The information commissioner has launched a draft code to help businesses that collect consumers' personal details online protect themselves better against possible lawsuits under the Data Protection Act.
The move comes after the European Commission said it would take the UK to court over its handling of Phorm, the firm that uses deep packet inspection to build up profiles of users' behaviour and apparent preferences to serve online advertisements as they browse the web.
Speaking at the personal information online conference in Manchester, information commissioner Christopher Graham said people should have control over what happens to their personal information online, whether it was to correct inaccuracies, delete profiles or choose the privacy settings that suit them.
"Customers can always vote with their feet and punish organisations that they feel have let them down," he said. This was reminder that getting privacy online wrong was risky, he said.
The new draft code aimed to provide firms with a common sense approach to protecting individuals' privacy online. It said how the law applies and calls on organisations to give people "the right degree" of choice and control over their personal information.
This included giving users clear opt in or opt out choices, and making it easier to erase personal information at the end of a browsing session.
Iain Bourne, head of the ICO's data protection projects, said the heart of good privacy protection was to collect information in the proper way, telling users what happened to their personal information and how they could access it and keep it accurate.
The code also gives practical advice about technology such as cloud computing, where organisations may not know the location of information they are responsible for.
The consultation begins on 9 December 2009 and ends on 5 March 2010.
Do's and don'ts in privacy protection
Organisations can minimise the risk of disclosing the individuals' personal information under their control if the follow these common sense guidelines, says the ICO.
• Do not be secretive or deceptive in how you handle people's personal data.
• Do not try to gain an advantage by using personal data in a way that people wouldn't expect or might object to.
• Do not collect unneeded personal data. This cost more and exposed firms to extra risk if there was a data loss.
• Do get the best affordable security. A big data loss or a loss of sensitive personal data could undermine public confidence in the firm cause great commercial damage.
• Do not assume that as a firm based in the UK you can ignore other countries' laws.
If you use equipment in another country or collect personal data about people outside the UK, you may need to comply with other countries' laws, the ICO said.
Firms must be able to justify the collection of information that identifies an individual.
Questions to ask were
Is it possible to achieve my aims without collecting information that identifies people?
If not, what sorts of identifiers do I need to collect; obvious ones, such as names and addresses, or less obvious ones, such as the IP addresses of the devices used to access my site?
Which data items do I really need? Do I really need individuals' dates of birth or just their contact details?