Cookie consent pop-ups among the ICO’s intended topics of discussion at the recent G7 meeting

Cookie consent pop-ups need to be tackled in order to provide more meaningful consent and a better browsing experience, according to the ICO.

 

At a recent meeting of the data protection authorities of the G7 countries, the ICO chose to raise the topic of cookie consent pop-ups. The ICO noted that members of the public have complained about having to interact with cookie consent pop-ups every time they arrive on a website. More importantly, the ICO believes that these pop-ups, especially when awkwardly designed, tend to lead people to consent to sharing more personal information than they would like. The ICO released a statement earlier this month setting out its intention to raise this topic at the G7 meeting.

 

The ICO is of the opinion that currently, cookie consent pop-ups may cause individuals to consent to more use of their personal data than they would have liked.

 

Cookie consent pop-ups and their requirements have been a topic of conversation for quite some time, not only among the general public online but also among the relevant data protection authorities. We recently published an article discussing best practices for cookie consent pop-ups and banners, as outlined by the Malta DPA. In preparation for the virtual meeting on September 7-8, the ICO expressed interest in discussing this with its fellow G7 data protection and privacy authorities. The Information Commissioner expressed the view that, in their current form, some cookie consent pop-ups and banners may lead individuals to consent to more access to, and use of, their personal data than they would have liked.

 

While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development.

 

The ICO has recently announced several intended changes to its data protection model, and cookie consent pop-ups were one of the key points on which the authority expressed interest. While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development. The ICO holds a vision for the future in which web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, instead of having to do so through pop-ups each time they visit a website. This may allow individuals to be more intentional in their selections, rather than selecting whatever they feel they need to in order to get past a banner. This approach is already technologically possible and compliant with data protection law; however, the ICO believes that more can be done to effect change and promote more privacy-oriented solutions.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive, which together ensure the protection of natural persons with regard to cookie consent pop-ups and banners.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive. There are several types of cookies, and in most cases users can choose among them. For example, a user can choose to allow only the storage of necessary cookies and reject any additional cookies for marketing or preferences. Recital 30 of the GDPR does mention cookies, insofar as they can be used to identify individuals, especially given the amount of information about a user that can be stored and linked through them. The ePrivacy Directive is sometimes known as the "cookie law", as it has been very instrumental in shaping the current use of cookie consent pop-ups and in ensuring that valid consent is obtained for the storage and use of cookies. The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will naturally be a continuous job.

 

 

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Children’s Code Standards

Children’s Code Standards on use of their online data

The ICO has outlined the Children’s Code standards on use of their online data.

 

The ICO has recently put the spotlight on the Children's Code standards to give organisations greater clarity regarding their use of children's data. For online businesses, there are a few important points to keep in mind. In all actions taken by organisations operating online, the child's best interests should be given prime consideration, in line with the United Nations Convention on the Rights of the Child (UNCRC). The Children's Code standards include several guidelines on how best to collect and handle children's data, and on how to provide the best level of protection for children against abuse and other forms of exploitation.

 

The Children’s Code standards outline several measures which must be taken in order to protect children and their data. 

 

Children should be kept safe from commercial exploitation, including personalised features designed for revenue, personalised advertising, monetisation of children's data, and age-inappropriate or fraudulent products. Businesses should also abide by the standards set by the Committee of Advertising Practice. Children should always be protected from abuse when they interact with others. Organisations are expected to prevent automated sharing of children's data, to ensure that it does not end up in the hands of an exploitative individual or organisation. High privacy settings are recommended, and children should be informed about how their data is being used.

 

Children should remain protected from misinformation, while understanding and controlling the information they share with others. 

 

Moreover, according to the UNCRC, children have the right to unbiased information so that their best interests remain protected, and they should be protected from misinformation. The UNCRC also provides for children's right to play. Children's data can therefore be used to improve child-friendly gameplay. However, children should have the freedom to join and leave groups of their own will and without consequence. Children should be helped to understand and control the information they share with others.

 

Organizations are required to remain up to date with guidance from the ICO with regards to dealing with children’s data. 

 

All online organisations and services are prohibited from using children's personal data in a way that is detrimental to their wellbeing. For this purpose, they are required to conform to the detrimental-use standards set out under the UK GDPR, industry codes, regulatory provisions and government advice, and to keep up to date with changes to them. Before marketing, online businesses should also ensure that they follow all guidance issued by the ICO. Businesses are expected to implement the relevant codes of practice and the guidance the ICO publishes from time to time, including in its blogs.

 

Companies who collect data from children should adhere to the principle of data minimisation and only use data in the ways in which it was intended. 

 

When collecting data from children, online businesses are also expected to collect only the minimum data needed to serve the purpose, and to keep it only for the time required. Collection should be separated out for each element of the service, and children should be able to decide which elements they want. Companies should avoid using the data for other purposes, particularly for personalising the user experience.

 

Observing these guidelines while handling children’s personal data is imperative to fulfilling basic obligations towards children under the law and avoiding any sanctions.

 

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it starts to apply. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

The ICO has fined three companies for nuisance marketing

The ICO has fined three companies for a total of £415,000 due to nuisance marketing practices after receiving several complaints.

 

The ICO has fined three companies a total of £415,000 for nuisance marketing. Colour Car Sales Limited, Solarwave and LTH Holdings were fined for various offences, including unsolicited calls and spam text messages. Many of the individuals receiving phone calls complained that they were registered with the Telephone Preference Service (TPS) and should not have been receiving them. In all cases, the companies lacked the valid consent required to send direct marketing to the recipients. This is a violation of the Privacy and Electronic Communications Regulations (PECR). Under the PECR, the ICO has the power to impose a fine of up to £500,000 for violations of privacy rights in relation to electronic communications.

