29th April 2019
A word on GDPR
Greg Jackson, Founder
On 25 May 2018, the General Data Protection Regulation overhauled the rules for how organisations process and handle personal details, and other data which could be used to identify users. For us, it was very welcome – we recognise that customers value their data and privacy, and we respect it as we would our own.
GDPR is, rightly, a "principles based" regulation. These principles set out the regulations and give businesses the guidance they need to make judgements on how to handle their customers’ personal data. The ICO (Information Commissioner’s Office) is the regulator for data privacy matters in the U.K. and if marketing or other uses of personal data generate complaints it will reactively investigate.
We have carefully reviewed the regulation, and what others are doing in this space, to ensure we are acting in accordance with the principles of the GDPR and with the practice of other respected companies and organisations – to both comply with the GDPR and also to make sure that we are aligned with the industry.
We are a business built on transparency
We don’t ‘tease and squeeze’ with our pricing (where first-year prices are low and are then hiked the next year), and we strive to enable control (we work hard at giving customers the same self-serve functionality in their online accounts as our staff have in their systems). Transparency and control are also key mandates of GDPR, which means that even before GDPR, we would:
- Never pass your personal details to any 3rd party for whom it wasn’t totally necessary to provide the service we do (such as sending a meter reader out, or performing a credit check)
- Make sure you know when we’re collecting data (e.g. recording phone calls, or even field sales discussions)
- Only use data for marketing where we’ve been given permission - for example, we do work with 3rd party companies to phone prospective customers, but only ever use the phone numbers of people who have given permission for their details to be used in that way.
And since GDPR we have gone even further in our pursuit of transparency and control:
- Every customer can change their preferences for many of the communications we send them via their online account, or by contacting us on any channel.
- Customers can now access, through their online account, a copy of digital communications we’ve sent to them, and that they’ve sent to us.
On cookies, and cookie policies
One element which is not straightforward is cookie policies. Cookies are not inherently evil (nor inherently good). But they are an essential tool for creating digital experiences that are simple, intuitive and delightful, and we use them to do helpful things, such as submitting your meter reading through our website, or remembering which tariff you’ve selected for your quote.
Like any other well-run company, we also use them to understand how people use our website so that we can improve it. It’s like owning a shop and seeing how people find their way around in order to improve the layout and make things easier to find and understand. It helps us identify which pages customers find useful and which they don’t, and of course commercial things too - such as whether customers drop out in the course of getting a quote or switching.
When is a cookie “essential”?
GDPR makes a distinction between "essential cookies" and "non-essential cookies":
- Essential cookies enable us to display our website correctly for the device which you're on, or the browser which you are using. Effectively without these essential cookies, we would not be able to deliver our website to you, or process any transactions through our website.
- Non-essential cookies on the other hand are everything else, including those cookies which help us work out how you navigate around our website, or the analytical cookies which we use to help improve the digital experience we provide to you.
The GDPR requires that we obtain your consent for the non-essential cookies which we utilise on our website.
Some organisations have interpreted these rules in a very heavy-handed way and started putting massive “opt-in” boxes – privacy paywalls – on their websites, requiring you to concede your privacy before you can use the site at all.
Our view is that preventing users from navigating a website without opting into cookies is too stringent an interpretation of the regulations. This will deliver the opposite of the GDPR’s intention to protect people – instead, users will become so accustomed to clicking ‘OK’ as the first thing they do on every website they visit that they start clicking ‘OK’ as an automatic reaction, including to things which might not be so helpful to them.
We want to make the web better not worse, and a key part is empowering people to make informed choices about their personal data, and enabling them to look after themselves.
So the way we do things currently is:
- When you first visit our website, we set persistent cookies (like much of the industry), and inform you of this and your choices with our cookies banner.
- If you don’t like this we give links to let you use your browser to control any cookies we use - including deleting or blocking ones you don’t want.
- That way, those who wish to control privacy in a granular way can do so - but the vast majority of users are able to use the site easily on any device.
Looking further ahead, we’d like to see standardised and more consistent support for data privacy choices in the browser, where the user is truly in control, specified and overseen by the W3C.
It’s always good to keep abreast of the latest guidance no matter your level of expertise. Here are some of the best instructions we’ve found on how to manage or delete your cookies - definitely worth a read.
And we don’t force any customer or prospective customer to use our website. We are happy to do everything by email or phone if you don’t want to deal with cookies or don’t like our approach.