Does it frustrate you seeing inaccurate or unjustified claims such as "this website is secure", "we use a secure server" and "your privacy and security is paramount to us". Or privacy-related claims like "your personal data is stored safely, securely and anonymously" and "we will not share your data with any other organisation". How are misleading claims about a software application's security any different to misleading claims about medical benefits or eco-friendliness, inaccurate descriptions, and unsubstantiated testimonials, etc of other consumer products and services? I don't believe they are.
Without a standard kite mark or agreed security, privacy and trust labelling standards, how do consumers know what is the truth about the security of the web sites, mobile apps and other software applications they are using. Well, for the moment we could do with some more accuracy & honesty about security and privacy claims.
So, apart from the requirements to secure personal data (Principal 7 of the Data Protection Act) and to protect privacy in electronic communications (Privacy and Electronic Communications Regulations responsibilities and obligations), and other sector-specific regulations concerning information security and privacy such as from the Financial Services Authority (FSA), Medical Research Council, and Payment Card Industry Security Standards Council (PCI SCC), marketing claims themselves are regulated. Therefore a claim about security or privacy is regulated.
The relevant sections in the Committee of Advertising Practice's UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code) seem to be:
- Misleading advertising
- 3.1 Marketing communications must not materially mislead or be likely to do so.
- 3.2 Obvious exaggerations ("puffery") and claims that the average consumer who sees the marketing communication is unlikely to take literally are allowed provided they do not materially mislead.
- 3.3Marketing communications must not mislead the consumer by omitting material information. They must not mislead by hiding material information or presenting it in an unclear, unintelligible, ambiguous or untimely manner. Material information is information that the consumer needs to make informed decisions in relation to a product. Whether the omission or presentation of material information is likely to mislead the consumer depends on the context, the medium and, if the medium of the marketing communication is constrained by time or space, the measures that the marketer takes to make that information available to the consumer by other means.
- 3.7 Before distributing or submitting a marketing communication for publication, marketers must hold documentary evidence to prove claims that consumers are likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation.
- 3.11 Marketing communications must not mislead consumers by exaggerating the capability or performance of a product.
- Database practice
- 10.1 Personal information must always be held securely and must be safeguarded against unauthorised use, disclosure, alteration or destruction.
Complaints can be made to the ASA concerning advertisements within their remit, including the online remit which includes "marketing communications on companies' own websites". And the companies don't need to be using a .uk domain — they just have to be registered in the UK.
If you are an organisation with online marketing material and are UK-based, you need to ensure your security & privacy copy does not contravene CAP to avoid possible sanctions and adverse publicity, and at the same time builds user trust, and encourages them to report suspicions & concerns to you as easily as possible in a timely manner.
As a consumer, if an online channel has any marketing claims about security & privacy which you think contravene CAP, the ASA's complaints process can potentially be used to improve standards in this area.
Posted on: 24 February 2012 at 07:52 hrs