Which? privacy notice
In this article
- About this notice
- 1. What information does Which? collect?
- 2. What types of information does Which? process?
- 3. How does Which? use my information, and on what legal basis?
- 4. Who does Which? share my information with?
- 5. What are my data protection rights?
- 6. How long is my information retained?
- 7. Marketing and advertising
This privacy notice was last updated on 16 June 2023 (Version 17).
About this notice
Who we are
Which? is the UK’s consumer champion. As an organisation we’re not for profit and all for protecting consumers – a powerful force for good, here to make life simpler, fairer and safer for everyone.
The Consumers' Association (Company No. 580128) is a charity registered in England and Wales (Charity No 296072) and is the owner of the rest of the Which? group. More information about our charitable aims can be found here.
The Consumers’ Association is the data controller when it uses your information for these purposes. Its registered address is 2 Marylebone Road, London, NW1 4DF.
All our commercial operations are carried out through Which? Limited (Company No 677665) and its subsidiary companies.
Which? Limited is the data controller when it uses your information for these commercial purposes. Its registered address is 2 Marylebone Road, London, NW1 4DF.
The Consumers Association and Which? Limited will together be referred to in this privacy notice as "Which?", "we", "us" or "our". Details of the services and products provided by the Which? Group are detailed in the table below.
Which? Group
The Consumers' Association | Which? Limited |
---|---|
Campaigns, policy work and supporter engagement | Magazines, books, websites and digital products not provided by the Consumers' Association |
Ordinary or associate membership | Which? Trusted Traders |
Which? Connect | Which? Switch |
The majority of the research included in the various Which? publications | Which? Best Buy Guarantee |
Which? Consumer Rights & Which? Later Life Care services | Which? legal advice service, Which? will & power of attorney services, Which? Money Helpline and Which? Computing helpdesk. |
What this notice applies to. This notice applies to personal information we collect about you directly or that we collect from third parties. It sets out:
- what information we collect, and from whom;
- how we use that information;
- who we share your information with;
- how your information is protected;
- your rights in relation to the information we hold about you; and
- how long we keep your information.
What this notice does not apply to. This notice does not apply to any services provided by Which? Financial Services Limited where a different privacy notice applies. This includes Which? Mortgage Advisers, Which? Insurance Advisers and Which? Money Compare. For further details please see the Which?’ Financial Services privacy notice.
Changes to this privacy notice. We keep our privacy notice under regular review. We encourage you to regularly review this page for the latest information on our privacy practices. We will notify you of any significant changes by listing these in Section 12, and via any other appropriate methods.
1. What information does Which? collect?
Information you provide to us voluntarily
You may give us your personal information when you:
- order products and services from us;
- use our products, services and websites;
- provide a comment or write a review on our websites;
- communicate with or contact us;
- enter into any of our competitions, promotions or surveys;
- contact one of our helplines;
- interact with us on social media platforms;
- sign up to one of our newsletters or other communications;
- take part in our research;
- request a call back through our websites;
- apply to become an Ordinary Member;
- apply to become a Which? Trusted Trader;
- get involved with one of our campaigns or blogs; or
- otherwise interact with us or provide information to a third party to be referred to us.
Where we request information from you, this will be explained in the relevant forms or pages, or over the telephone. You may choose to provide additional information when you interact with us or to a third party who refers you to us. We record calls for monitoring, training and analysis purposes. We store customer feedback and information on our customer databases.
Information we collect automatically
We, or the companies working for us, automatically collect some data from visitors to our websites. This includes what pages you have viewed, for how long and where you go on our website.
Information is also collected about how you arrived at our websites in the first place. This includes what links or adverts of ours you have viewed or clicked on to reach us, or any search terms you have used. Where you see a Which? advert outside of our website we, or an ad agency working for us, may place a cookie on your browser. This is so that, when you access our website, we recognise that you have seen an advert of ours elsewhere. Information collected automatically using cookies or other tracking technologies includes your IP address. If you have logged in, this includes your login details.
For further information see our separate cookies and tracking technologies notice.
Information we collect from third-party sources
Sometimes we might get information from another company, for example to supplement the data that Which? already has. Where this happens we will make sure we are confident that your information was collected legally.
