Why your privacy notice needs attention

Transparency is one of the most basic tenets of the General Data Protection Regulation (“GDPR”). Through privacy notices, it allows individuals to be informed of what businesses do with their data, and how and why they use it.

It is not surprising that awareness of data protection rights is growing in this digital age. More people are demanding to know how businesses are using their personal data. However, the shift away from traditional methods of processing personal information, together with organisational complexities, presents challenges to ensuring privacy notices are as clear and detailed as the rules set out in the EU and UK GDPR require.

A recent example of such a challenge can be seen in WhatsApp’s new privacy policy. The proposed update sparked privacy concerns amongst users that led to a backlash. High-profile figures, including Elon Musk (Chief Executive Officer of SpaceX and Tesla), encouraged the public to switch to social messaging rivals such as Signal, which offer users more privacy features. The outcry was caused by an ultimatum issued by WhatsApp to its users, in which WhatsApp intended to reserve the right to share the data it collects about its users with the broader Facebook network. This raises privacy concerns because Facebook shares data with the United States Government for surveillance purposes, violating fundamental rights to privacy.

As a result, WhatsApp has issued several statements to reassure the public that only specific information will be shared with its parent company, Facebook. WhatsApp needed to issue such statements because its new privacy policy did not differentiate between personal and business accounts. Had WhatsApp clearly explained in its new privacy policy that personal messages would not be affected by the update, it would have avoided misunderstandings. However, by this point over 800,000 new users had signed up to Signal, an increase of almost twenty times the number of new accounts from two days prior.

The re-issued statement clarified that the aim of the new privacy policy is to address business accounts and the new e-commerce features hosted by Facebook, such as Shops, a new feature within the app where businesses can display their goods. This means that the new privacy policy does not impact consumers’ chats with friends or family.

If users choose to interact with businesses that use those features, their data could be shared with Facebook to personalise users’ experience and ads. Examples of the type of data are:

  • IP addresses;
  • Account registration details (e.g. phone number); and
  • Transaction data, service-related information and the way users interact with others using WhatsApp’s services.

The privacy concerns arising from WhatsApp’s new privacy policy are not unfounded. WhatsApp tracks what you do; although it does not have access to the content of users’ chats, it tracks other information such as users’ location, the duration of the chat and who the users are chatting with. Users should also think twice before agreeing to back up their chat history on Google Drive or iCloud, because that is where the end-to-end encryption WhatsApp is so famously known for stops. It therefore comes as no surprise that Ireland’s Data Protection Commissioner has issued a draft penalty under which WhatsApp could be facing a fine of between €30m and €50m for not living up to transparency requirements under the GDPR.

What can businesses take from this?

  1. Businesses need a proactive approach to drafting and presenting their privacy notices.
  2. Businesses should foster trust with customers by being clear and transparent about what personal information is being processed and how. The GDPR sets out the type of information of which businesses need to inform their users.
  3. Businesses that use third-party hosted services should understand the implications of those services’ new privacy policies, inform customers of the changes and update their own privacy notices.

How can you achieve transparency in your privacy notices?

  • Avoid using words such as “may”, “might”, “some”, “often”, etc., as they are purposefully vague.
  • Use headings to structure information clearly.
  • Consider the multiple channels through which your privacy notice could be communicated, such as email, social media posts and website notices.
  • Use a variety of techniques to convey key privacy information (e.g. using a layered approach, videos, images or an automated phone system).
  • Establish different privacy notices for different types of service offerings.
  • Have a clear privacy tab and FAQ on your website, not a link at the bottom of a web page.

It is vital to understand that both your company’s privacy policy and how it handles personal data can have a real impact on brand reputation and on product and service sales. Failure to get these right can result not only in heavy fines imposed by your local data protection authority but also in loss of sales to competitors. Taking a clear stance on data privacy early on is better than scrambling to recover later. It also prevents misunderstandings amongst customers about how your company is handling their personal data, thus avoiding reputational damage.

Get in touch

Please get in touch directly with Ann Lee, a Data Privacy Consultant or drop an email to the privacy team for more information at privacy services or visit privacy and data protection.