Simply creating a privacy policy and putting it on your website for individuals to find won’t be enough to discharge your legal obligations under data protection law. The Information Commissioner’s Office (ICO) makes it clear that policies should not be hidden away on a website, and that businesses must actively draw individuals’ attention to relevant parts of it at the time that they provide their personal data. We’ve set out some examples of how to display a privacy policy on your website below.
Displaying a privacy policy on a website
How to present your privacy information
The ICO recommends that, rather than simply presenting your privacy policy as a big block of text, you present the information in a variety of ways to make it easier to understand.
For example, if you are collecting personal details through an online order form, the form could explain why you need each piece of information and what it will be used for as the customer goes through it, and provide a link to your full privacy policy (or relevant part of it) for more detail.
Alternatively, you could provide an accessible short summary of the key points in your privacy policy, with links to expand on each point to give full information.
The Government recommends that, in order to help improve customers’ understanding of privacy information, businesses could consider the following approaches:
- Using a FAQ format to present key terms, eg ‘What will you use my email address for?’
- Illustrating key terms with icons
- Providing terms in a text box that the customer can scroll through
- Providing certain privacy information when it is most relevant (eg when a customer provides their email address, explain to them there and then what it will be used for)
- Using illustrations and comics to explain certain processes (this may be particularly relevant if children will be using your website – see below)
- Letting customers know how long it will take to read your privacy policy
- Telling them when it is their last chance to read it before they complete their purchase
Bear in mind that your policy itself must be written in plain language so that it is clear, concise and easily accessible. Use our template to create a customised privacy policy for your website.
You can find guidance about when to provide your privacy policy in this blog.
How to display a privacy policy on your website: Customer awareness
Once you’ve decided how to display your privacy policy on your website, the ICO recommends that you carry out user testing across a sample of your customers. This will help you to understand whether users are aware of your policy, how they accessed it, whether they easily understood it and/or whether they noticed any errors. You can use the results of any feedback to help ensure that your privacy information is achieving its purpose.
Updating your privacy policy
You should keep your privacy policy under regular review to ensure that it continues to accurately reflect your use of personal data.
If you change the way you use personal data, for example if you want to use it for a purpose that isn’t currently set out in your privacy policy, you’ll need to update your policy first. When you’ve updated it, you must proactively bring the changes to your users’ attention.
Bear in mind that in some instances, if the new way you want to use someone’s personal data is not compatible with the original reason you collected it, you will need to get their consent first.
Privacy policies and children
If your ecommerce website is likely to be accessed by children then, in addition to the above, you must make sure that you provide your privacy information in a way in which children can understand it. You should also make sure you comply with the ICO’s Age Appropriate Design Code, which makes the following recommendations when providing privacy information to children:
- Provide privacy information in a clear and prominent place on your website and present it in a child-friendly way (eg using pictures, symbols or interactive content).
- Provide ‘bite-size’ explanations at the point at which children give you their personal data or at other appropriate times (also called just-in-time notices). You might also suggest that they check with an adult before proceeding, depending on their age range.
- Make sure you use child-friendly explanations alongside any legal language.
- Consider how you can tailor the information to the age of your users (ie will one set of privacy information work for everyone or do you need to consider different developmental needs?). For example, if your service is likely to be accessed by very young children, you are more likely to need to rely on parental support and to encourage children to check with a trusted adult before proceeding.
Equally, if you provide parental controls on your website or app, you must give children age-appropriate information about this (eg by providing them with an obvious sign that they are being monitored). The ICO also recommends that you provide the parents with information about their child’s right to privacy.
To find out more about the Age Appropriate Design Code, see our Q&A on Privacy and Children.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.