
Regulators increase focus on website compliance

30 January 2014

A number of recent activities by regulators in Australia, the United States of America, Canada, the EU and the UK demonstrate the need for website terms and privacy policies to not only 'say what you do' but, more importantly, 'do what you say'!

A number of lessons can be learned from the regulators' increased interest in compliance standards on websites, namely:

  • ensure that someone in the business has responsibility for regularly reviewing and keeping up-to-date website compliance
  • ensure that your website Terms and Conditions and Privacy Policies are your own and accurately reflect how you run your business, comply with applicable laws and manage personal data
  • periodically and regularly assess your business practices including outsourcing and cloud usage against publicly available statements that you make on your website to ensure that you not only 'say what you do' but also 'do what you say'
  • ensure that your registration or filings with regulators are accurate and kept up-to-date and be aware of new laws or changing laws in jurisdictions where you carry on business both physically and online.

During 2013 the Office of the Australian Information Commissioner released the results of a 'privacy sweep' of approximately 50 websites as to their compliance with accessibility, readability and content in terms of their Privacy Policies. 

This 'privacy sweep' was part of a global initiative with regulators from the EU and Canada, and in general the results were that many Privacy Policies were ambiguous, written in confusing language and in some cases described privacy practices that did not specifically relate to the nature of the website business or indeed its data collection activities.

An EU wide screening in 2013 of 330 websites selling digital content (such as books, music, films, videos and computer games) across the European Economic Area revealed some significant non-compliance.

The European Commission 'sweep' was intended to assess whether:

  • information on the key characteristics of the content was obvious and not hidden in small print
  • the provider's contact details were made easily available to consumers and the website had in place fair and lawful terms and conditions.

Of the 330 websites, 172 were found to be non-compliant and as a consequence were contacted by the European Commission with a view to ensuring that compliance was put in place.

The typical areas of non-compliance were:

  • lack of mandatory information by law such as the name and address of the website owner, the method by which they could be contacted and a complaints and dispute resolution mechanism
  • unclear or unfair legal terms and conditions
  • unclear or confusing information about how purchases could be cancelled, goods could be returned and general rights of rescission.

In 2013 the UK Office of Fair Trading carried out an investigation into how online businesses used consumer information to influence online activity and highlighted that transparency and the ability for consumers to opt out of the collection of information is "crucial to developing and maintaining trust in online markets".

The investigation by the Office of Fair Trading found that consumers were not presented with simple options to either opt in or opt out of the use of cookies, nor were online businesses fully compliant with consumer laws, accessibility laws and rules on online behavioural advertising.

Since May 2012 the UK Information Commissioner's Office has promoted a reporting system to enable consumers to report the way in which websites did or did not post transparent cookie information in Privacy Policies and has published names of websites that have been under review.

Finally, the Federal Trade Commission (FTC) in the United States of America has just settled with 12 companies falsely claiming to comply with the international Safe Harbor privacy framework. 

The investigation by the FTC followed complaints that websites of a number of businesses in the retail, accountancy, professional sports and technology sectors were deceptively claiming that they held current certifications under the US - EU Safe Harbor framework and/or under the US - Swiss Safe Harbor framework.

In a number of cases the websites concerned were claiming in their privacy policies that they were in compliance with Safe Harbor and were using the Safe Harbor logo at times when their Safe Harbor certifications had lapsed. It appears that in all cases the misrepresentations made by these businesses were the result of poor administration.

For more information please contact Robert Bond, Partner

T: +44 (0)20 7427 6660