legal documentation ebook

Legal Documentation – who cares? Why your business needs legal documentation right now!

Terms and Conditions

Upload: appyoffer

Post on 21-Jan-2017


Page 1: Legal documentation ebook



Legal Documentation - Who Cares? 2

Contents

Introduction

Limiting your liability

Sabotaging your business

Cookie Policy

List of relevant government policies

Conclusion

Terms and Conditions


Introduction

Do you think legal documentation is irrelevant to your business? Think again. We all think we can manage to ignore certain aspects of the ‘boring stuff’ until it’s too late.

We are all told it is relatively cheap and easy to set up an online business, but does anyone ever say that it is essential to make legal documentation a part of your set-up costs? We would hazard a guess that such a conversation is rare. So, if you find yourself with a website and no legal documentation, read on and see why you need to amend that as a matter of urgency.

The major types of documentation you are likely to need are:

• Website terms and conditions

• Cookies Policy (with notification)

• Privacy policy

The main reasons for having these are that:

a) Compliance with the law is not negotiable

b) Limiting your liability is essential

c) Staying ahead of the competition by protecting your business and increasing its value

d) Making business easier online with the correct legal documents in place

e) Building visible trust online.

You are probably not alone if you are not in possession of these basic documents.

So if your cage is rattled and you need to attend to your website’s legal documentation, even if you aren’t selling online directly, then this booklet will help you understand the situation and then make the changes easily and quickly.


Limit your liability

If you have to ask yourself the question, “Does my organisation engage in data processing?” the answer is “quite probably.” How do we know that? Well, any marketing or sales analysis you do based on information collected from customers is classified as data processing. It may seem like a simple, innocent and everyday practice but its official title is ‘data processing’ and that comes with a set of responsibilities.

Think about it this way, you would hope your data is protected when you give it to online companies. How annoyed would you be if you knew it was being sold on to unscrupulous companies or misused in some way?

Article 2(b) of the Data Protection Directive (95/46/EC) defines processing of personal data as any operation performed on it, which includes:

collecting, retrieving, recording, organising, storing, disclosing and making available data.

New EU legislation is about to tighten the screw on unauthorised uses of customer data, meaning, in practice, any use for which the customer did not give unambiguous consent and that you cannot otherwise justify.

We should all be vigilant about which third parties we pass on the data with which we have been entrusted. Be aware of its intended use, and if you are selling database information be sure that the buying organisation is registered with the ICO. Processing or selling personal data without the ICO registration (‘notification’) that the Data Protection Act requires can constitute a criminal offence. That is not surprising if you give it just a little thought.


There is an infamous case that clearly illustrates the problems: Google Spain SL v Agencia Española de Protección de Datos, decided by the Court of Justice of the EU in 2014.

This case demonstrated how a corporation can be held responsible for the way it processes an individual’s data even where it merely indexes what someone else has published. Google’s search engine spiders, in the automatic process of indexing websites and connecting them with what it deems their keywords and subject, picked up an unflattering article about the original complainant, Mario Costeja González.

When his name was searched on Google, pages appeared from the La Vanguardia newspaper announcing a real estate auction, the result of proceedings to recover social security debts owed by Mr Costeja González. He argued that this was a misuse of his personal information. The complaint against La Vanguardia was rejected, because the newspaper had published the information lawfully, but the complaint against Google was upheld. Google appealed, the Spanish court referred the question to the Court of Justice of the EU, and the Court ruled that a search engine operator is a data controller and can be required to remove such results from searches made on a person’s name.

While this finding by the European Court of Justice was an unusual event, it set an important legal precedent. There is increased scrutiny, and companies have an increased responsibility to account for all the uses to which personal data is put under their watch. They should also take measures to prevent emotional or financial damage to the individuals concerned. If not, they lay themselves open to civil lawsuits as well as punitive fines once the General Data Protection Regulation (GDPR) applies from May 2018.

The problem is, of course, that even when results are removed from search engines within the EU you can still access them elsewhere: anyone specifically looking for something can simply search via a non-EU version of the site. That is why people have started asking whether such removals should apply universally rather than only on EU domains.


So, think about whether your terms and conditions and your privacy statement cover every contingency, whether someone claims an infringement of his or her rights or a breach occurs. These legal documents will need updating soon to remain compliant with the new provisions of the GDPR, so there is no time like the present to put your house in order and organise or implement your legal documentation.

Any website that collects a customer’s financial data lays itself open to responsibility if that data is used for identity fraud. Any website collecting personal data such as medical or relationship history is also potentially problematic. Even fitness levels are now causing some outrage, because a number of US employers have started a trend of providing healthcare perks in return for workers submitting to fitness tests. The results are then submitted as a ‘random, anonymous sample’ for data analysis by specialist companies such as 23andMe in Mountain View, California. Castlight, based in San Francisco, offers employers predictions as to the probability of workers getting pregnant or requiring expensive surgery, based on healthcare searches and insurance claims made through its app.

So what might happen if a company fired an employee who disclosed a health problem? You’d be facing quite a costly lawsuit. It’s one thing collecting data but if you choose to make use of it you need legal documentation in place and permissions too.


If all that is not enough to scare you into doing your due diligence, this story of an ICO raid on a house in Sheffield should persuade you that illegal data usage is a real threat. The organisation under suspicion emailed countless companies and institutions offering to buy and sell databases – including, rather ironically, the ICO! But it was doing so without being registered with the ICO. Not only this, but it was planning to sell the data to companies which would use the information to make nuisance calls.

It is so easy to inadvertently violate data protection regulations. So protect yourself now.


Don’t Sabotage your Online Business by Neglecting Your Legal Documentation

Before you start operating an e-commerce business you need to cover your legal bases, for data processing activities as well as for the terms and conditions of sales and operations.

Are you using cookies on your website? If you don’t already know, cookies are small text files that a website stores on a user’s device and reads back on later visits, recording things such as their login state, preferences or browsing habits. If you do use them you have to inform visitors that this is happening. If you are passing their data on to a third party, you need to obtain their consent and explain your reasons for doing so. You would expect someone to do that for you, so your responsibilities should be the same.

The official guidelines on so-called ‘privacy notices’ (or, in the simpler terms advised for customers, ‘How we will use your information’ notices) are complex. Even after wading through them you are not guaranteed a bulletproof legal defence if personal information is abused in any way.

You are obliged to tell the user or subscriber (where the two differ, the preference most recently recorded or indicated applies) what you intend to do with their data. If you are only storing data, your duties are quite straightforward. Chances are, though, that you will want to do some analysis, and any form of ‘data processing’ must meet one of the conditions laid out in Schedules 2 and 3 of the Data Protection Act 1998.

The commercially relevant conditions come first. The first is that the processing is necessary in relation to a contract the individual has entered into or wants to enter into. The second is that it serves your ‘legitimate interests’, in that it is legal and will not have a disproportionately adverse effect on the individual. The third is that they have ‘consented’ to the processing. Under the General Data Protection Regulation, an EU-wide initiative that applies from May 2018, this becomes stricter: you must identify the ‘legal basis’ for each processing activity and tell the individual what it is. Consent is only one of those bases, and a weak one unless you can show it was freely given and can be withdrawn.

Say a debt collection agency hired to recover social security debts routinely sold information on the individuals it ‘serviced’ to a company offering high-interest short-term loans, which then bombarded those individuals with phone calls. The idea that this served the agency’s ‘legitimate interests’ is contentious, and if it had not sought the individuals’ consent it could be breaking the law. This is an extreme example, but the same thing can occur on a much smaller scale.


Want a Cookie?

The guidance on notification of cookie usage states that you have to ask permission before placing cookies or similar tracking technologies on users’ devices, with specified exemptions. You must also explain what they are there for, and naturally that they are in fact there. Consent must involve an affirmative action, but it need not be explicit unless the personal data or subject matter is sensitive.

Many firms engage in the practice of ‘remarketing’. This is where an individual’s consumer preferences or purchases, or simply sites or products they have browsed, are recorded. Afterwards adverts for related products stalk people as they browse around the Internet. While a highly effective method of swaying the undecided consumer, if the site recording the data has not informed website visitors in some capacity this is commercial exploitation. Their browsing activity is not a company’s right to exploit. Without asking explicit permission companies may end up in a questionable legal position.


Cookie rules

The rules on cookies are in regulation 6 of the Privacy and Electronic Communications Regulations (PECR). The basic rule is that you must:

• tell people cookies exist on your site;

• explain what the cookies are doing and why;

• get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. Bear in mind, however, that a device may well be used by different people. If there is likely to be more than one user, consider repeating this process at suitable intervals.

What else is covered, apart from cookies?

Although this guide focuses on cookies, regulation 6 actually applies to anyone who stores information on a user’s device or gains access to information on a user’s device, by any method.

This means the same rules apply to any similar technologies – such as Local Shared Objects (sometimes called Flash cookies) – and can also cover other types of technology, including apps on smartphones, tablets, smart TVs or other devices.

These rules also outlaw spyware or any similar covert surveillance software that downloads to a user’s device and tracks their activities without their knowledge.


Are there any exemptions?

There is an exemption if:

• the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

• the cookie is strictly necessary to provide an ‘information society service’ (e.g. a service over the internet) requested by the subscriber or user. Note that the cookie must be essential to fulfil their request: cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, still require consent.

However, you are unlikely to need consent for:

• cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;

• session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – e.g. online banking services;

• load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.
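The rules and exemptions above translate directly into a gate in front of whatever code sets cookies. The example below is added here and is not part of the ebook: it models a hypothetical shop’s cookies, classifies them into the three exempt categories listed above versus everything else, stores non-exempt cookies only after an affirmative consent action, records when consent was taken, and purges consented cookies again when consent is withdrawn. The cookie names, categories and the in-memory jar are constructed for the example; a real site would wire the same gate to `document.cookie`, `localStorage` or its app’s storage.

```javascript
// Added example (not from the ebook): gating cookie storage on consent.
// Categories follow the regulation 6 split summarised above: cookies that
// are strictly necessary for the service the user asked for are exempt;
// everything else is stored only after an affirmative action.

// Constructed catalogue of the cookies a hypothetical shop sets. Declaring
// a purpose for each is what lets the site explain what the cookies do.
const COOKIE_CATALOGUE = [
  { name: 'sid', category: 'security', purpose: 'authenticated session' },
  { name: 'basket', category: 'basket', purpose: 'items added to the basket' },
  { name: 'srv', category: 'load-balancing', purpose: 'sticks the visitor to one server' },
  { name: '_ga', category: 'analytics', purpose: 'usage statistics' },
  { name: 'remarket', category: 'advertising', purpose: 'retargeting adverts' },
];

// The three exemptions listed above. Anything not here needs consent.
const EXEMPT_CATEGORIES = new Set(['security', 'basket', 'load-balancing']);

function isStrictlyNecessary(cookie) {
  return EXEMPT_CATEGORIES.has(cookie.category);
}

// Consent record. Nothing at page load sets `given`; only recordConsent
// does, and the caller wires that to an explicit "accept" control, never
// to a pre-ticked box or to dismissing the banner.
function newConsentState() {
  return { given: false, categories: new Set(), recordedAt: null };
}

function recordConsent(state, categories, now = Date.now()) {
  state.given = true;
  state.categories = new Set(categories); // specific: per category, not blanket
  state.recordedAt = now;                 // evidence of when consent was taken
  return state;
}

function withdrawConsent(state) {
  state.given = false;
  state.categories = new Set();
  state.recordedAt = null;
  return state;
}

// Decide whether one cookie may be stored under the current consent record.
function cookieDecision(cookie, state) {
  if (isStrictlyNecessary(cookie)) {
    return { allowed: true, reason: 'strictly necessary: ' + cookie.purpose };
  }
  if (state.given && state.categories.has(cookie.category)) {
    return { allowed: true, reason: 'consent recorded for ' + cookie.category };
  }
  return { allowed: false, reason: 'no consent for ' + cookie.category };
}

// In-memory stand-in for document.cookie so the example runs outside a
// browser. The same gate applies to localStorage, Flash LSOs or app storage.
function makeCookieJar() {
  const store = new Map();
  return {
    set(cookie, value, state) {
      const decision = cookieDecision(cookie, state);
      if (decision.allowed) {
        store.set(cookie.name, { value, category: cookie.category });
      }
      return decision;
    },
    has(name) {
      return store.has(name);
    },
    // On withdrawal, remove everything that was only there by consent.
    purgeNonEssential() {
      for (const [name, entry] of store) {
        if (!EXEMPT_CATEGORIES.has(entry.category)) store.delete(name);
      }
      return [...store.keys()].sort();
    },
  };
}

// Try to set every catalogued cookie and return the names that were stored.
function applyCatalogue(jar, state) {
  const stored = [];
  for (const cookie of COOKIE_CATALOGUE) {
    if (jar.set(cookie, 'x', state).allowed) stored.push(cookie.name);
  }
  return stored.sort();
}

// Walk the three states a visitor passes through.
function demo() {
  const jar = makeCookieJar();
  const state = newConsentState();
  const beforeConsent = applyCatalogue(jar, state);   // exempt cookies only
  recordConsent(state, ['analytics']);                // accepted analytics, not adverts
  const afterConsent = applyCatalogue(jar, state);
  withdrawConsent(state);
  const afterWithdrawal = jar.purgeNonEssential();
  return { beforeConsent, afterConsent, afterWithdrawal };
}

console.log(demo());
```

The point of the design is that the decision lives in one function, `cookieDecision`, so a reviewer can check the classification table against the exemptions rather than hunting through every script that writes a cookie. Consent is recorded per category, which is what makes it ‘specific’, and `recordedAt` is the evidence a controller needs to demonstrate when consent was taken; anything set on page load before `recordConsent` runs is, by construction, limited to the exempt categories.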

Complying with the law on data protection is not as easy as ‘click this box’ consent forms.

The free-for-all in data sale and collection will be cut short abruptly in two years. That is when all companies involved in data collection and processing will have to comply with the General Data Protection Regulation (GDPR).

The GDPR applies from 25 May 2018 onwards. Although it technically entered into force on 24 May 2016, it is an EU regulation and so applies directly in every member state without national transposition; the two-year gap is the time organisations have to prepare. (The accompanying directive on data protection in law enforcement, which does need transposing, has a deadline of 6 May 2018.)


What has changed?

In addition to the requirements already in place under the Data Protection Act, companies will have additional responsibilities regarding minors. For example, where they rely on consent to offer online services directly to a child under 16 (member states may lower this age to 13), they will need the consent of the holder of parental responsibility.

Crucially, the privacy guidelines and terms and conditions will need to expand. Under the GDPR, where individuals give consent to use of their data they must be informed of their right to withdraw this consent at any time. Where they are giving up sensitive data, this consent must be “explicit.”

Data controllers must be able to demonstrate that consent was a

“freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

according to Article 4(11) of the GDPR.


Potential problems

There are some additional considerations from a compliance perspective that companies must factor into their privacy statement and terms and conditions. This paper by Allen and Overy summarises the key issue.

The agreed text states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.

It points out that this could affect a number of e-commerce services. Simply requesting any additional ‘demographic’ information beyond contact details will have to be justified. Making the creation of a login or profile dependent on the individual stating, for example, whether they prefer tea or coffee, or whether they are a custard cream or a chocolate digestive person, would not be permitted unless that information was relevant to the service they are signing up for.

If the privacy notice stated the organisation had a legal basis for setting a series of seemingly random questions about their consumer preferences that might well be ok. For example a PR firm might be trying to assess the applicant’s personality type and suitability for a job position.

If no explanation was given and the website sold an unrelated product such as hardware and home appliances, the natural assumption would be that the data was being collected to sell to a third party without the individual’s consent.

Breaching the GDPR can attract fines of up to 4% of a company’s annual worldwide turnover or €20 million, whichever is higher. This tier applies to major offences such as those relating to international transfers or to the essential principles of processing, including the conditions for consent, and could profoundly affect a company’s margin. Other specified breaches can attract a fine of up to 2% of annual global turnover or €10 million. This is serious and should be treated accordingly.


Conclusion: Data Protection – we are all responsible!

The Culture, Media and Sport Select Committee have just produced a report outlining plans to ensure there is a ‘robust system of escalating fines’ for any company that fails to report a breach in security. They also suggested that a two-year jail sentence would be appropriate. In addition they have called for CEOs’ pay to be linked to the quality of the online security put in place within their organisation.

What this paper suggests is that it’s time for everyone to wise up to the fact that cybercrime is not victimless and that we all need to take responsibility for data – both our own and those we harvest as a company.

In the past it might be fair to say that lines of accountability were somewhat slack, if they existed at all. MPs have said that people need to have day-to-day responsibility for cyber security as well as adopting robust processes and strategies. Without these in place, security breaches such as the one at TalkTalk, where the personal details of around 157,000 customers were accessed, are likely to continue.

The problem is that cyber crime has reached such heights that it is difficult to control, so ignorance is no excuse. Every company and individual has to take responsibility to stay ahead and close the front door to our digital data. Some 90% of large organisations have reported breaches, so it affects almost everyone in one way or another. Jesse Norman MP, chairman of the committee, said: “Failure to prepare for or learn from cyber attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Therefore it is clear that anyone with a website and who collects data for one reason or another has to take responsibility, put processes and strategies in place and organise the appropriate legal documentation so everyone is protected as far as humanly possible. You have been warned!

June 2016