Data privacy digest series
Why is data collected from websites?
Businesses use websites to collect data from users for a variety of reasons. Generally this will be to enhance the user experience, by allowing the business to personalise website content, target advertisements and optimise website functionality. Data may also be collected for security purposes, to verify the identity of a user or to detect and mitigate fraudulent activity, or to allow users to access services online and to carry out e-commerce activities.
The data that is collected may range from personal information such as names and email addresses to technical information such as IP addresses and device information, or to user generated content such as comments and complaints submitted on website forms.
How are websites used to collect data?
Websites use various techniques to collect data from users, including through:
- Cookies and similar technologies: cookies are small text files which are stored on a user's device when they access a website to allow it to recognise the user's preferences and past actions. Similarly, a website may contain tracking pixels which are invisible images or scripts embedded within the website page that record user actions, such as the time and location that the website was accessed.
- Text boxes or forms: which allow users to enter data in order to register their account, complete surveys or contact the website operator.
- Third party services: such as Google Analytics which allow website operators to collect data on website usage patterns.
Some of these techniques will be obvious to the user (text boxes or forms, for example) and some, such as cookies, may be less so.
Key considerations when collecting and processing website data
Where the data collected from users on your website involves personal data you must ensure that this collection and any further processing is compliant with the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) (together referred to in this article as the UK Data Protection Laws). In particular:
- Lawfulness, fairness and transparency: you must collect and process personal data lawfully and must not obtain this information without the knowledge of the user. Your website must inform users about how their data will be collected and stored, how it will be used and who will have access to it. This information should be easily accessible through privacy policies and cookie notices.
- Cookies: you must obtain consent from users before collecting data when using cookies. Consent must be freely given, specific and informed and it must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the user must fully understand that they are giving you consent. This can be achieved through cookie banners or pop-ups that allow users to accept or decline cookie usage.
- Data minimisation: your website must only collect the data which is necessary for the purpose specified by the website and nothing further. You must avoid gathering excessive or irrelevant information to reduce risks and to ensure compliance with the UK Data Protection Laws.
- Storage limitation: you must not keep personal data for longer than is necessary for the purpose for which it was collected. Retention policies should be established to ensure that personal data is not kept longer than necessary and is erased after a set period of time.
- Security: you must ensure that personal data collected on the website is protected against unauthorised or unlawful access and against accidental loss, destruction or damage, by implementing robust security measures such as encryption, security audits and secure data storage practices.
- User rights: you must ensure that data collected on your website is accurate and kept up to date, and any inaccuracies identified must be rectified without delay. Websites should allow users to notify you of any errors or updates which need to be made, and to delete their data if it is no longer required.
Practical steps to take
To manage the data on your website effectively and comply with UK Data Protection Laws, you should take a number of practical steps:
- Conduct a data audit: you should review all data collection and processing activities relating to your website to identify what data is being collected, how it is used and where it is stored in order to identify any potential areas of non-compliance.
- Privacy and cookie policies: you should ensure that your website contains privacy policies and cookie policies that clearly explain the types of data that are collected on the website, how that data is collected and stored, and who it may be shared with. These policies must be in plain English, easy to understand, and accessible to users.
- Cookie banners: you should ensure that your website contains a cookie banner or pop-up which gives users control over the cookies used on the website. The banner or pop-up must contain an option to accept or reject each of the cookies used on the website. Any option to reject cookies must be presented with equal prominence to the option to accept cookies, and must not be presented in a way that persuades the user to choose one over the other. If the reject-all option is discouraged, consent may not be freely given or may be invalidly obtained.
- Regular review: you must continuously review and update the data collection and processing practices relating to your website to ensure that they reflect the current usage of the website and are up to date with current legislation and industry standards.
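As an added example (not from this article, and not the code of any regulator or vendor), the following JavaScript consent-gating module illustrates the cookie consent and cookie banner points above: non-essential cookies and trackers are blocked until the user makes an explicit choice, "reject all" is a single action exactly as "accept all" is, refusing a category withdraws it and purges its cookies, and a recorded consent expires after a validity period so the user is asked again. The category names, the six-month validity period, the in-memory cookie store standing in for document.cookie, and the cookie names used in the walk-through are all constructed assumptions for this example, not requirements stated by the article.

```javascript
// Added example: a consent-gated cookie and tracker loader.
// Assumptions (constructed): three cookie categories, a pluggable cookie store so the
// code runs outside a browser, and a six-month validity period for a recorded consent.

const CATEGORIES = Object.freeze({
  necessary:   { essential: true,  description: "Session and security cookies" },
  analytics:   { essential: false, description: "Usage statistics (e.g. a third-party analytics service)" },
  advertising: { essential: false, description: "Advertising and tracking pixels" },
});

const CONSENT_VALIDITY_MS = 182 * 24 * 60 * 60 * 1000; // ~6 months, a constructed retention period

function nonEssential() {
  return Object.keys(CATEGORIES).filter((c) => !CATEGORIES[c].essential);
}

class ConsentManager {
  constructor(cookieStore, now = () => Date.now()) {
    this.store = cookieStore; // { set(name, value, category), delete(name), names(category) }
    this.now = now;
    this.record = null;       // no record means no consent for any non-essential category
    this.pending = [];        // trackers deferred until the user consents to their category
  }

  // Accept and reject are one call each: refusing is exactly as easy as agreeing.
  acceptAll() { return this.recordChoice(Object.fromEntries(nonEssential().map((c) => [c, true]))); }
  rejectAll() { return this.recordChoice(Object.fromEntries(nonEssential().map((c) => [c, false]))); }

  // Records an explicit, per-category choice from the banner. Scrolling or continuing to
  // browse never calls this: every non-essential category needs a true/false decision.
  recordChoice(choices) {
    const granted = {};
    for (const c of nonEssential()) {
      if (typeof choices[c] !== "boolean") throw new Error(`explicit choice required for '${c}'`);
      granted[c] = choices[c];
    }
    this.record = { granted, at: this.now() }; // timestamp kept as evidence of when consent was given
    // Withdrawal: remove cookies belonging to categories the user has now refused.
    for (const [c, ok] of Object.entries(granted)) if (!ok) this.purge(c);
    // Run deferred trackers whose category is now permitted; keep the rest waiting.
    this.pending = this.pending.filter(({ category, load }) => {
      if (this.isAllowed(category)) { load(); return false; }
      return true;
    });
    return { ...granted };
  }

  isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown category '${category}'`);
    if (CATEGORIES[category].essential) return true;
    if (!this.record) return false;
    if (this.now() - this.record.at > CONSENT_VALIDITY_MS) return false; // stale consent must be re-asked
    return this.record.granted[category] === true;
  }

  // The only path by which site scripts set cookies; refused for non-consented categories.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.store.set(name, value, category);
    return true;
  }

  // Registers a tracker: loads immediately if its category is allowed, otherwise waits.
  loadWhenAllowed(category, load) {
    if (this.isAllowed(category)) { load(); return true; }
    this.pending.push({ category, load });
    return false;
  }

  purge(category) { for (const n of this.store.names(category)) this.store.delete(n); }

  // True when the banner should be shown: no record yet, or the record has expired.
  needsPrompt() { return !this.record || this.now() - this.record.at > CONSENT_VALIDITY_MS; }
}

// In-memory stand-in for document.cookie so the example runs under Node.
class MemoryCookieStore {
  constructor() { this.cookies = new Map(); }
  set(name, value, category) { this.cookies.set(name, { value, category }); }
  delete(name) { this.cookies.delete(name); }
  names(category) { return [...this.cookies].filter(([, v]) => v.category === category).map(([n]) => n); }
  has(name) { return this.cookies.has(name); }
}

// Walk-through with constructed cookie names and a fake clock.
function demo() {
  const store = new MemoryCookieStore();
  let clock = 0;
  const cm = new ConsentManager(store, () => clock);
  const events = [];
  cm.setCookie("session_id", "abc", "necessary");                  // essential: always allowed
  cm.loadWhenAllowed("analytics", () => events.push("analytics loaded")); // deferred
  cm.setCookie("_ga", "1", "analytics");                           // refused: no consent yet
  const before = { ga: store.has("_ga"), loaded: events.length };
  cm.recordChoice({ analytics: true, advertising: false });        // explicit per-category choice
  cm.setCookie("_ga", "1", "analytics");                           // now permitted
  cm.setCookie("ad_id", "x", "advertising");                       // still refused
  const after = { ga: store.has("_ga"), ad: store.has("ad_id"), loaded: events.length };
  cm.rejectAll();                                                  // withdrawal purges analytics cookies
  const afterReject = { ga: store.has("_ga"), session: store.has("session_id") };
  clock = CONSENT_VALIDITY_MS + 1;                                 // consent record has aged out
  return { before, after, afterReject, stale: cm.needsPrompt() };
}
```

In a real site the store would wrap document.cookie and the loaders would inject the analytics or advertising script tags; the point is that nothing outside the necessary category runs or writes a cookie until recordChoice has been called with an explicit decision, and that rejection and withdrawal are as cheap for the user as acceptance.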
What are the risks?
The UK Information Commissioner's Office (ICO) has released a statement warning that it is actively looking for harmful practices on websites. The ICO has stated that it will not tolerate practices which undermine a user's control over their personal data, or which use language that suggests there is a right or wrong decision in relation to privacy policies.
Failing to comply with the requirement to manage the data on your website in a compliant way can be costly. The ICO has the power to impose fines up to £17.5 million or 4% of an organisation's annual global turnover, whichever is higher. The ICO may also impose fines up to £500,000 for serious breaches of the PECR.
Our data protection specialists are able to advise on and assist with the practical steps required to ensure that your website is compliant. If you would like more information, please contact us.