This article is part of ‘Guidelines on the protection of the online consumer’.

How to provide information about the use of personal data

Explain to consumers what exactly you do with their personal data, for example that you sell the data or use it to determine prices or marketing messages, or that you use it to personalize prices. Consumers must be able to make a well-informed decision about what to purchase and from which business they make that purchase. To that end, consumers need to know how your business uses their data. That way, consumers are also able to compare purchases on the basis of the use of data (personal or otherwise).

Is it difficult for consumers to find or understand information about the use of their personal data, or to do so in a timely manner? If so, they will not be able to take that information into account in their purchase decisions. As a result, consumers could make decisions that they would not have made if they had known everything. This can be a misleading commercial practice. Unfair commercial practices are prohibited. ACM enforces compliance with these rules laid down in consumer law.

Information about the use of personal data is thus important information that you are required to provide under consumer law. The General Data Protection Regulation (GDPR) explains exactly what information you have to provide regarding the use of personal data. The GDPR stipulates how you are allowed to process personal data and how you can ask consumers for consent for the collection thereof. The Dutch Data Protection Authority (AP) enforces compliance with the GDPR. The AP and other European data protection authorities are members of the European Data Protection Board. They have drawn up guidelines (in Dutch) on, among other things, the way in which you have to inform consumers about the use of personal data and the privacy options that consumers have.

What is required and what is not allowed?

  • Give consumers complete information about the way in which you collect and use their personal data. Consumers will then be able to take this into account when deciding to purchase a product from you or from another business.

  • Comply with the GDPR when collecting and using personal data.

  • Does your website use cookies that are not necessary for the functioning of the website, such as tracking cookies, and does the use of such cookies have consequences for the privacy of consumers? Tell consumers, on the first page they see when visiting your website, how you collect and use that information. Offer them the choice to consent to this or not. Make sure that you offer the options ‘accept’ and ‘refuse’ in a neutral way, for example by showing both options in a large, noticeable font and in noticeable colors.

  • Do not leave out any information about the use of personal data. You can, for example, include this information in a privacy statement.

  • Do not provide consumers with incorrect information on how you handle their personal data.

Tips

  • Inform consumers in easy-to-understand language about what you do with their personal data. Do not make the information too long or complicated. Make sure that the information is easy to find for consumers.

  • Test whether consumers understand the information you provide.

Examples

Example: Information on the use of data (personal or otherwise) in app stores

An app store informs consumers about various characteristics of the apps, such as the developer, customer ratings, price, compatibility, and age restrictions. However, information on the way in which the apps use data (personal or otherwise) only appears at the bottom of the page. This is a misleading practice, and is therefore not allowed.

If the app provider acts on its own behalf, it must provide this information itself. The information must be easy to find for consumers. This means it cannot be presented in the fine print at the bottom of the page. Consumers should not need to scroll or swipe to find it either. It is fine, in any case, if the information is presented near the price.

Enforcement

Together with other consumer authorities in 26 countries, ACM called on two app store providers to adjust their app stores. App providers had to inform consumers better about their app’s use of data. Both app store providers answered this call.