 

Colour Car Sales Ltd was found to have been sending spam text messages directing people to various car finance websites.

 

A credit intermediary for used car finance, Colour Car Sales Limited of Stoke-on-Trent, was found to have sent numerous spam text messages between October 2018 and January 2020. These messages directed recipients to various car finance websites. Several of the recipients complained to the ICO. This was a violation of regulation 22 of the PECR. Regulation 22 applies to the transmission of unsolicited communications by electronic mail (which includes text messages) to individual subscribers. It prohibits sending or instigating unsolicited direct marketing by electronic mail unless the recipient has consented, or unless the contact details were obtained from the individual in the course of a sale or negotiations for a sale of a similar product or service, and the recipient was given a simple, free means of refusing the use of their contact details for those purposes, both at the time of collection and in every subsequent message.

 

Solarwave Ltd was fined for making unsolicited marketing calls about solar panel maintenance to people registered with the TPS.

 

Solarwave Limited, a solar energy company in Grays, Essex, was found to have made over 73,000 unsolicited marketing phone calls between January and October 2020. These calls were made to people who should not have been receiving them at all, as they were all registered with the Telephone Preference Service (TPS). The TPS register lists individuals who have opted out of receiving unsolicited marketing calls, and it is imperative that marketers screen against it so as to avoid violating that right. Various complaints were made against the company, claiming that it repeatedly called people and even ignored requests to stop. The company was found to have violated regulation 21 of the PECR. Under regulation 21, unsolicited direct marketing calls must not be made to a number registered with the TPS unless the subscriber has notified the caller that they do not object to receiving such calls.

 

Over the course of a year, LTH Holdings was found to have been making unsolicited calls selling funeral plans to people who are registered with the TPS.

 

LTH Holdings, a telephone marketing company from Cardiff, made 1.4 million calls between May 2019 and May 2020. The ICO received 41 complaints against the company and reported that its marketing techniques had become persuasive, aggressive and coercive, which raised serious concern. Of particular concern was that the target market may have included people who tend to be more vulnerable. LTH Holdings was also found to be in violation of regulation 21 of the PECR. Under regulation 26 of the PECR, the Commissioner maintains a register of numbers belonging to subscribers who have notified that they do not wish to receive unsolicited marketing calls. The TPS is a limited company that maintains this register on the Commissioner's behalf. Businesses wishing to make direct marketing phone calls can subscribe to the TPS for a fee and screen their calling lists against the current register to ensure that they stay within the regulations.

 

The companies were fined a total of £415,000 for the various offenses.

 

After receiving several complaints against the three companies, the ICO issued enforcement notices ordering them to stop marketing until valid consent has been obtained. A fine of £170,000 was imposed on Colour Car Sales Limited for the spam text messages, while Solarwave and LTH Holdings were fined £100,000 and £145,000 respectively for making unsolicited phone calls. This makes a total of £415,000, which the ICO will be working to recover from the three companies. Under the PECR, the ICO has the power to impose a fine of up to £500,000 on an individual company.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Children’s Code - transitionary period

Children’s Code transitionary period ends in less than 6 months

The children’s code transitionary period, which saw its inception on 2nd September 2020, ends in less than 6 months. All online services are expected to be in compliance with this code by September 2021. 

Last year, we reported that the Children’s Code, then known as the Age Appropriate Design Code was about to come into effect on September 2, 2020. Since then, we have been in a transitionary period during which all online services are expected to come into compliance with this code. The ICO has just released a statement urging businesses to ensure that they are in full compliance by the end of this transitionary period, in less than 6 months. 

This code is a statutory code of practice laying out 15 standards which are aimed at ensuring children’s best interest online.

The Children's Code lays out 15 standards to ensure that children's best interests are at the forefront. These standards cover the best interests of the child, data protection impact assessments, age-appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimisation, data sharing, geolocation, parental controls, profiling, nudge techniques, connected toys and devices, and online tools. During this transitionary period, online services are expected to take steps to bring their services into full compliance with the code, ensuring that all the standards are considered and that their services support the rights of the child.

This code applies to any online product or service likely to be accessed by children and is not limited to only those aimed at children.

This code applies to every online service that is likely to be accessed by children. This means that not only services made for children, but every service that children may access, will need to come into compliance. Online services may take a risk-based approach to establishing the age of their individual users, to ensure that the standards in the code are applied to child users. Unless the age of individual users can be established with an appropriate level of certainty, the code should be applied to all users of the service.

The ICO has launched initiatives to gauge businesses' readiness for compliance with this code, as well as to educate and raise awareness on the topic of the Children's Code.

The ICO recently conducted a survey to gauge general understanding of the Age Appropriate Design Code. Some 500 services took part, and the findings so far show that about 75% of businesses are aware of the code. The ICO has set up the Children's Code hub, with a range of resources to help organisations understand the code and determine whether they fall within its scope. The regulator has also been holding webinars and will host a workshop at the Festival of UX and Design 2021 to raise awareness within the design community and explain how the code can be applied to innovative projects. The ICO has also launched a call for transparency champions: organisations designing projects that present privacy information in a way tailored to children's understanding.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Children's Code once it takes effect. Aphaia's data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Aphaia provides GDPR adaptation consultancy services and CCPA compliance, including EU AI Ethics assessments. Contact us today.