For example, we use Google Analytics and New Relic to collect information about how customers use our websites. This includes how long customers spend on our websites, how often they return and what demographic categories they fall into. For further information about how Google uses data, please visit www.google.com/policies/privacy/partners/.
Information which is available publicly
Your personal information may be available to us from external publicly available sources. For example, geo-demographic information and information from public registers such as listed directorships, information from the electoral roll and press reports. Depending on your privacy settings for social media services, we may also access information from those accounts or services.
2. What types of information does Which? process?
We collect, store and use the following types of information:
- your name and contact details (including your postal address, telephone number, email address(es), your membership number and social media identity);
- financial information such as bank details or credit/debit card details where you provide this to make a payment;
- details about the products and services we provide to you;
- details about how you use our products and services;
- information you provide on other people (for example dependants);
- information provided when you use our products or services, including where you are seeking guidance or advice;
- communication you have had with us;
- comments and reviews you have left on our websites;
- your contribution to research you take part in;
- information about your computer / mobile device, for example your IP address;
- information about your visits to our websites and how you use them; and
- any other information shared with us as described in section 1 above.
In order to receive certain services via the websites (eg access to our Best Buys and Don't Buys recommendations), you will need to create a Which? ID. The information that you provide when setting up your Which? ID includes your name, address, email address and payment card details. If you register to set up a Which ID, you will also have a unique password which enables you to access your account.
Special category and criminal offence data
Special category data includes:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Data concerning health; or
- Data concerning a person’s sex life or sexual orientation.
Criminal offence data can include:
- criminal convictions and offences;
- unproven allegations;
- information about an absence of convictions
We do not routinely collect this type of data. We will usually only do so if you choose to disclose it to us or provide explicit consent. For example, if you take part in our research, tell us about any reasonable adjustments you need, or contact us about your consumer experience, including reporting a scam. In all instances, we will only collect this type of data if there is a valid and legal reason for us to do so.
3. How does Which? use my information, and on what legal basis?
The following sections describe in more detail how Which?, or one of the companies working for us, may use your information. This also sets out the legal grounds we rely on when processing your data.
What we use your personal information for
We use the information collected for a number of purposes. These include:
- to provide our products and services;
- to verify your membership;
- to make and manage payments;
- to manage our relationship and communicate with you;
- to provide you with advice or guidance about our products and services;
- to respond to complaints and seek to resolve them;
- to enhance your online experience;
- to conduct and commission research and surveys;
- to develop and carry out marketing activities and competitions;
- to develop and manage our products and services;
- to test new products and services;
- to better understand our customers and consumers in general;
- to study how our customers use products and services from us and other organisations;
- to research consumer views and experiences for research and editorial purposes, including through requests for help and surveys;
- to respond to individual experiences shared with us and for editorial content;
- to understand your website journey, including what pages you have viewed and for how long;
- to show you adverts on other websites about our products, services or campaigns that you’ve shown an interest in;
- to communicate with regulators, legislators and corporate stakeholders;
- to keep our website safe, secure and up to date;
- for internal operations, such as data analysis, testing, research, statistical and survey purposes;
- to train our staff and measure the quality of the service we give you; and
- to obey laws and regulations that apply to us.
The legal grounds we rely on to process your information
There are a number of legal reasons why we are allowed to process your personal information. These include:
- to fulfil our contractual obligations (for example to provide the products or services requested and to contact you if there is a problem);
- to pursue our legitimate interests
- your consent; and / or
- to fulfil a legal duty.
Legitimate interests
We rely on our legitimate interests for the following purposes:
- keeping our records up to date;
- developing, marketing and charging for our products and services;
- running our websites and keeping them safe and secure;
- presenting our content and communications in the most effective and sustainable manner for you and your devices;
- helping you use our websites, including obtaining products or services;
- measuring how you use our websites and improving their content and accessibility;
- measuring and understanding how effective our adverts are;
- tailoring our content, communications and adverts so that they are relevant to you;
- carrying out campaigns work and developing Which? policy;
- complying with legal and / or regulatory requirements;
- identifying consumer trends;
- understanding products, services and the consumer experience; and
- informing and generating content (for our editorial outputs and other channels).
- developing and administering member engagement initiatives.
- to provide insight and analysis into how our social media channels are used and how they are performing.
