
Privacy notices: ICO consults on revised code of practice

The ICO has revised its privacy notices code of practice with the aim of helping organisations to make privacy notices easier to understand in the eyes of the public.

Compliance with the GDPR

The requirement to ensure individuals have a clear understanding of what is done with their personal data is a fundamental point of the Data Protection Act. However, the ICO has developed the fresh guidance with one eye on the enhanced requirements in the forthcoming EU General Data Protection Regulation (GDPR).

One of the key components of the GDPR is an increased emphasis not just on when and where privacy information is provided, but how clearly that information is communicated.

Specifically, the GDPR makes reference to the need for privacy information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

ICO recommendations

The ICO is concerned that privacy notices are often "too long, overly legalistic, uninformative and unhelpful" and that individuals are "instantly put off" when they see lengthy notices. As such, too many individuals are simply ignoring information about how their personal data is processed.

The ICO hopes that organisations can provide information in a "clear and engaging way" by complying with the recommendations in its code of practice. These include:

  • Adopting a "layered approach". The ICO wants organisations to provide key privacy information immediately, with more detailed information available elsewhere for those that want it. At present many organisations include all the information together in a single document or body of text, which is often hard to navigate. 
  • Using "just-in-time notices". Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used. For example, a notice may pop up telling an individual why their email address is needed when they are filling out an online form. The ICO also recommends greater use of symbols, icons and multimedia to help make information more accessible as a part of a layered approach.
  • Mobile devices. There are recommendations to help organisations ensure information is clear and readable on smart phones and tablets, where screen space is reduced considerably. The ICO again proposes adopting a layered approach and condensing key points into just-in-time notices or other multimedia formats.
  • Third party consent. The ICO has produced a best practice standard wording for organisations to use when seeking consent for marketing, which the ICO has tested with members of the public.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.
