with the individual, or get their consent, before sending them an electronic marketing message.
So why is there so much confusion about this stuff?
In a word: America.
The big difference between American privacy law and the rest of the world
I sheet the blame home to the US model of notice and consent.
The USA is the outlier when it comes to privacy law. Most of the rest of the developed world has what’s known as omnibus privacy laws. So in most countries there will be legislation called something like the Privacy Act or the Data Protection Act, which will apply to a vast range of organisations, usually covering both government and business. Those laws set out broad privacy principles governing how personal information (known as ‘personal data’ in some countries) can be collected, stored, used and disclosed. Privacy principles also say things about the need to ensure data security and data quality; not keeping data longer than necessary; giving people rights of access and correction; and so on.
But in the US, instead of the omnibus approach they have what is known as a sectoral law approach. They have one piece of legislation that just talks about the privacy of financial records in banks, and another one just for federal government agencies. They have a separate law about the privacy of health insurance records; another law that talks about students’ privacy; and yet another law about the privacy of video rental records. And there is an Act which protects the privacy of children online. So the US has a few privacy laws designed for different sectors.
But what they don’t have is one set of rules that applies to all sorts of different businesses. So as a result the giant data-gobbling tech companies in the US – Facebook, Amazon, Alphabet (Google), Apple, Microsoft, Uber and Airbnb – are for the most part not regulated by privacy legislation. Because of this gap, the default form of privacy protection for most industries in the US, including those industries which matter most in the online world, is consumer protection and trade practices law. This is where the ‘notice and consent’ model comes from.
So instead of taking a human rights perspective on privacy law (as much of the rest of the world does), if you come at the issue of authorising data flows purely from a trade practices angle, the chief requirement is to ensure that contracts are not misleading or deceptive. In other words: you just have to tell people up front what you are going to do with their personal information, and then you can go ahead and do it.
What that means is we have this US model where buried somewhere in some fine print will be a complex explanation of what a company is going to do with your data. There are no broad-reaching privacy principles limiting whether they should be collecting your personal information in the first place. There is no limitation on the purposes for which they can use or disclose your data. They simply have to tell you upfront that this is what they are going to do.
And then if you choose to buy the product or use the service anyway, well then, you must have ‘consented’ to whatever it is they plan to do with your data.
Unfortunately the business practices that flourish under that lack of proper privacy laws in the US have spread throughout the rest of the world, like an insidious virus.
Thus we have this business culture that designs its customer experience to be that whenever you’re dealing with an organisation online, downloading an app, looking at a website or whatever, you have to tick a box that says ‘I agree to the T&Cs’; or you will be presented with a statement to the effect that ‘By using our website, you are agreeing to our Privacy Policy’. In those examples, American law has been satisfied.
The problem with this approach is that companies can bury whatever they like in those terms and conditions – which, let’s face it, nobody ever reads. Or if the customer does read the fine print, they probably don’t understand that phrases like ‘share data with our partners to personalise your experience’ mean the kind of privacy-invasive profiling practices on which data brokers thrive.
There have been some really neat illustrations of the problems with this US model, like the Londoners who ‘consented’ to give up their first born child when signing up for free wifi, or the privacy terms for a fitness app which are so long that the Minister for Consumer Affairs jogged 11km in the time it took for the terms to be read out to her.
But what about consent?
Another failing of the US model of notice and consent is that what Americans mean by consent is different to what most of the rest of the world means by consent. The American model is to have terms and conditions that must be ticked, and then (if you are lucky) the business will say something like, ‘by accepting these terms and conditions you are consenting to X, Y, and Z’.
The Facebook / Cambridge Analytica scandal shows these practices as based on an absurd legal fiction which can no longer stand. It is not only utterly ridiculous to suggest that the 87 million ‘friends’ of the 270,000 users who downloaded the app used to scrape data for Cambridge Analytica consented to the collection or use of their data; I doubt many of the 270,000 original users even gave a consent that would be considered valid under Australian or European privacy laws.
Having one line in the standard Facebook T&Cs which says that by signing up to Facebook users are ‘consenting’ to the use and disclosure of their data ‘for research’ (the basis on which the data was shared with Cambridge Analytica) makes a mockery of the law of consent, as well as established ethical rules regarding research activities.
So should we ask people to agree to our Privacy Policy?
I had a discussion recently with a potential client who wanted to know if they could just copy the privacy policy of a competitor. This is what the introduction to that policy said:
“By using or accessing our Website or the Services in any manner, you acknowledge that you accept the practices and policies described in this Privacy Policy, and you hereby consent that we may collect, use, and share your information as described herein. If you do not agree with our policies and practices, your choice is not to use our Website or our Services.”
Here’s what I said in response:
No no no no no, that is absolutely not compliant with either Australian or GDPR law. No one needs to agree with a policy. (Would you ask your customers to agree with your anti-bullying policy, or your Casual Friday policy?) But more importantly telling people they are ‘consenting’ to something simply because they use a website is not a valid consent. Not even remotely.
That’s not how privacy law works in Australia, and it’s not how privacy law works in most of the rest of the world. The GDPR will claim the credit for the coming revolution in how ‘consent’ is managed, but it’s the same position as we have had here for decades. Australian privacy case law, and guidance on the meaning of ‘consent’ from Privacy Commissioners both state and federal, have been consistent on this point, but Australian privacy law just doesn’t get the kind of airplay that the GDPR does.
Under Australian privacy law, for consent to be valid, as the legal basis on which an organisation can collect, use or disclose personal information, it must have five elements: it must be voluntary, informed, specific, current, and given by a person with capacity.
So here’s my summary of what Australian privacy law actually requires.
Nine truth bombs about privacy law in Australia
If you are a business regulated by the Australian Privacy Act, you should know this:
1. You must have a Privacy Policy on your website.
2. Your Privacy Policy is not magic. It cannot authorise you to do anything that the privacy principles don’t already allow. Your Privacy Policy is solely there to inform people, in general terms, how you handle personal information. See APP 1 for what your Privacy Policy should include.
3. Don’t ask your customers to acknowledge, agree or consent to your Privacy Policy. It’s pointless. Don’t draft your Privacy Policy like a contract. It’s annoying. And pointless.
4. Every time you collect personal information, you must give your customers a collection notice, specific to that collection. Your Privacy Policy is not a collection notice. See APP 5 for what a collection notice should include.
5. To be valid under privacy law, consent must be proactive: voluntary, specific, informed, current, and given by a person with capacity. It must be as easy to withdraw consent as to give it. It cannot be a condition of doing business with you.
6. A collection notice is not consent. Your Privacy Policy is not consent. Clicking on mandatory T&Cs is not consent. Offering an opt-out is not consent. Pre-ticked opt-in boxes are not consent. You cannot gain, infer or imply your customer’s consent to something simply because you mention it in T&Cs, a collection notice or your Privacy Policy.
7. BUT YOU DON’T NEED CONSENT TO DO MOST THINGS. Consent should only be necessary if you are planning to do something well beyond your primary purpose, and outside your customers’ expectations, or if you are planning to collect particular types of data known as ‘sensitive’ information. Read APPs 3 and 6, which outline loads of different circumstances in which personal information can be collected, used and disclosed, without needing to seek the customer’s consent.
8. Make sure you have separated out your collection notices from your consent forms and your Privacy Policy, and know when each one is needed and what they should include. They are three different things, serving three different purposes. (Check out our template documents if you need assistance.)
9. But understand that none of them offer an exemption from the requirement to only collect personal information that is ‘reasonably necessary’ in the first place. And that can be the biggest challenge of all.