Over the course of the next 12 months, all UK-based websites will need to ensure that they are fully compliant with the Information Commissioner Office’s (ICO) legislation on data collection.
The legislation demands that all websites must make sure they have informed consent from visitors before they can collect any form of personal data. The implications of failing to comply are huge. Businesses risk fines of up to £500k, as well as reputational damage.
But getting it right is not easy. In fact, the ICO’s own website recently implemented its own guidelines, and saw a dramatic 90% fall in visitors. So if the ICO can’t get it right, what hope do British companies have if they wish to avoid the same mistakes?
Here are my top tips for organisations that want to strike the right balance of enticing visitors, but remaining compliant with this complex piece of legislation.
Don’t bury your head in the sand
Ignoring the legislation and hoping it will go away will just not work. There is a world-wide, and in our opinion unstoppable, momentum towards the implementation of legislation aimed at protecting the rights and privacy of consumers.
And as responsible players in the market, web site operators and technology providers alike should applaud this. Not only will it help to avoid hefty fines, but it will go a long way in helping to build lifelong, trusted relationships with customers.
Start with an audit
The ICO recommends that site owners start with an audit of what cookies and other data they are collecting from, or storing on, users’ devices. Tackle this head on and consider how “essential” this information is to your business and how “intrusive” it is to visitors’ privacy.
Once this is determined, you can then create a plan to gain consent for the data you do need, and stop collecting the data that is not directly benefiting your business.
Be transparent, but be smart and explain the benefits
Make sure that your customers and visitors know what data you are gathering, what you are going to do with their data and why you are doing this. But don’t just plaster the site with big red warning notices, or bombard users with endless requests to opt-in or allow each minor feature.
Typically what you are doing is to benefit the customer in some way – whether that is to provide more relevant content or to offer a free service – and if you explain this benefit to the customer and convince them that you are not doing a “bad thing” then they will happily opt to allow you to proceed.
If you can’t explain the benefit they receive, then you are probably not going to get their informed consent, and that typically means you need to think harder about how you are going to deliver a benefit in return for their data.
If your customers are entrusting data about themselves to you, your obligation (in law and in common sense) is to look after this data, hold it securely, use it in the ways you told them you would, and only share it with others if the user has consented to this. Provide robust controls on data access; use secure databases and ensure the supplier is a reputable and accredited firm.