The Privacy Commissioner, John Edwards, has told businesses that it's "time to raise your game" and improve the transparency of their privacy practices.
In a recent blog post, the Commissioner sends a clear message that he expects businesses to do more to make sure customers are aware of how their information is being collected and used, especially when the new Privacy Bill becomes law next year.
Common practice is to tell customers how their personal information is handled in a privacy policy, which might be on a website, in an app, and often "agreed to" via a tick box when purchasing products or services.
A privacy policy serves two key legal purposes:
1. It tells people what personal information you are collecting, why, and what you will do with it. This is because the Privacy Act says that agencies need to take "reasonable" steps to ensure people are aware of these things
2. In some situations, if you need broader rights to use or disclose personal information than would normally be legally allowed, a privacy policy can serve as authorisation of those broader rights. This is because the Privacy Act says that when you collect personal information from someone for one purpose, you can only use it for that purpose. There is an exception to this rule where you believe on "reasonable" grounds that the person authorises you to use or disclose their information for something else.
It's important to note that in both situations, you need to do what is "reasonable".
In practice, probably very few people actually read privacy policies in full before ticking "I agree". And if they do choose to read it, they'll probably need around 15-18 minutes' time to spare, and at least a university reading level.
Because of this issue, the Commissioner says that simply putting this information in a privacy policy, and asking customers to click to agree, is not necessarily "reasonable". Instead, he will be looking for evidence that customers have read and understand what is in a privacy policy, and that any authorisation from individuals is genuine and informed.
In our view, this is most likely to come up where the privacy policy is complex, or deals with information uses that are unexpected or unfair.
For example, even without reading a privacy policy, customers will expect businesses to use their personal information to provide them with the products and services that they sign up for. But they probably don't expect their information to be sold to someone else, or for their information to be used by sophisticated tracking and targeting tools on an identifiable basis.
For businesses treating personal information in a way that would be expected, it's unlikely that the Commissioner will take issue with a click-to-agree privacy policy. However, where the policy includes something unexpected, or an "authorisation" for something beyond what would otherwise be permitted by the Privacy Act, the Commissioner has signalled a higher standard.
Although the Commissioner's blog post presents this as a change, we don't think that it is really a shift in the law, or how it is interpreted. The obligations to be reasonable are already in the current Privacy Act, and it's already difficult to enforce unexpected or onerous clauses in standard terms, especially for consumer products and services.
However, we do think this means that the Commissioner will be paying closer attention to these issues, and intends to use his expanded powers under the Privacy Bill to take a stance on this issue. For example, under the Bill, the Commissioner will be able to issue compliance notices, to require agencies to make changes where their privacy practices are not up to scratch.
We think now is a good time for all organisations to review their privacy policies and consider:
- Are they clear and easy to understand?
- Are they presented in a way that encourages people to read them?
- Is there anything unexpected in there that should be brought to people's attention more prominently (eg via a separate tick box)?
- Can you increase customer control over their personal information in some other way (eg using features of "privacy by design")?
Answering these questions will go a long way towards meeting the "reasonable" criteria, and help businesses get ready for when the Bill becomes law in early 2020.
This article was written by Allan Yeoman and Keri Johansson for the NBR (October 2019).
