The wonderfully named Balls of Kryptonite LLC1 recently got into some very hot water over their website. Their website woes arose out of their failures to comply with data protection legislation. In contrast, a substantial amount of cold water was poured onto a claim based on website statements in the case Patchett v Swimming Pool & Tiles Trade Association Ltd2. Today we’re going to take a look at websites and the content which you should (and should not) have on them.
Most of you will have a company website. How often do you check this to make sure it’s up to date and accurate? Once a website is built, there is a tendency to leave it there, occasionally adding news or events but wholescale reviews tend to be few and far between. However, your website is your face to the online world and you could face significant liabilities for what’s said there.
Let’s start with data protection. If you collect information about people who visit your website, this may well trigger responsibilities under the data protection legislation. Often the mere mention of the term ‘data protection’ causes people to shudder and understandably so. The legislation is lengthy and complicated, with its own family of complex legal terms and concepts. However, the legislation can be boiled down into a relatively straightforward set of statements. In simple terms, it is aimed at ensuring that personal information is handled safely and securely, in a responsible fashion and in as unintrusive a way as possible.
If you handle information about people, there is every chance that you will be a ‘data controller’ under the legislation and, as such, required to register with the relevant authority. In Guernsey this is the Office of the Data Protection Commissioner. Your notification must set out what information (data) you handle, what you do with it and where you send it. If you do handle data, the law sets out 8 principles which you should comply with and these form the foundation of the data protection regime.
We won’t set out the principles here but copies of legislation and detailed guidance can be found in the data protection section of the States of Guernsey’s website at www.gov.gg.
In relation to your website, you are obliged to give certain information to visitors, if you collect any information about them. Usually this is done by way of a privacy notice or statement. Guidelines for Privacy Statements on Websites were issued by the Guernsey Data Protection Commissioner in 2007. These explain what is required. The Guidelines begin by explaining what a privacy notice or statement is: ‘A public declaration of how an organisation processes personal data on its website… By its public nature it should be concise and clear’.
The Guidelines require that relevant information which is processed through your website must be handled in accordance with the 8 data protection principles referred to above. In particular, any processing of that information must be fair and lawful. For this requirement to be satisfied, the person whose data is being processed will need to be told:
- Who is processing the data
- For what purpose
- If the data might be disclosed to a third party
- That there is a right of access and rectification in respect of the information.
The legislation also contains provisions regarding confidentiality of e-communications, prohibiting the storage or accessing of information stored on a website (often called ‘cookies’), except in 2 circumstances. The first is that the person using the website is provided with clear and comprehensive information about why the information is being stored and accessed. The second is that the person using the website is given the opportunity to refuse storage and access.
As a result, you will need a privacy statement if your website involves collecting information, for example by asking visitors to fill in forms, or by using cookies or web beacons, or if your website covertly collects information such the visitor’s internet address or email data. At any point where personal information is requested, you can choose to alert visitors to this fact by the use of the ‘information padlock’, a symbol which can be downloaded free of charge from the Commissioner’s website.
A privacy statement doesn’t need to be lengthy but it should be specific to what you do with information you collect and should contain enough detail to let the visitor decide whether or not to proceed. As a minimum, the statement should specify:
- Who you are, including contact details
- Why you are collecting data (even if this is for obvious purposes)
- Whether you will be disclosing data to third parties
- The person’s right of access to the personal data collected / stored
- The right to have personal data rectified or erased
- The extent to which data will be processed e.g. the use which will be made of cookies
Your privacy statement should be situated in a prominent and obvious place on your website. The Guidelines suggest the upper half of the entry page, although in practice many businesses include these details in a ‘terms and conditions’ section. However, if you adopt this course be careful that the privacy statement is easily spotted and understood, and is not lost in lengthy text.
What if you don’t have a privacy statement on your website? Various consequences could ensue. The Commissioner may issue an enforcement notice. Failure to comply with an enforcement notice is a criminal offence. In addition, the courts can require that all or any of the data collected on the website is deleted. Additionally, a person whose details have been collected and who has suffered damage as a consequence, may have a right to compensation.
A good example is the company we referred to at the start of this article – Balls of Kryptonite. Balls of Kryptonite is a Californian company which trades through www.bitesizedeals.co.uk and www.bestpricebrands.co.uk selling consumer electronic products such as computer software, cameras and computer games to customers in the UK. By using websites ending in ‘.co.uk’, stating prices in pounds sterling and referring to the Royal Mail, Balls of Kryptonite were alleged to have created the false impression that they were physically located in the UK. Why was this a problem? Because many consumers who used the website thought they were protected by the UK consumer protection legislation when, in fact, they were not.
The court found that some of the website contents included a privacy notice which appeared to contain false representations about data protection. Specifically, it was claimed that the privacy notice falsely represented that the company had complied with the US equivalent for data protection, the Safe Harbor Program. This, combined with the erroneous impression given by the websites that Balls of Kryptonite was UK based, was enough to persuade the Californian court to put a temporary freeze on the company’s operations. The court didn’t stop there, however, but also ordered that Balls of Kryptonite should deliver financial statements to the FTC to enable to FTC to asses the amount of ‘ill-gotten gains’ derived by the company, provide the FTC with access to books and records and comply with US mail order rules regarding representations as to the company’s true business location.
The case highlights the action which enforcement authorities can take against companies on the data protection front. We are now going to look at the other case we referred to, which highlights the liabilities companies can incur to users of their websites.
In the Patchett case, Mr and Mrs Patchett wanted to install a swimming pool in the garden of their house. They did a Google search and found the website for the Swimming Pool & Allied Trades Association Ltd (‘the Association’). The Association’s website published a list of member companies and contained a statement that members belonged to ‘SPATASHIELD’, a bond and warranty scheme which provided insurance that pool installations would be completed to the Association’s standards.
Mr and Mrs Patchett contacted a pool contractor whose details were taken from the list of members and entered into a contract for the installation of a swimming pool. Shortly thereafter, before the pool was completed, the contractor became insolvent.
Contrary to the statements made on the Association’s website, it transpired that the contractor was not a full member of the Association and so the contractor’s work was not insured. The Patchett’s sued the Association for their losses on the basis that the Association’s website contained a negligent misrepresentation. The claim was defended on the basis that the Patchetts should have made independent enquires of the contractor and that, in any event, the website recommended that customers contact the Association for information packs before engaging a contractor, which the Patchetts had not done. These information packs contained a contract checklist of questions which customers should ask a would-be contractor, which would have addressed the insurance situation.
Court of Appeal’s decision
The court held that whether or not a duty of care arose depended on the statement actually made and the way in which it would be objectively understood. In this case it was reasonably foreseeable that people wanting to install a swimming pool would act on the representations which the Association had given on its website.
However, it was reasonable to expect that potential customers would have regard to all the information potentially available from the Association’s website and not just part of it. Therefore, even though the recommendation concerning information packs was on a different section of the website to the one containing the list of members, it was reasonable to expect that customers would read the section advising customers to request an information pack.
Importantly, the court held that, although the Association produced its website to give information for people like the Patchetts, this was not sufficient to establish an adviser / advisee relationship so that no higher duties of care were owed by the Association to the Patchetts.
These 2 cases show the increasing scope for liability in respect of what you say on your website. Administrative tasks of this nature can often slip down the ‘To Do’ list as customer and client demands dominate your time. However, these cases demonstrate how important it is to get your privacy notice and terms and conditions right and how costly it can be if you get them wrong.
We recommend that you review your privacy notice and terms and conditions regularly. This will help to ensure maximum protection for your business, not just at the present time but also as your business grows and develops.