4. Who does Which? share my information with?
We, or one of the companies working for us, share your personal information with the following third parties:
Data processors
We share your personal information with certain third parties who provide services to Which? or act on Which?'s behalf. For instance:
- other parts of the Which? Group;
- vendors, IT and other suppliers;
- research agencies;
- payment processors;
- financial institutions;
- shipping companies or postal authorities.
We only authorise these companies to process your personal information so they can provide the requested service. Which? group companies are all based in the United Kingdom (“UK”).
We use Worldpay to process your Direct Debit payments. More information on how Worldpay processes your personal data is available here. This includes information about your right to object and other data protection rights.
Group companies
We share your information between companies in our group for the following purposes:
- providing you with our products and services;
- responding to requests to exercise your rights;
- responding to complaints and seeking to resolve them;
- keeping our records up to date;
- charging for products and services;
- developing products and services; and
- informing and generating content.
We may also share your information with other members of our group if you have indicated to us that you would like to hear about their Which? products and services.
All members of our group treat your information with similarly high standards. They will use it only for the purposes set out in this privacy notice. A full list of companies/brands within our company group is available here.
Social media companies, search engines and advertising platforms
We may use personal information about our existing customers, such as your full name, to better understand who our content appeals to (our target audiences) on social media sites, search engines and advertising platforms (such as Google, Facebook, and Pinterest).
The personal information is encrypted (put into a code so that it's secure) before it is uploaded to those platforms. The platforms will then attempt to match your profile in their database so that they can establish whether you hold an account with them. If you have an existing account with those platforms, the information will be used to understand how many of our customers have been shown a Which? advert on these platforms so we can measure how well our adverts are performing, to better understand the interests, demographics and behaviours of our target audience and to promote our services. It may also be used to identify users of the social media site that have a similar profile to you so we can show them adverts.
The information we provide to the social media platform is destroyed once the matching exercise is complete.
If you do not wish your personal data to be used for targeted social media advertising or marketing, please email preferences@which.co.uk.
You can also amend your social media provider’s advertising settings to prevent your data being used in this way.
A social networking widget may be found in many of our pages. This widget gives you the tool to bookmark our websites, blog, share, tweet and email our content to a friend. Cookies from these social media companies may be placed on your system when you interact with this widget, or when you are on the same webpage while being logged into these social networking services. Our cookie and tracking technologies notice provides further information about this.
Third parties involved in corporate transactions
Which? may share your information with third parties involved in any reorganisation, restructuring, merger or sale, or other transferring of assets. Which? will only share your personal information with a third party that agrees to treat it with the same high standards set out in this Privacy Notice.
Other third parties
These third parties may be companies who help us provide our products and services to you, companies you have contacted Which? through, or companies you ask us to contact on your behalf.
Other circumstances in which we will disclose your information
In some circumstances we are legally obliged to share information. For example under a court order, to regulators or law enforcement authorities, or to investigate security breaches, fraud or other crimes. In any scenario, we’ll make sure that we have a lawful reason to share the information and document our decision.
We will also disclose your information to establish, exercise or defend legal claims, For example:
- to enforce our terms & conditions;
- to ensure the safety and security of our users, consumers and third parties;
- to protect our rights and property of Which?, of our website visitors, consumers and third parties.
Location of third parties
In some instances we may need to send your information to third parties outside of the UK. These countries and territories may not have the same data protection laws as those in the UK. If we do transfer your information outside the UK we will take appropriate steps to protect that information. These include:
- transferring to third parties in countries and territories that the UK Government has determined offer adequate protection for your information. Information about these adequacy decisions is available here; or
- entering into an agreement with the recipient of the data which includes clauses that the UK Information Commissioner’s Office has determined offer adequate protection for your information (more detail is available here).
