A plea for clear guidance on privacy policies

EDITORIAL: Barely a day goes by without Google or Microsoft or some other company with vast vaults of our personal data tweaking its privacy policy.

This confused me: was the Commissioner now saying that a link was compliant? I phoned his office and was told no, the old guidance held true: a link is not enough. The report was not an endorsement of Microsoft’s first layer. A reader could not possibly know that, so it is no surprise that a link to a policy is the most common approach today.

You see the problems faced by Google et al.? Come June 2007, though, the ICO issued brand new guidance for website compliance (9-page / 69KB PDF). It was time to sound the trumpets; clarity was at hand.

Well, not quite. It cleared up the previous issue by insisting that a simple privacy policy link is insufficient. But it caused heads to be scratched anew with its muddle on layered notices, which it again advocated as best practice.

“This usually consists of three linked notices which are increasingly concise,” it said. But it went on to say that the short notice “is used where there is not enough space for the other layers, so will not usually apply to websites.” So the current recommendation for websites is a three-layer notice, one layer of which is unsuitable for websites. Clear as Conrad Black’s name.

There is another fundamental ICO mistake: it can declare all it likes that links to privacy policies are not enough, but has it ever taken action against, or even criticised, a company only employing such a link? No.

Companies will think, therefore, that the requirement is trivial. The Commissioner could stop a company from using its customer database because the collection was unfair, a massive sanction in these data-driven days. That could seem to many firms to be a bolt from the regulatory blue. For the sake of fairness, if today’s standard practice breaks the law, the Commissioner must say so, loud and clear.