Lessons From UK’s ICO Revised Privacy Disclosure Guidance

The UK Information Commissioner’s Office (ICO) recently released a revised code of practice to guide businesses about communicating privacy practices to individuals. As part of enforcing the Data Protection Act 1998 (DPA), the ICO has released these materials to assist businesses working to comply with the law. The Code recommends that organizations map out what information is collected, how it flows through an organization, and what type of data processing occurs. This could be done, for example, through a privacy impact assessment for which the ICO has provided guidance. Privacy notices should then, at a minimum, identify who the organization is, what the organization is going to do with consumer information, and who it will share the information with. In situations where consent is required, organizations must determine how to obtain and record consent. The ICO provides a privacy notice checklist to assist companies in the development of privacy notices. Similar to encouragement in the U.S. from the FTC, the ICO urges companies to use “clear and straightforward language” and to avoid legalese.

TIP: This new Code provides helpful insight into the UK ICO’s expectations around the content of privacy notices, as well as the process companies would go through to create one.