5. What are my data protection rights?
You have the following rights regarding your personal data:
- Access: The right to request access to and a copy of your personal information. This is called a data Subject Access Request, or SAR;
- Restriction: You can ask us to pause processing your information in certain circumstances (eg you don’t think it is correct);
- Rectification: You can have any inaccuracies in your personal information corrected;
- Deletion: You can ask us to delete all your personal information in certain circumstances;
- Objection: You can object to us processing your personal information in certain circumstances;
- Objection to marketing: Please see section 7 (Marketing and advertising) below, for information about how to opt-out of direct marketing communications;
- Portability: You can ask us to transfer your information electronically to you or another organisation in certain circumstances;
- Withdrawal of consent: Where we rely on your consent to process your information, you can withdraw consent at any time. Note this will not affect our use(s) of your personal information before you withdrew your consent; and
- To lodge a complaint with the Information Commissioner’s Office (“ICO”) or other relevant supervisory authority: You can complain to the ICO (ico.org.uk/global/contact-us/email) or other relevant supervisory authority about any aspect of how we handle your information.
More information about the right to complain can be found at https://ico.org.uk/for-the-public.
Please be aware that you are under no obligation to provide us with your personal information. However, in some instances, if you don’t provide certain information then we may not be able to provide you with products and services, or otherwise interact with you.
When exercising your data protection rights we may ask you to verify your identity to help us respond to your request.
If you would like to exercise any of the above rights, please contact us using the details outlined in the table below.. All of these rights are free to exercise. We will do our best to respond to you as quickly as possible and within one month of receiving your request. We will inform you within one month of receiving the request if we will need longer to respond, for example if the request is complex.
We want to make sure that your personal information is accurate and up to date. Please always let us know if you think that it is not and needs updating.
Action | Contact |
Request that we do not share your data with social media companies, search engines and advertising platforms for targeted advertising purposes | Email: preferences@which.co.uk |
Make a data subject access request or SAR (right to access your personal information) | Email: sars@which.co.uk Phone: 029 2267 0000 Write to: General Counsel, Which?, 2 Marylebone Road, London, NW1 4DF |
To exercise any of your other privacy rights, such as deletion or to let us know your details are incorrect | Email: dataprivacy@which.co.uk |
6. How long is my information retained?
Whenever we collect or process your personal data, we will only keep it for as long as we need it.. At the end of that retention period, your data will either be deleted or anonymised. Examples of our retention periods are in the following table.
Type of data | How long we keep your data for |
Membership | For the duration of your membership and for up to 3 years after you stop being a member |
Financial | For 10 years from the date of payment where we have financial reporting obligations |
Legal claims, advice or complaints | For 7 years from the end of the legal claim, matter or complaint |
7. Marketing and advertising
We may use the information you provide to send you communications about Which?'s products and services and/or Which?'s campaign work. This might be by email or SMS, with your consent, or by telephone or post.
You can change your marketing preferences or unsubscribe from receiving any further marketing communications at any time by:
- clicking on the “unsubscribe” link in the footer of our emails
- writing to us (General Counsel, Which?, 2 Marylebone Road, London, NW1 4DF)
- emailing us (preferences@which.co.uk)
- phoning us (029 2267 0000)
We use tracking technology (by way of a clear image gif) within our emails to improve our future interactions with you. This means we are able to capture information including (but not limited to) the time and date you open our emails and the type of device used to open the email.
We use this information primarily to understand, at an aggregate level, whether our emails are opened and what links are clicked on by our audiences. We then use this information to improve the emails that we send or display to you, and the services that we provide, and to evaluate the effectiveness of our campaigns.
You can turn off email tracking by disabling automatic picture download within your email client's settings.
We use profiling and screening techniques to make our communications to you more relevant and appropriate, and to improve your experience. When building a profile, we may analyse geographic, demographic and other information relating to you to better understand your interests and preferences. We may use additional information from external sources to help us do this.
We engage in the following forms of advertising on other websites.
Performance advertising
We use a form of advertising on other websites and on our websites which is called ‘performance advertising’. This is where we only pay the advertiser when our advert is successful.
We have a series of partner sites or ‘affiliates’ who will host our adverts and links. If you come to our website and decide to buy something from us via those adverts or links, then we will then pay them a small fee. We do this either using cookies, with your consent, or by sharing protected, pseudonymous customer order information with them. The affiliates cannot use this information to identify you.
To understand what information is being collected and why, please see our cookie and tracking technologies notice. .
We link to a variety of external websites and retailers where you can buy products or services featured on our websites. This includes large retailers such as Amazon and John Lewis and smaller ones which may be specialists. Links are normally provided by an affiliate but we also work directly with retailers in some cases. Please note that a retailer link alone does not constitute an endorsement of the retailer by Which?. We are not able to show every possible retailer and cheaper prices may be available.
