It’s become increasingly common for businesses to trade in personal information. Maybe it’s even something that you’re looking to incorporate into your own business model. Or perhaps you’re concerned that your business is inadvertently trading in personal information, and you want to be informed about the consequences of doing so. 

When you’re working out whether your business is allowed to trade in personal information, it is important to understand your obligations under privacy law. This is a tricky legal area to navigate, and getting things wrong could see you facing hefty penalties! 

What’s The Difference Between Personal Information And Sensitive Information?

Before you can determine whether your business will trade or is trading in personal information, it’s first important to understand what ‘personal information’ actually is, and how it differs from ‘sensitive information’.

Personal Information

If your business is in the UK, the GDPR is the relevant privacy law to comply with. The GDPR defines personal data as any piece of information that relates to an identifiable person.

This can include a broad range of identifiers, including a name, an identification number or online identifier, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.

The GDPR provides a useful guide to what can be considered personal data here.

Ultimately, whether information will be considered to be ‘personal data’ depends on whether the individual can be identified or is reasonably identifiable in the particular circumstances.

Sensitive Information

Sensitive information is a category of personal information. 

It includes information or an opinion surrounding issues such as an individual’s:

  • Racial or ethnic origin
  • Sexual orientation or practices
  • Religious or philosophical beliefs and affiliations
  • Political opinions or associations
  • Trade association or union membership
  • Criminal record
  • Health or genetic information
  • Biometric information or templates

Sensitive information generally carries a higher level of privacy protection compared to other types of personal information, as mishandling this type of information has the potential to have a bigger detrimental impact on the relevant individual.

Did You Know?

Personal information does not have to be true, and it can also include information that is already publicly available. It’s important to remember that the definition of personal data is extremely broad, so it’s wise to be extra cautious about how you handle the information you hold.

Does Your Business Trade In Personal Information?

Now that you understand what constitutes ‘personal information’, the next step is to work out what it means to ‘trade in personal information’.

Trading in personal information involves buying or selling personal information without the consent of the relevant individuals. For example, if a business buys or sells a mailing list without the consent of the individuals on that list, the business will be trading in personal information.

Whether your business is said to be trading in personal information generally comes down to the question of consent.

If you collect and/or disclose personal information to someone else for some sort of commercial gain without the consent of the individual(s) to whom the information belongs, you will likely be considered to be trading in personal information.

Conversely, if you have the consent of the individual concerned, you will not be trading in personal information. This applies even if you give or receive payment for the personal information.

Another circumstance in which you will not be considered to be trading in personal information is if you are sharing the information because you are authorised or required to do so by law.

What Is The GDPR And Why Do You Need To Know About It? 

The European Union (EU) introduced the General Data Protection Regulation (GDPR) in May 2018. 

As it turns out, the GDPR applies not only to businesses established in the EU, but also to any business that supplies goods or services to, or uses the personal data of, individuals residing in the EU.

So, if your business also conducts activities overseas (for example, as an eCommerce store), then the GDPR is something you need to be very familiar with.

If your website is available worldwide and uses cookies to track the behaviour of users through their personal data, it’s important to ensure you’re complying with the GDPR.

You’re probably only going to need to make a few minor changes to your business’s operations to ensure that you’re abiding by the GDPR. These changes include having a GDPR-compliant privacy policy on your website, and understanding how to run your business while remaining GDPR compliant.

Consent & The GDPR

Under the GDPR, your business will need to show that an individual has consented to their personal data being collected.

An easy way for you to ensure you comply with this requirement online is by getting your customers to click or tick a box stating that they consent to the collection of their personal data in accordance with your business’ privacy policy.

Consumer Rights & The GDPR

The GDPR also provides a more comprehensive list of consumer rights.

These include:

  • The right to the erasure of personal data: Your customer can ask you to erase their personal data in certain situations, such as if you no longer require the data for the purpose of initial collection, if they withdraw consent to the processing of their data, or if the data was wrongfully collected.
  • The right to data portability: Your customer has the right to ask you to hold their personal data in a structured, commonly used and machine-readable format.
  • The right to object to the processing of personal data: Your customer can, at any time, object to the processing of their personal data. 

It’s Best To Get Consent

If you’re still unsure about what you can and can’t do, it’s a good first step to be transparent and honest with the people from whom you collect personal information. Not only does this help your business avoid breaching any privacy laws and regulations, but it can also help you build trust with your customers.

If you have a website, make sure your privacy policy is not only easy to find, but also easy to read. 

Your privacy policy should include details relating to what information you may collect, the reasons for collecting the information, and how that information may be used. It’s also a good idea to ask your customers to accept that they have read your privacy policy and agreed to its terms. 

We wouldn’t recommend you draft your privacy policy yourself. A lawyer can help draft a privacy policy specific to your business.

Need Help?

Understanding what you can and can’t do with your customers’ personal information can be quite complex.

If you need help drafting a privacy policy – or if you’re not sure where your business stands when it comes to trading in personal information – Sprintlaw has a team of friendly and experienced lawyers who are happy to help!

Don’t hesitate to get in touch at [email protected] or call us on 08081347754 for a free, no-obligation chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
