We're watching you...
Personal information is often one of the most important assets of a business. It can help a business analyse and enhance its offering by understanding how users interact with products, services and websites. A business may also generate revenue by selling its information to advertisers. You only need to look at the price Facebook paid for WhatsApp ($19 billion) to understand that personal information means big money for businesses.
However, such activities are not outside the law. The Data Protection Act 1998 ("DPA") sets out eight underlying principles which a business must comply with in collecting and using personal information. The first principle is that personal information is processed fairly and lawfully. But what does fair and lawful processing mean?
The Legal Requirements
Secondly, processing must meet one of the conditions listed in the DPA to be fair and lawful. One condition that is routinely relied on is obtaining a data subject's consent to the processing. We see examples of businesses aiming to meet this condition when they gain consent to collect and use personal information for a specific activity through a "tick box" or an acceptance button on their websites.
"Consent" has not been defined under the DPA, although the European Data Protection Directive, on which the DPA is based, states that consent to the processing of personal information must be "freely given specific and informed".
Data Protection vs Privacy Erosion
The battle continues between businesses, which require more of our personal information to be innovative, seamless and user-friendly, and the rigorous, inhibitive and potentially outdated data protection laws. To avoid a constant challenge from regulatory authorities, it is imperative for businesses to be open and clear with their users about who they are and why and how they process personal information. The message is clear – get this wrong and it can be expensive for a business, both in the financial penalties that may arise and the reputational damage it can cause.
For further information on this matter or data protection generally, please contact Noor at email@example.com.