We provide these links to make it easier for you to complete your purchase and so we can earn commission from referring you. This revenue is used to support our not-for-profit mission. To help us do this, we track your activity using cookies. For more information, and to easily manage your cookie settings, please see our cookie policy.
All our research, testing and recommendations are 100% independent. We’re not influenced by third parties and we don't accept freebies from product manufacturers or retailers.
Display/contextual advertising
We advertise our products and services on other websites.
We work with an advertising company who decides where it’s best to place our adverts. We usually don’t know where our adverts will appear. The advertising company will place a cookie on your device when you see the advert. This is so they can monitor how effective the advert is and not show you the same advert too many times.
Retargeting
We work with third-party advertising networks and search platforms, such as Google, to show you adverts on other websites or search platforms. These adverts will be about things you’ve previously shown an interest in on our website. The adverts may highlight other products or services we think you’d be interested in, too. Cookies (as well as tools such as Google Tag Manager) help us to do this.
Messaging platforms
We also work with messaging platforms that may deliver messages to your devices on our behalf. We only do this if we have your express consent. These messages will be tailored to the pages and content you have shown interest in. You have the option when each message is delivered to opt out of all future communications.
8. Links to other websites and social media
We may provide links to other websites where you can find more information about the particular topic. The other websites are outside our control and are not covered by this privacy notice. If you access other websites using the links provided, the operators of these websites may collect information from you. Your information will be used by them according to their privacy notice which may be different to ours.
On some pages of our websites, we use third parties to provide content, applications or plug-ins. We may use these third parties to track how you use the content, applications and plug-ins and customise these for you. For example, when you share an article using a social media sharing button on our websites (e.g. Facebook or Twitter), the social network that has created the button will record that you have done this. For more information on social media plug-ins on our Website, see our cookie and tracking technologies notice.
9. Use of our website by minors
If you are aged 13 or under, please get your parent's or guardian's permission before you provide information to us. Users without this consent are not allowed to provide us with information. Ifthey do so, we will stop processing their information as soon as we find out.
10. How can I contact Which? about its privacy notice?
We want you to feel in control of your data. The table below outlines how you can make changes to reflect your preferences.
Action | Contact |
Request that we do not share your data with social media companies, search engines and advertising platforms for targeted advertising purposes | Email: preferences@which.co.uk |
Make a data subject access request or SAR (right to access your personal information) | Email: sars@which.co.uk Phone: 029 2267 0000 Write to: General Counsel, Which?, 2 Marylebone Road, London, NW1 4DF |
To exercise any of your other privacy rights, such as deletion or to let us know your details are incorrect | Email: dataprivacy@which.co.uk |
Change your marketing preferences or unsubscribe from receiving any further marketing communications | Email: preferences@which.co.uk Click on the “unsubscribe” link in the footer of our emails |
To find out more about Which? and who we are, please look at the 'About Us' section of our general terms.
If you are a former Which? Group employee and are seeking to understand how we process your personal data, please contact Which? directly.
11. Glossary
- Cookie - A cookie is a tiny text file placed on your computer, tablet or mobile phone by websites that you visit. Cookies do lots of useful jobs. They help make websites work smoothly, provide information about how people browse, and make sure any adverts you see are as relevant as possible.
- Data controller - a person, public authority, agency or other body which determines why and how the personal data is used.
- Data processor - a person, public authority, agency or other body which processes personal data for the controller.
- IP address - An IP address is a label which is used to identify one or more devices on a computer network, such as the internet. It can be compared to a postal address.
- Personal data - any information relating to a person who can be identified, directly or indirectly. For example, by their name or an identification number.
- Widget - an application that enables a user to perform a function or access a service. For example, allowing users to share Which? content on social media.
12. Changes to this Privacy Notice
Which? may need to update this Privacy Notice from time to time. You can see when the Privacy Notice was last updated by checking the date at the top of the page. A summary of the most recent change can be found in this section, along with the date they were made.
If we make any important changes, like how we use your personal information, we’ll let you know.
25.10.2022 - clarification on how we use your interactions with us on the Which? social media channels
23.01.2023 - amendment made to the definition of criminal offence data
16.06.2023 - clarifications made to our use of profiling and screening techniques