10 Things to Tell Your Customers About Privacy

An average consumer’s data is held by 350 brands and it’s making them nervous. Here’s why it’s important to be transparent about what you do with your customers' personal information.

By Emma Sheppard


November 2023

Last weekend, the Observer newspaper reported the medical research company, UK Biobank, has opened up its vast database to insurance companies. Those companies allegedly then used that data to create digital tools that predict a person’s risk of getting a chronic disease. The database had been populated by the personal information of half a million UK citizens, who had donated it to Biobank for medical research. And, the Observer notes, Biobank had made several public commitments not to share the information with the insurance sector. The Information Commissioner’s Office is now considering the matter. 

High profile news stories like this are becoming more common. And it highlights the danger of not being clear with your customers and service users when it comes to privacy. In another example, Google picked up a €50m fine from the French regulator in 2019 for not being open about how data was collected and used for targeted advertising. 

Beyond substantial fines, there’s also the question of reputational damage. People want to deal with businesses that are transparent and trustworthy. Research has found an average person’s data is held by 350 brands, and people are becoming less willing to share private information for fear of it being sold or used for other purposes. 

Our third Privacy Promise is about transparency, and it’s a key part of building customer trust. If your customer doesn’t believe you’re looking after their data, they’re more likely to report you to the regulator, or stop doing business with you altogether. 

One of the easiest ways to show your commitment to privacy is through your privacy notices. We have three templates in the Privacy Compliance Hub – one for staff, one for customers, and one for job applicants – but all of them are an opportunity to show how you’re taking privacy seriously. 

Here are 10 things to tell your customers about privacy: 

1. What you do with their data 

Your privacy notice should be written in plain, easy-to-understand language and explain all of the ways you use personal data. That could include purposes such as marketing, order processing and staff administration, or perhaps you’ll collect customer account information or browsing history to help you improve products. TikTok’s £12.7 million fine from the ICO this year was partly due to its failure to provide clear and understandable information to users (particularly children) about how their personal data is collected, used and shared. You can also explain what the benefits are – customers may be happier to share data if they receive more personalised products and services, for example.

2. Your lawful basis for processing 

If you’re collecting and processing personal information, you need to have a lawful basis for each processing operation. A lot of organisations rely on consent (which must be of the standard required by law to be valid), or legitimate interests. Remember, personal information should not be collected for one purpose and then used for another. This can be particularly pertinent in the case of artificial intelligence, where data might be repurposed and used for algorithmic training. 

3. Who you will share data with 

It’s important to identify the names of the organisations (or the specific categories they fall into) that you will be sharing data with. The online counselling service BetterHelp was fined $7.8 million in the US earlier this year after it shared its users’ sensitive health data for advertising purposes, having promised to keep it private. Make it clear that you only share personal information with third parties that are taking the same steps as you are to keep it safe. You will also need to identify where you’re sending personal information to if the recipient organisation is outside of the UK or EEA, and set out the safeguards in place to keep that information safe.

4. How long you’ll keep someone’s information for

Be definite about how long you’ll keep someone’s data for, or the criteria you’ll use to determine when that data is no longer required. Reassure them that you’re collecting the minimum amount of data necessary, and that you’ll keep it for the shortest time possible. 

5. The rights of individuals in respect of processing

Tell people what legal rights they have in relation to your use of their personal data such as the right of access to the data you process about them (known as a subject access request or SAR). People have an absolute right to object to direct marketing (such as receiving offers from you) at any time which must be complied with. Giving customers control over how much data they share and when they do so helps build trust. 

6. The right to withdraw consent

Let people know they can withdraw consent to your processing of their personal data at any time and tell them how to do it. Consent must be as easy to withdraw as it is to give. In July 2022, for example, the EU forced Amazon to revamp its complicated Amazon Prime unsubscription process to one that allows users to unsubscribe in just two steps. Remember this does not apply where one of the other lawful bases such as legitimate interests is being used (although the right to object to processing does apply here).

7. The right to lodge a complaint

Tell people they can complain to a supervisory authority (the regulator). Individuals have the right to raise a complaint with the supervisory authority in the member state where they live, where they work, or where the infringement took place. It’s good practice to include the contact details of the supervisory authority individuals are most likely to complain to – in the UK, for example, it’s the Information Commissioner’s Office.


8. The contact details of your data protection officer (DPO) if you have one

Under the UK GDPR, organisations must appoint a DPO if they are a public authority or body, if their core activities require large-scale regular and systematic monitoring of individuals, or if their core activities consist of large-scale processing of special categories of data. But you can still appoint a DPO or key privacy contact person even if you aren’t required to. Those details should be included in any privacy notice.


9. How you’re using artificial intelligence

Companies using AI need to explain to people how they use it, particularly where you’re making decisions solely based on automated processing. You need to give people meaningful information in simple terms about the logic involved in the process (which can be tricky) and explain the expected consequences. If personal information is going to be used to test and train an AI system, that must also be included. The UK government has published an Algorithmic Transparency Recording Standard which helps public sector organisations provide clear information about the algorithmic tools they use and why they use them, which may be helpful for other organisations.

10. When there are changes to your privacy notice

You may need to alert your customers and/or users when there is a change to your privacy policy. This might be an email or an alert posted in a conspicuous location on your website. Merely replacing your privacy notice with the updated one is not good enough.
