Collecting Personal Information Using Web sites

July 1, 2007

With a good business plan, a Web site business can be a lucrative and relatively straightforward method of running a business or assisting with the marketing of an off-line business such as consultancy services.  However, there are many small businesses using Web sites which are not fully aware of their obligations with respect to personal data. 


The Information Commissioner’s Office recently issued a Good Practice Note (the Note) covering collecting personal information using Web sites.  The Note does not cover collecting personal information for marketing purposes which is dealt with in the separate guidance note on the Privacy and Electronic Communications Regulations 2003.  The ICO points out that personal information must be processed fairly so Web site operators must always make sure that individuals from whom personal information is directly collected are aware of:


1                    the identity of the person or organisation responsible for operating the Web site and of anyone else who collects personal information through the Web site;

2                    what their information will be processed for; and

3                    any information needed to make sure the processing is fair to individuals taking account of the specific circumstances.  This would include informing individuals if information about them will be disclosed to third parties, including where the disclosure is to other companies within the same corporate group.


Privacy Statements


Information like this is generally set out in a privacy statement.  This statement should be accessible to individuals before personal information is collected from them.  It is important that there is a link to the privacy statement from any page where personal data is collected, as well as from the homepage.  Furthermore, where other organisations may be involved in collecting personal information through the site, such as through banner advertising or a secure payment system, those parties should also be identified. 


It is not sufficient simply to point Web site users to the privacy statement.  Wherever personal information is collected, the basic description of the use of the individual’s information must be provided.  The ICO advocates using a “layered notice” which will usually consist of three linked notices which are increasingly concise.  The longest one will be the full notice and should include all legal provisions.  The condensed notice contains the main information, usually organised under sub-headings and the short notice merely draws attention to how personal information will be used in the broadest terms.  The notices should be clear and easy to read and understand and placed wherever personal information is collected.  The Organisation for Economic Co-operation and Development (OECD) Web site has a privacy policy generator which will create layered notices.




When using cookies, Web site users need to consider data protection legislation if they intend to link profiles which have been generated using cookies to a name and postal address or an e-mail address.  Under reg 6 of the Privacy and Electronic Communications Regulations 2003, visitors to a Web site must be informed wherever a cookie or other tracking system collects information and a user must be given the opportunity to refuse the continued use of a cookie. 


IP Addresses


In theory, the position is the same regarding IP addresses.  However, in practice it is difficult to use IP addresses to build up personalised profiles.  There is the distinction between ‘dynamic’ IP addresses which change each time a user connects to their internet service provider and a ‘static’ IP address which can be linked to a particular computer.  However, it is not easy to distinguish between dynamic and static IP addresses so there is limited scope for using them for personalised profiling.  Similar considerations apply to web bugs which are used to monitor the time, type of web browser being used, and IP address of a computer when accessing a web page or viewing an e-mail message.


Use of Personal Information


A question which often arises is whether Web site operators can use personal information generally available on the Internet for their own purposes.  The ICO points out that any Web site operator should be careful when obtaining personal information from a source other than the individual and that using such information will generally be covered by data protection legislation.  If an individual puts his or her e-mail address into the public domain, for example in a web form, that does not mean that their address can be used for any purpose.  Web site operators need to be clear that they are likely to breach the Data Protection Act unless they use the information for the same reasons as it was provided originally.  If a Web site operator obtains information from a third party, it still has a duty to ensure that any subsequent processing of the information is fair.  This may involve ensuring that the individual knows that you hold his or her information and what you are using it for.  It would be difficult to claim that contacting the individual would involve ‘disproportionate effort’ as it is very easy to provide information to individuals online, for example by sending automated e-mails.




The Note also deals with Web sites directed at children.  It points out that Web sites that collect information from children must have stronger safeguards in place to ensure any processing is fair.  Privacy notices must be appropriate to the child’s level and should not exploit any lack of understanding.  The language used should be clear and appropriate to the age group the Web site is aimed at.  It will often be necessary to seek verifiable consent from a parent.  A child is generally considered to be a person aged 16 or under, but there is a general requirement not to use information from children under 12 without first obtaining the permission of a parent or guardian.  Parental consent must be verified.  It will not usually be enough to ask children to confirm that their parents have agreed by using a mouse click.  The ICO goes as far as to say that if parental consent is required but verifying the consent would involve a disproportionate effort then the proposed activity should not be carried out.


Security and Data Protection


Web site operators need to remember that they are responsible for processing personal information securely and therefore must adopt appropriate technical and organisational methods to protect that information.  Any sensitive personal information or information that would pose a risk to individuals such as credit card numbers should not be held on a Web site server unless it is properly secured by encryption or similar techniques.  If a Web site operator uses another company to host their Web site, they need to ensure that the host or operator complies with the Data Protection Act.  The Information Commission has produced a Good Practice Note for businesses wishing to outsource processing to other companies. 


Another issue which often arises is whether personal information can be placed on a Web site.  It will often result in the transfer of data to countries outside the UK as a Web site can be accessed anywhere in the world.  It may be necessary to obtain an individual’s informed and freely given consent to having his or her personal information placed on the Web site.  Consequently, Web site operators must explain the issues carefully to their users.




If Web site operators wish to change their use of personal data they may not simply change their privacy statement.  If you wish to change the way you use personal information you must obtain the individual’s consent.  Therefore you must explain what you wish to do with the information and wait for the individual to indicate positively that he or she agrees.  Not responding to an e-mail message does not amount to consent.  An example of where this could occur would be if an individual has agreed to marketing activity but the Web site extends the types of products that it sells, so for example, it may have started out selling books but now wishes to market financial services.  As the products are not related, it is unlikely that the Web site operator could rely on the original consent by the individual and it would need to seek new consent.  The significant issue is the customer’s expectations of what the information will be used for.  Depending on how much the new use differs from reasonable expectations, customers should be asked to opt in rather than opt out.


If a Web based company merges or is taken over, it will need to let individuals know that the merger is taking place.  There may be a problem with disclosure if it has previously reassured individuals that it will not disclose their personal information, in which case a specific consent will be needed.  However, generally a new owner will in effect take over the existing business and the personal information will be used in the same way as before.




The ICO points out that if a Web site operator is processing personal information it will generally need to notify the Information Commissioner’s Office.  It reminds Web site operators that it is a criminal offence not to notify.  If a Web site operator is located outside the UK, it will generally be subject to separate data protection legislation.  However, there are circumstances where an operator located outside the UK might be subject to UK legislation, for example if it uses equipment in the UK to process the information.  Generally if a Web site is used only for personal use, the Data Protection Act will not apply and notification will not be required.  However, if a personal site is also used for business purposes, this may not be the case.


Comment and More Information


The Note is relatively comprehensive and is helpful, although in some respects it raises more questions than it answers, particularly in relation to the sale of web businesses etc.  The guidance is available on the Information Commissioner’s Web site at sites_v1.0.pdf.



Helen Hart is a Senior Associate in the Corporate and Commercial department at Stevens & Bolton LLP in Guildford.  Previously she worked in-house at Palm Europe Limited, as well as at the AA and British Gas.  She can be contacted on or 01483 734238.