The Information Commissioner, Richard Thomas, is fast approaching his departure date, and opportunities for major announcements must be dwindling. However, today’s announcement of a Code of Practice (CoP) for Privacy Notices would not make a bad coda.
First, there’s no doubt that guidance is needed: many sites still publish privacy notices whose goal seems to be a blend of FUD (Fear, Uncertainty and Doubt) and covering the corporate backside with enough legalistic paper to ensure that they can do what they want with your data without risk of a serious challenge.
Second, the guidance given here is actually pretty good: there are practical suggestions as to what you should do, complemented by examples of good and bad practice.
It’s not perfect: for instance, real life is often not as simple as the examples might make out… if I use Google Analytics to track traffic on my website, then the privacy-respecting promises I make to my users depend, in some respects, on the policies and behaviour of a third party.
Also, although it recommends a “layered” approach to informing users (short, clear introductory information backed up by links to more detail), it stops short of current US Govt research findings, which suggest that the best way to do this in practice is by judicious use of tabular layouts.
However, balancing that, there is detailed guidance here for small businesses, presented in a way which makes it approachable and clear. The ICO’s Code of Practice deserves to be read, and end users deserve to get better privacy outcomes as a result.