Data Protection, On-Line Dating Sites And The ICO

The ICO is asking some serious questions about the terms and conditions used by major on-line dating websites in the UK.  You might think that if you don't run an on-line dating agency, that this isn't relevant to you, but if you've got a website which collects data about your customers, we think you'll want to know what the regulator is saying.

What's Happening?

We said that we would keep you up-to-date with trends and hotspots in terms of regulatory activity in the UK, and as we always try and keep our word, here's the latest update - the ICO has confirmed that it has surveyed several major UK dating websites and is concerned about their website terms and conditions, including:

  • No transparency - the terms and conditions which provide the website operator with consent to use personal data aren't clearly visible to users (the DPA operates on the basis of transparency and consent, a clear privacy policy and data collection process is key to a compliant website).
  • No control - the terms and conditions grant permanent licences to the on-line dating agencies (the DPA operates on the basis that website operator only retains data for as long as is necessary to fulfil the purpose for which it was provided and the concept of data minimisation is also fundamental to the proposed new data protection regulation).
  • No responsibility - the terms and conditions confirm that the website operator isn't responsible for any damage to or loss of personal data (the DPA requires data controllers to implement and maintain appropriate technological and organisational measures to keep data secure).
  • No.....excuse really - users are required to provide personal data before the terms and conditions confirming how their data may be used are provided (as above, transparency and consent are key to DPA compliance - if you don't tell people how you're going to use their data before you collect it, you're going to find it incredibly difficult to demonstate that your data collection practices are fair, lawful and compliant with the DPA).

The action is confined to small players with limited resources -many of the sites are household names and the ICO has written to eHarmony,, Cupid and Global Personals requesting a formal response to the issues summarised above (as well as the trade body that represents the on-line dating sector).  The ICO has also confirmed that it has received relatively few complaints aboute on-line dating sites and is encouraging users who are concerned about the way in which their data is being used to contact them.

I Don't Run An Online Dating Site - Why Should I Care?

The wider issue for any organisation that collects user data through its websites is that the issues set out above are not uncommon, particularly 'standard form' t's and c's which seek to protect the website operator against claims relating to loss, damage or corruption of data  (this is also a key concern of the regulator, that privacy policies should be used to provide transparency to users and not to protect website operators). 

Similarly, terms and conditions which grant permanent licences for the website operator to use personal data for a wide variety of purposes are not uncommon particularly in social media sites, but they can cause adverse reactions from user communities (remember the incredibly negative reaction to Instagram's change to its terms and conditions). 

It's a good example of how care needs to be taken to ensure that terms and conditions around general service provision don't become confused with a data controller's obligations under the DPA and the commitments it makes in its privacy policy as to the data it will collect, how it will use it, who it will share it with and the steps it will take to keep data accurate, up-to-date and secure.  It also demonstrates that complaints from users are not the only criteria which the regulator will use to determine whether to investigate data protection compliance in a particular sector.

So, the bottom line is that if you run a website and collect user data through your website, the ICO is actively looking at whether or not your site complies with basic Data Protection requirements and it isn't afraid to name and shame websites which don't comply.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.