Apart from being a bit mean, it goes against the basic principles of data protection and consumer law in the UK. The Data Protection Directive 95/46 EC places obligations on the data controllers and processors to take appropriate steps to protect the information from unauthorised disclosure or access, the burden is not on the data subject. Further, the Consumer Rights Act 2015 (“the Act”) was drafted with the aim of increasing fairness and transparency for consumers, which includes in respect of digital content. The Act “greylists” certain limitations of liability and considers “transferring inappropriate risks to consumers” unfair and potentially unenforceable. Were this clause to be analysed in conjunction with the Act, it is unlikely the Competition and Markets Authority and/or Trading Standards would let this slip thought the net.
In response, the ICO stated that when handling people’s personal data, organisations are responsible for keeping that data secure. It is unclear whether there will be formal consequences for VTech, but if they do not change the wording, they could come under further scrutiny.
Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people’s online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.
Availability: Proximity of the necessary infrastructure required for access.
Affordability: The cost of access relative to income.
Relevance: A reason for access, such as primary language content.
Readiness: The capacity to access, including skills, awareness and cultural acceptance.