Under the General Data Protection Regulation (GDPR), data controllers are required to provide information to data subjects about their processing in a concise, transparent, intelligible and easily accessible form. The enforcement of the GDPR falls within the remit of the relevant data protection authority, eg the Data Protection Commission. In addition to scrutiny of privacy policies by data protection regulators, we are seeing increasing efforts by consumer groups and regulators across the EU to apply consumer protection law to privacy policies. These efforts have been successful in Italy and Germany. To the extent consumer law applies to privacy policies, the effect of failing to comply with these laws could be significant. Fines for breaches of consumer law will become much more substantial in 2022 with the coming into force of the Enforcement and Modernisation Directive. We have outlined these changes here.

BEUC Complaints

The European Consumer Organisation (BEUC) has been active in this space in recent years and, notably, has submitted complaints to the European Commission on the privacy policies of global social media companies. In one complaint, BEUC alleged that the privacy policy did not clearly provide necessary pre-contractual information on the collection of user data as required by the Consumer Rights Directive. In another complaint, BEUC alleged that their proposed update to the company's privacy policy constituted misleading and aggressive commercial practices.

Unfair commercial practices

Under the Unfair Commercial Practices Directive, as implemented in Ireland through the Consumer Protection Act 2007, unfair business-to-consumer commercial practices are prohibited. There are two main types of these practices:

  • Misleading commercial practices, and

  • Aggressive commercial practices.

Misleading commercial practices constitute either misleading information or misleading omissions.

This means that a trader may be committing an offence under consumer law if they give information which is likely to:

  • Deceive the average consumer,

  • Cause them to make a transactional decision which they would not otherwise have made, or

  • Omits or conceals material information which the average consumer would need.

Hiding material information or providing it in an unclear, unintelligible, ambiguous, or untimely manner may also amount to misleading information. To mitigate against the risk of a privacy policy being found to be “misleading”, data controllers should ensure that all material information concerning the processing of personal data is provided in a clear, concise manner to data subjects.

An aggressive commercial practice is one which significantly impairs or is likely to significantly impair the average consumer’s freedom of choice or conduct. It may not be immediately apparent how this could apply to a privacy policy. However, in one of its recent complaints BEUC alleged that the content of the notifications to users together with their nature, timing and recurrence placed undue pressure on users impairing their freedom of choice.

Unfair terms

The Unfair Contract Terms Directive, as implemented in Ireland by SI 27/1995 Unfair Terms in Consumer Contracts Regulations (UCTR), applies to the terms of standard consumer contracts. The UCTR requires, among other things, that companies comply with the requirement of good faith. It also requires companies to ensure that contracts do not cause a significant imbalance of the parties’ rights and obligations under the contract, to the detriment of the consumer. If legal developments mean that privacy policies are considered contractual terms, data controllers should ensure that privacy policies are drafted in plain, intelligible language in order to mitigate against the risk of a privacy policy being found to be “unfair”.

Consumer Rights Directive

Data controllers take the view that their privacy policies are non-contractual. However, differing views are taken in other jurisdictions and ultimately it may depend on the language of the policy itself.

Under the Consumer Rights Directive, as implemented in Ireland by SI 484/2013 European Union (Consumer Information, Cancellation and Other Rights) Regulations, consumers must be provided with certain information before being bound by a distance contract including the main characteristics of the goods or services. These Regulations also dictate the timing of when information is provided to consumers, as well as how it is communicated. If legal developments mean that the view is taken that a privacy policy is contractual in nature, and the use of personal data is a core aspect of the goods or services, it may require that the consumer is able to read and understand the main elements of the privacy policy before being bound by the contract. For example, when signing up to a subscription or ordering products online.

Conclusion

At present, the extent to which these rules may apply to privacy policies in Ireland is unclear. Some of the legislation discussed in this article only applies to contracts between businesses and consumers and data controllers take the view that their privacy policies are non-contractual. It remains to be seen how this area will develop. We recommend that companies keep this issue on their radar, particularly in the context of the imminent overhaul of consumer law in Ireland generally, and consider whether your privacy policy would benefit from a consumer law review.