ICO Study Deems Website Privacy Notices Are Too Vague And Inadequate

National statistics suggest that 87.9% of all adults in the U.K. use the internet. With some 45.9 million internet users, almost all Britons have access to the internet at work or for leisure.

Most of us carry a smartphone or an internet-connected device and are regularly checking the news, making purchases, watching videos, or logged in to social media. In one day, we may have visited over 20 sites, and the question is: how many of these take information about you and use it without your knowledge or consent? How many websites are truly safe?

The Information Commissioner’s Office set out to see whether websites across different sectors were doing enough to inform visitors about exactly what personal data they were extracting from peoples’ visits. A review of 30 U.K. websites was made, looking into a variety of sectors including:

Retail
Banking and lending
Travel
Finance price comparison sectors

Here are the ICO’s key findings:

26 out of 30 didn’t specify how and where any collected personal information would be stored
26 websites failed to give clear information on whether visitor’s personal information would be shared with third parties and what they would do with it
24 websites didn’t give visitors information about removing, or the option to remove, their personal information from the site
Seven didn’t have clear information about how a visitor could access the data held about them (i.e through a Subject Access Request).

These findings clearly make for bad reading. As reflected by the number of data breaches constantly being reported, data protection is not being afforded the respect it deserves. Companies are not adequately fulfilling their data protection responsibilities in informing their website visitors of what happens to the information they gather through visitor clicks, searches and inputted information.

This study is part of a global investigation led by the ICO, with 23 other data protection regulators from around the globe also participating in it. They concluded that, “there is significant room for improvement in terms of specific details contained in privacy communications.”

The Global Privacy Enforcement Network (GPEN) also provided the following findings over 455 websites reviewed:

Privacy notices tended to be vague
On the plus side, most did tell users that it was going to take information from the user
Unfortunately, most organisations didn’t tell users what was going to happen to that data
Many didn’t specify if personal data would be shared with others and if so, what for
Many organisations didn’t offer any information about the security of the data it collected

A lot of websites still referred to outdated laws that no longer applied or had been updated. Bigger organisations that provided services to more than one country often didn’t say which jurisdiction’s laws were applicable.

Research Group Manager for our ICO, Adam Stevens, said:

“These findings suggest that people using those websites that we and our international partners examined are generally not very well informed about what happens to their data once it has been collected. That just won’t do. It is important that it is clear to people how they can control their information online.”

As the General Data Protection Regulation (GDPR) looms in the near future, organisations need to step-up on their cyber security measures and provide the public with relevant information about how it takes and works with consumer data. Consumers have a right to be informed so that they’re aware of how their personal data is used, and how they can maintain control over it.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.

Create A Call Back

Information on how we handle your data is available in our Privacy Policy.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.