Internet privacy
There is a whole web of UK and EU data protection laws and regulations which apply to online privacy and the collection and use of personal data via websites. These include the Privacy Regulations (full name: The Privacy and Electronic Communications (EC Directive) Regulations 2003).
One key aspect of internet privacy compliance when collecting personal information online is to obtain a sufficient level of consent from the person providing the data ("data subject").
As a starting point, you need to have a detailed website privacy policy which explains what personal data you collect via your website, what you use it for, who you disclose it to, how you protect it, your use of cookies etc. However, in some cases - e.g. if you want to use personal data to send marketing emails or provide details to third parties for email marketing - you have to go further and get appropriate consent from web users at the point where you collect the data.
There are different and rather complex rules applicable to the privacy consent wording (known as "opt in", "soft opt in" or "opt out") depending on the information you are collecting and what you plan to do with it.
If you don’t get the right level of consent, then amongst other things you can be sued by data subjects or subject to regulatory enforcement action.
Here are some frequently asked questions about the data protection regime in the UK:
What exactly is personal data? Any information that is held on a living individual, and can be used (possibly in conjunction with other information) to identify that individual.
What is data protection? Data protection concerns the protection of personal data. The Data Protection Act 1998 is the main UK law governing data protection. It applies to those who "process" personal data.
What is "processing" of personal data? "Processing" is very widely defined under the Data Protection Act 1998. It covers doing almost anything in relation to data including organisation, retrieval, use or disclosure.
What are the main features of the Data Protection Act 1998? There are eight Data Protection Principles which are at the heart of the 1998 Data Protection Act. These principles state that data processing must be fair and lawful. Amongst other things:
- You must process personal data "fairly and lawfully".
- You will often need ‘consent’ for lawful processing of personal data. In the case of sensitive personal data, such as racial origin, political or religious beliefs, health and criminal offences, this must be ‘explicit consent’.
- You mustn’t use personal data for anything other than the lawful purpose for which it’s being processed.
- You must keep personal data accurate and up to date.
- You mustn’t keep personal data longer than is necessary for the specified purpose.
- You have to take appropriate security precautions to protect personal data.
- You must ensure that personal data transferred outside of the EEA (European Economic Area) is given an adequate level of protection.
Is there any jargon I should be aware of relating to data protection?
The Data Protection Act includes the following terminology:
- data controllers - those who determine the purposes for which data is processed
- data processors - third parties who process data for data controllers
- data subjects - individuals whose data is recorded
- notification - registration (see below)
- Information Commissioner - the official authority responsible for protection of personal data and enforcement of the Data Protection Act (renamed by the Freedom of Information Act)
Do I need to register to process personal data? Yes, although there are certain exemptions. In fact registration is now termed ‘notification’. The register of Data Controllers is held and maintained by the Office of the Information Commissioner. Processing data without notification (where required) is a criminal offence.
What kinds of rights do individuals have in relation to their personal data? Amongst other things, individuals have the right to prevent significant decisions from being made based solely on automated data processing, to request that their personal data is not processed, or ceases to be processed, for direct marketing purposes, and to be given access to their personal data (in certain circumstances).
How can you help? We can advise on all aspects of internet privacy including website privacy policies, consent wording and a web data protection audit. For a free initial chat and more information about online privacy, call Adam Taylor of Adlex Solicitors on +44 (0) 207 317 8404 or email.
