A word on GDPR


Update: October 2020

In February the ICO (Information Commissioner's Office) provided an update on guidance that firmly supports our approach. The update pointed to people suffering from ‘consent fatigue’ in a post-GDPR world: constant cookie banners and privacy walls are leading to a situation in which ‘consent is undermined’ - people are no longer providing their informed consent, simply clicking ‘yes’ to get access to each website they visit.

The update also suggests that ‘providers of software’ - your internet browsers and plug-ins - should be providing clear, user-friendly controls for cookies, which is great to hear. Keep an eye on what’s available, as more and more easy tools to help you control your data privacy should be appearing and many already exist.

So while we’re pleased this all supports our existing approach of valuing transparency and control, we won’t be relying on software providers to do our job for us. We will be continually updating our best practices and looking into innovative solutions. We’re currently reviewing a ‘contextual consent’ approach where we ask permission from people for the use of cookies as and when they need it. This will ensure people make informed privacy choices, in situations where we need more permissions to continue providing those simple and intuitive digital experiences.

On 25 May 2018, the General Data Protection Regulation overhauled the rules for how organisations process and handle personal details, and other data which could be used to identify users. For us, it was very welcome – we recognise that customers value their data and privacy, and we respect it as we would our own.

GDPR is, rightly, a "principles-based" regulation. These principles set out the regulations and give businesses the guidance they need to make judgements on how to handle their customers’ personal data. The ICO (Information Commissioner’s Office) is the regulator for data privacy matters in the U.K. and, if marketing or other uses of personal data generate complaints, it will reactively investigate.

We have carefully reviewed the regulation, and what others are doing in this space, to ensure we are acting in accordance with the principles of the GDPR and with the practice of other respected companies and organisations – to both comply with the GDPR and also to make sure that we are aligned with the industry.

We are a business built on transparency

We don’t ‘tease and squeeze’ with our pricing (where first year prices are low, and then hike the next year), and we strive to enable control (we work hard at giving customers the same self-serve functionality in their online accounts as our staff have in their systems). Transparency and control are also key mandates of GDPR, which means that even before GDPR, we would:

  • Never pass your personal details to any 3rd party for whom it wasn’t totally necessary to provide the service we do (such as sending a meter reader out, or performing a credit check)
  • Make sure you know when we’re collecting data (e.g. recording phone calls, or even field sales discussions)
  • Only use data for marketing where we’ve been given permission - for example, we do work with 3rd party companies to phone prospective customers, but only ever use the phone numbers of people who have given permission for their details to be used in that way.

And since GDPR we have gone even further in our pursuit of transparency and control:

  • Every customer can change their preferences for many of the communications we send them via their online account, or by contacting us on any channel.
  • Customers can now access, through their online account, a copy of digital communications we’ve sent to them, and that they’ve sent to us.

On cookies, and cookie policies

One element which is not straightforward is cookie policies. Cookies are not inherently evil (nor inherently good). But they are an essential tool for creating digital experiences that are simple, intuitive and delightful, and we use them to do helpful things, such as submitting your meter reading through our website, or remembering which tariff you’ve selected for your quote.

Like any other well-run company, we also use them to understand how people use our website so that we can improve it. It’s like owning a shop and seeing how people find their way around in order to improve the layout and make things easier to find and understand. It helps us identify which pages customers find useful and which they don’t, and of course commercial things too - such as whether customers drop out in the course of getting a quote or switching.

When is a cookie “essential”?

GDPR makes a distinction between "essential cookies" and "non-essential cookies":

  • Essential cookies enable us to display our website correctly for the device which you're on, or the browser which you are using. Effectively without these essential cookies, we would not be able to deliver our website to you, or process any transactions through our website.
  • Non-essential cookies on the other hand are everything else, including those cookies which help us work out how you navigate around our website, or the analytical cookies which we use to help improve the digital experience we provide to you.

The GDPR requires that we obtain your consent for the non-essential cookies which we utilise on our website.

Some organisations have interpreted these rules in a very heavy-handed way and started putting massive “opt-in” boxes – privacy paywalls – on their websites, requiring you to concede your privacy before you can use the site at all.

Our view is that preventing users from navigating a website without opting into cookies is too stringent an interpretation of the regulations. This will deliver the opposite of the GDPR’s intention to protect people – instead, users will become so accustomed to clicking ‘OK’ as the first thing they do on every website they visit that they start clicking ‘OK’ as an automatic reaction - including clicking ‘OK’ to things which might not be so helpful to them.

We want to make the web better not worse, and a key part is empowering people to make informed choices about their personal data, and enabling them to look after themselves.

So the way we do things currently is:

  • When you first visit our website, we set persistent cookies (like much of the industry), and inform you of this and your choices with our cookies banner.
  • We let you know what cookies we will be using – you can see the non-essential cookies which we utilise within our privacy policy.
  • If you don’t like this we give links to let you use your browser to control any cookies we use - including deleting or blocking ones you don’t want.
  • That way, those who wish to control privacy in a granular way can do so - but the vast majority of users are able to use the site easily on any device.

It’s always good to keep abreast of the latest guidance no matter your level of expertise. Here are some of the best instructions we’ve found on how to manage or delete your cookies - definitely worth a read.

And we don’t force any customer or prospective customer to use our website. We are happy to do everything by email or phone if you don’t want to deal with cookies or don’t like our approach.

Published on 29th April 2019 by:


Greg Jackson

