One of the biggest challenges is to encourage people to read privacy information. People are often unwilling to engage with detailed explanations, particularly where they are embedded in lengthy terms and conditions. This does not mean that privacy notices are merely a formality; it means that they have to be written and presented effectively.
- use clear, straightforward language;
- adopt a simple style that your audience will find easy to understand;
- not assume that everybody has the same level of understanding as you;
- avoid confusing terminology or legalistic language;
- draw on research about features of effective privacy notices when developing your own;
- align to your house style. Using expertise, for example in-house copywriters, can help it fit with the style and approach your customers expect;
- align with your organisation’s values and principles. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;
- be truthful. Don’t offer people choices that are counter-intuitive or misleading;
- follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and
- ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed. Privacy notices can be managed using content management systems (CMS).
Privacy notices for a wide range of individuals
If you are dealing with a wide range of individuals, you need to think about the relationships you have with the various groups and whether they will all understand the information. For example, a local authority might use information about eligible people to administer free access to local leisure facilities and information about business proprietors to collect business taxes.
Consider breaking your customers down into different categories and providing separate notices for each. This is likely to make information clearer and easier to understand rather than having a single, catch-all privacy notice.
Privacy notices for vulnerable individuals
If you collect information from vulnerable individuals, such as children, you must make sure those individuals are treated fairly. This involves drafting privacy notices appropriate to the level of understanding of your intended audience and, in some cases, putting stronger safeguards in place. You should not exploit any lack of understanding or experience, for example, by asking children to provide personal details of their friends.
Again, you should try to look at your collection of information from the individual's point of view. You should use your knowledge of the individuals you deal with to decide your approach. In particular, you should try to work out whether the individuals you are collecting information about would understand the consequences of this. If in doubt, you should be cautious and should instead ask the individual’s parent, guardian or carer to provide the information. Alternatively, you could develop mechanisms to prevent vulnerable individuals from going too far if you have already identified concerns, for example on a mobile app or website.
When dealing with vulnerable individuals, there may be times when using a combination of the techniques described in this code is not effective, as it may cause confusion or provide less clarity. If this is likely to be the case, the key point is to focus on providing a clear and understandable privacy notice that takes the target audience into consideration. The Privacy notices in practice section contains real-life examples of privacy notices demonstrating good and bad practice that we have retained from the previous version of this code of practice.
More guidance about consent and children under the GDPR will be made available separately to this code.
Privacy notices for people whose first language is not English
Sometimes you may want to collect information from people whose first language is not English. In some cases you may be obliged by law to provide forms and privacy notices in another language, for example, Welsh. Although you may not be required by law to offer translations, it is good practice to provide your privacy notice in the language that your intended audience is most likely to understand.