INFORMATION WE MAY COLLECT ABOUT YOU:
In order to ensure that consent to processing is "informed", information should be provided as to the types of data which the site will process. In most cases this will be obvious, but the policy should also refer to any data which are automatically collected (such as e-mail addresses, and times and dates of visits to the site) or which are collected from chat rooms or discussion groups. It should also refer to data which are not collected directly from the data subject (for example, data collected from other websites).
A question arises as to whether an Internet Protocol (IP) address can constitute personal data. An IP address is a 4 to 12-digit number (such as 220.127.116.11) that identifies a specific computer connected to the internet, and which can usually be converted into a more memorable 'real' text address known as a domain name (such as www.practicallaw.com). Various internet server computers located around the internet have a database conversion table that automatically converts a domain name into the numeric address of the relevant host site and vice versa. There are also "who is" services offered by sites which, upon the user providing a domain name or IP address, offer information about the owner of that name or address (for example, www.allwhois.com/cgi-bin/allwhois.cgi). The Commissioner's view is that an IP address may fall within the definition of personal data under the DPA where it can be linked to an individual user perhaps through other information held or from information that is publicly available on the internet. This issue is not specifically addressed in the DPA.
In many cases, website operators will be permitted to process IP addresses under the legitimate interest condition set out in paragraph 6(1) of Schedule 2 to the DPA. However, the website operator's interest must be balanced against the legitimate interest of the user in his privacy. Website operators should therefore exercise caution and process IP addresses only when necessary.
Cookies are small data files which most website operators place on the browser or hard drive of their user's computer. Cookies may gather information about the user's use of the website or enable the website to recognise the user as an existing customer when he returns to the website at a later date. More recently, cookies have also been used to collect information about the user which allows the website operator or a third party to create a profile of the user, his preferences and his interests for the purpose of serving the user with targeted, interest-based advertising.
Most browsers currently accept cookies automatically by default, although they can be set so that cookies are accepted by clicking an "accept" button, and users can change those settings to block some or all cookies.
CLEAR AND COMPREHENSIVE INFORMATION:
Browser settings are specifically envisaged in Recital 66 of the Citizens Rights Directive (2009/136), which amended the E-Privacy Directive and which was implemented in the UK through regulation 6(3A) of the revised 2003 Regulations. Regulation 6(3A) provides that as a general rule "consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent". The ICO and the Department for Culture, Media and Sport (DCMS) have published initial guidance on the changes to the cookie regime. Both agree that at present most browser settings are not sophisticated enough to allow online providers to assume that the user has given their consent to allow a website to set a cookie. However, the government is currently working with the major browser manufacturers to address this issue.
If a user accepts cookies from the site, it might make sense for the website operator to store that preference (for example, by setting a "cookie acceptance" cookie on the user's browser or hard drive), to avoid the need to obtain consent again when the user next visits the site.
The 2003 Regulations allow website operators to make the user's access to certain web pages dependent on his acceptance of cookies. As a matter of good practice, the user should be informed, however, that restrictions on his use of the website apply if he decides to reject cookies.
Where we store your personal data
USES MADE OF THE INFORMATION:
Specific requirements apply to the provision of direct marketing information by electronic means (e-mail and SMS). Before the adoption of the Regulations, advertisers (including website operators) in the UK were permitted to send unsolicited commercial communications on an "opt-out" basis: that is, they could send them until the addressee expressly required them to refrain from sending such communications in accordance with their rights under section 11 DPA. Under the Regulations this right has been severely limited. Regulation 22 provides that anyone wishing to send unsolicited direct marketing information by electronic means can only do this on an "opt-in" basis (that is, with the prior consent of the recipient) unless:
The recipient's contact details were obtained in the course of a previous sale or negotiations for a sale; and
The communication is in respect of the sender's goods or services that are similar to the ones purchased in the context of that previous sale.
E-businesses wishing to use data they collect online for the purpose of direct marketing should also be aware of the Consumer Protection from Unfair Trading Regulations 2008, which implement Directive 2005/29/EC concerning unfair business-to-consumer commercial practices. Regulation 12 (implementing paragraph 26 of Schedule 1) provides that a trader is guilty of an offence if he makes persistent and unwanted solicitations by telephone, fax, email or other remote media except in circumstances and to the extent justified to enforce a contractual obligation. Penalties for contravention can amount to an unlimited fine or a prison term of no more than two years (Regulation 13).
Note that if there is a change in the purposes for which visitors' data are collected, the policy will require amendment, which in turn will need to be notified to data subjects. Website owners should therefore give careful consideration to any future uses to which they are likely to put the data they collect, so as to avoid or minimise the risk of having to seek further consents.
Disclosure of your information
Information should be provided as to whether the data will be accessed by, disclosed or sold to, third parties, and for what purposes (such as for credit card clearance, credit reference, order fulfilment, delivery, data analysis or customer support) (paragraph 2(3)(d), Part 2, Schedule 1, DPA). Some website owners sell customer lists, for example to advertisers. It is particularly critical for the data controller to have the right to transfer data on a sale of the business.
There is nothing in the legislation which prevents consents from being withdrawn at any time. However, except in the case of direct marketing by electronic means, there is no legal requirement to include a provision reminding users that they may at any time object to processing for the particular purposes to which they consented. Including such a provision may help to promote confidence in the site, although some website owners may prefer not to bring the right to withdraw consents to the attention of visitors to the site.
ACCESS TO INFORMATION:
Pursuant to section 7 of the DPA, an individual can make a written request:
To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller; and
Where that is the case, to be given by the data controller a description of the personal data, the purposes for which they are processed and the recipients to whom they may be disclosed ("subject access request").
Piranha Trading Limited, Quadrant House (Floor 6), 4 Thomas More Square, London E1W 1YW.