Privacy statements often overlooked
Whenever I fill in a form or buy something online, I am letting the website record my personal data. But what happens to my data afterwards? What is the company running the website allowed to do with it? It's a question that few internet users ask, but that anyone whose website gathers personal data really ought to consider.
Why have a privacy statement?
To protect internet shoppers and other website visitors, Dutch law requires anyone who gathers personal data online to inform people before taking the data (Data Protection Act, Section 33). That requirement can be met by providing a privacy statement for the customer or visitor to read. The statement can be included in the organisation's terms and conditions, or it can take the form of a separate document. In the privacy statement, a website controller has to explain clearly what is going to happen to your personal data. Unfortunately, a lot of companies don't actually provide privacy statements. Either they don't know about the requirement, or they misinterpret it. A common mistake is not drawing the visitor's attention to the statement until after the personal data has been submitted.
Study of privacy statements in .nl
Last year, SIDN investigated the situation with privacy statements in the .nl zone. The study involved trawling through the entire zone. Using a 'crawler' and Chamber of Commerce data, we began by establishing how many .nl websites gathered personal data. We then counted the number of sites that had content that looked as if it could be some form of privacy statement. We took a broad view of what might be a privacy statement: we included terms and conditions documents, for example. We did not consider the quality of the content in question.
Most sites don't have privacy statements
Does your website comply with the Data Protection Act?