Relying on ‘click to consent’ style privacy statements won’t cut it if you're unable to demonstrate that you've taken ‘reasonable steps’ to ensure that individuals are aware of the matters set out in the statement. So, what steps can an agency take in 2020 towards ‘meaningful’ compliance?

New Zealand’s privacy law is set to be revamped in 2020, with a number of changes to be introduced upon the passage of the Privacy Bill. You can read about the key changes in our previous insights here and here.

But in addition to new compliance requirements set to be introduced by the new law, agencies that collect personal information should be aware of a different type of – yet ever-increasing – burden: consumer expectation.

As New Zealand inches closer to the enactment of the new Privacy Act, consumers and regulators alike are becoming increasingly anxious about the ‘overcollection’ of personal information on the basis of long and complex privacy statements.

This was demonstrated by a recent controversy regarding Scentre Group Limited’s newly introduced ‘Westfield Plus’ app. Scentre offered customers that downloaded the Westfield Plus app two hours of free parking at the Westfield Newmarket mall in Auckland, New Zealand.

However, by accepting the terms of service of the app, customers agreed to Scentre tracking their movements around the mall. Similarly, by connecting to the Westfield Newmarket free wi-fi, users agreed to Scentre tracking their web activity.

Although relying on fine print to collect a large amount of personal information isn’t a new phenomenon, the media attention on Scentre’s collection of information has demonstrated two things.

First, the public alarm about the ‘fine print’ signals a shift in consumer attitude: consumers are increasingly demanding more transparent privacy practices and are becoming wary of the purposes for which agencies are collecting their personal information.

Second, the Privacy Commissioner’s new power to issue public compliance notices, which is set to come into play, brings an increased risk of public scrutiny. The regulator has warned that relying on ‘click to consent’ style privacy statements won’t necessarily pass muster if an agency is unable to demonstrate that it has taken ‘reasonable steps’ to ensure that individuals are aware of the matters set out in the statement.

So, what steps can an agency take in 2020 towards ‘meaningful’ compliance? We set out our top tips below.

  • Customer journey: Consumer expectation presents an opportunity for agencies. A creative, pragmatic and user-centric approach to privacy, throughout the customer journey, could differentiate you from your competitors that still rely on a traditional ‘click to consent’ model. Take Air New Zealand’s Privacy Centre as an example, which was awarded a Privacy Trust Mark by the Commissioner in 2019. The tool was praised by the regulator as being designed with ‘customer trust and individual privacy front of mind’, and for its accessibility features, including a short YouTube clip.
  • Transparency is key: Make sure you actually understand the way you collect, use, store, and disclose information, and your purposes for doing so. And then make sure those matters are clearly and completely disclosed in your statement. Chances are, if you’re unable to articulate why you are collecting an individual’s date of birth information, it will be difficult to transparently communicate your ‘purpose for collection’ to your customer base.
  • Keep it simple: Avoid using highly technical and ‘legalese’-ridden language in your privacy statement. Long, complicated, and contradictory statements can ‘muddy the waters’ for your customers. Try to use simple and short sentences. If you do need to include a large amount of information, consider placing a short summary of the key points at the beginning of your policy.
  • Avoid over-collection: While the potential of ‘big data’ can be alluring, the more personal information collected by an agency, the greater the cost of storage – both in terms of server space and risk of a data breach, which makes collecting voluminous amounts of information less attractive in the long run.
  • Understanding what others are doing for you: Often businesses use external vendors to develop digital solutions like websites and apps. It is essential that you have clear and detailed discussions with vendors about how those solutions will collect and use information, including information that might be collected incidentally. Even the best developers may not share your organisation’s commitment to privacy and, in the end, the reputational risk of over-collection, inappropriate collection, or disclosure comes back to your organisation.

This article was co-authored by Campbell Featherstone, Senior Associate and Emily Tombs, Solicitor at Dentons Kensington Swan.

In the wake of increased consumer and regulatory scrutiny, now’s a good time to reconsider your privacy practices. If you’d like further advice on your obligations, get in touch with a member of our team.