There is a growing trend for websites to store more user information (known as personal data) and to place small files (known as cookies) on users' devices. The purpose of a privacy policy is to set out the types of personal data collected through your website and how you will use that data. This includes telling users about the cookies your website uses and obtaining their consent to that use.
You should ensure that a link to your privacy policy is clearly signposted, at least on the pages through which users enter your website. For online sales it is advisable to add an intermediary page that requires the customer to confirm they have read the privacy policy and the terms and conditions of sale before the order is placed. For more information, see our 'Terms and conditions' section. You should also designate one employee as the Data Protection Compliance Manager, responsible for answering any queries relating to your privacy policy.
Users of your website (known as data subjects) have a right to ask you whether you are processing any personal data about them and, if so, to be given:
The eight data protection principles are central to the Data Protection Act 1998. The Data Protection Act is the main body of legislation setting out data protection law in the UK and is based on a European Community Directive. You must comply with these principles at all times in your information-handling practices. In summary, the principles require that personal data must be:
(a) Processed fairly and lawfully
(b) Obtained only for one or more specified and lawful purposes and not processed in a manner incompatible with those purposes
(c) Adequate, relevant and not excessive
(d) Accurate and kept up-to-date
(e) Not kept for longer than is necessary
(f) Processed in accordance with the rights of data subjects under the Act
(g) Protected by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss or destruction of, or damage to, the data
(h) Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data
Cookies are small text files that a website places on a user's device when the user visits it. The browser then sends each cookie back to the website that set it with every subsequent request within the domain and path the cookie was set for; content embedded from a third-party site can likewise set cookies that are returned to that third party. Cookies are useful because they allow a website to recognise a user's device from one request or visit to the next.
Any website using cookies must:
For example, a website could use a pop-up message to let users know that the website uses cookies. The pop-up could contain a link to a separate webpage with further information on the cookies, plus two buttons for the user to either accept or decline the cookies. If the user accepts the cookies, the consent is express consent. If the user clicks away from the pop-up without accepting or declining and continues to use the website, the consent is implied, on the basis that the user has seen the message and carried on.
Another way of obtaining implied consent is to include the cookie information in the website's terms of use and require the user to tick a box to indicate that they accept those terms.
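The consent flow described in this and the preceding paragraph, as an added example in JavaScript that is not part of the original page. It gates non-essential cookies on the user's choice from the pop-up (or the terms-of-use tick box) and remembers that choice in a first-party cookie. A Map stands in for the browser's cookie store so the code runs offline; the class, function and cookie names (ConsentManager, buildCookie, cookie_consent, _analytics) are assumptions of the example, and it goes slightly beyond the text by applying Secure and SameSite=Lax attributes to every cookie it sets.

```javascript
// Added example (not from the original page): consent-gated cookie setting
// for the pop-up and tick-box mechanisms described in the text. Names and
// the store interface are assumptions made for this illustration.

const CONSENT_COOKIE = "cookie_consent";
const ONE_YEAR = 60 * 60 * 24 * 365;

// Serialise a cookie as it would appear in a Set-Cookie header or a
// document.cookie assignment. Secure and SameSite=Lax are applied by
// default (an editorial choice, not something the text requires).
function buildCookie(name, value, opts = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  parts.push(`Path=${opts.path || "/"}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`SameSite=${opts.sameSite || "Lax"}`);
  if (opts.secure !== false) parts.push("Secure");
  return parts.join("; ");
}

// Read the value back out of a serialised cookie string (null if absent).
function cookieValue(serialised) {
  if (!serialised) return null;
  const pair = serialised.split(";", 1)[0];
  return decodeURIComponent(pair.slice(pair.indexOf("=") + 1));
}

// The store is a Map of cookie name -> serialised cookie. In a browser you
// would wrap document.cookie instead; a Map keeps this runnable offline.
class ConsentManager {
  constructor(store, { treatDismissAsConsent = true } = {}) {
    this.store = store;
    this.treatDismissAsConsent = treatDismissAsConsent;
    // A returning visitor's earlier choice is read back from the consent cookie.
    this.state = cookieValue(store.get(CONSENT_COOKIE)) || "none";
    this.deferred = []; // non-essential cookies waiting on a decision
  }

  hasConsent() {
    return this.state === "express" || this.state === "implied";
  }

  // Accept button on the pop-up: express consent.
  accept() { this.record("express"); }
  // Decline button: nothing non-essential is set, queued cookies are dropped.
  decline() { this.record("declined"); }
  // Ticking the box that accepts the terms of use: implied consent.
  acceptTerms() { this.record("implied"); }
  // Clicking away from the pop-up and carrying on. The text treats this as
  // implied consent; the flag lets a stricter site leave consent unrecorded.
  dismiss() {
    if (this.treatDismissAsConsent) this.record("implied");
  }

  record(state) {
    this.state = state;
    this.store.set(CONSENT_COOKIE, buildCookie(CONSENT_COOKIE, state, { maxAge: ONE_YEAR }));
    if (this.hasConsent()) {
      for (const [name, cookie] of this.deferred) this.store.set(name, cookie);
    }
    this.deferred = [];
  }

  // Set a cookie now if consent exists; otherwise queue it until the user
  // accepts, or drop it if the user has declined. Returns whether it was set.
  setCookie(name, value, opts) {
    const cookie = buildCookie(name, value, opts);
    if (this.hasConsent()) {
      this.store.set(name, cookie);
      return true;
    }
    if (this.state === "none") this.deferred.push([name, cookie]);
    return false;
  }
}

// Usage: the analytics cookie is held back until the Accept button is clicked.
const demoStore = new Map();
const demo = new ConsentManager(demoStore);
demo.setCookie("_analytics", "id-123");
demo.accept();
console.log([...demoStore.values()].join("\n"));
```

Cookies requested before a decision are queued rather than silently dropped, so an Accept click releases them without the page having to re-run its setup code; a Decline click discards the queue and later calls to setCookie return false until the consent cookie expires or is cleared.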