Further results on the global internet sweep on privacy policies
August 20, 2013
I have posted on the Australian Privacy Commissioner’s findings of his review of privacy policies on the internet (found here). It was part of a global internet sweep by privacy authorities.
The Canadian Privacy Commissioner’s office also released its findings, which are broadly similar to the Australian Privacy Commissioner’s findings but much more detailed. The picture is not particularly good. Too many policies are poorly drafted, incoherent and generally do not “get” what a privacy policy should do.
The Findings are set out below (and found here):
Privacy policies should be easy to understand and provide meaningful information, Privacy Commissioner says after the Office of the Privacy Commissioner of Canada and other global data protection authorities sweep more than 2,000 online privacy policies.
OTTAWA, August 13, 2013 — From tweet-sized privacy statements to legalistic privacy policies simply cut and pasted from legislation, the first-ever Global Privacy Enforcement Network Internet Privacy Sweep has highlighted shortcomings in how some online organizations provide information about their privacy practices.
“While we did see some good examples that demonstrated it is possible to create transparent privacy policies,” says Jennifer Stoddart, Privacy Commissioner of Canada, “unfortunately, we also found some sites with no policies, or that offered only brief, over-generalized statements about privacy.”
“A particularly disappointing example for my Office was a paternity testing website with a privacy statement so skimpy it would fit into a tweet. We also found a major fast food chain collecting personal information, such as photos, addresses and dates of birth, for various initiatives, and yet the privacy policy was just 110 words,” says Commissioner Stoddart. “At the other extreme, we saw long, legalistic policies that simply regurgitated – word for word in some cases – federal privacy legislation.”
“Neither approach is helpful to Canadians—nor necessary, as demonstrated by the many privacy policies we saw that were able to strike a balance between transparency and concision,” adds Commissioner Stoddart.
The Internet Sweep results offer some insights into how organizations are informing consumers about their privacy practices, and a number of specific examples illustrating these trends can be found in a blog post on the OPC’s website. The Commissioner determined it was in the public interest to share specific results from the Sweep because she felt that the examples would help Canadians to better understand the observations.
The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep, from May 6-12, 2013, was an example of privacy enforcement authorities working together to promote privacy protection. Nineteen privacy enforcement authorities participated, looking at the privacy policies of more than 2,000 websites and apps.
This year’s theme was Privacy Practice Transparency. Transparency is a fundamental privacy principle common to privacy laws around the world.
“This inaugural Sweep has highlighted the importance for organizations to be open and transparent about their privacy practices. People need this information to make meaningful decisions in exercising control over their own information,” says Commissioner Stoddart.
Office of the Privacy Commissioner of Canada Results
Some key trends observed by the Office of the Privacy Commissioner of Canada during its Sweep of over 300 websites included:
- Almost one in 10 had no privacy policy or equivalent information. Another 10 percent had a privacy policy that was hard to find, in some cases because it was buried in a lengthy Legal Notice or in the Terms and Conditions.
- Approximately 20 percent of sites reviewed either listed no privacy contact, or made it difficult to find contact information for a privacy officer. In one case, website users were invited to send privacy questions by email, yet no email address could be found.
- More than 20 percent of privacy policies raised concerns with respect to the relevance of the information provided. For example, some simply quoted portions of Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) verbatim instead of explaining how personal information is actually collected and used.
International Results
Sweep participants in other countries identified similar trends and concerns. Globally, almost one quarter (23 percent) of the more than 2,000 websites and mobile apps examined had no privacy policy available. Meanwhile, approximately one-third of the privacy policies found raised concerns with respect to the relevance of the information in them.
Detailed information about the international results is included in a Backgrounder.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
The associated backgrounder provides as follows:
Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep
OTTAWA, August 13, 2013 – The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep was an example of privacy enforcement authorities working together to promote privacy protection around the world.
Nineteen privacy enforcement authorities from around the globe participated in the 2013 Sweep, which took place May 6-12, 2013. Over the week, participating authorities searched the Internet in a coordinated effort to assess privacy issues related to a common theme – Privacy Practice Transparency. Preliminary Sweep results are now available.
Major global trends observed
- Participants found too many websites with no privacy policy whatsoever. Among the total 2,276 websites and mobile apps examined, 23 percent had no privacy policy available. A greater proportion of large organizations typically had privacy policies on their websites, in comparison to small and medium-sized organizations.
- One-third of policies raised concerns with respect to the relevance of the information provided. In some cases, sites would make brief over-generalized statements about privacy while offering no details on how organizations were collecting and using customer information. Many policies used boilerplate language which did not take into account the relevant privacy jurisdiction. Too often, there was limited information on how organizations were collecting, using and disclosing personal information as it related to their business model.
- Approximately 33 percent of privacy policies viewed raised concerns with respect to their readability. Many of these policies quoted directly from applicable legislation. In doing so, these policies provide limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.
- Mobile app privacy policies lagged those found on traditional websites. Some 92 percent of mobile apps reviewed in the sweep raised one or more concerns with respect to how they present information about their privacy practice, and 54 percent had no privacy policy at all. In some cases, organizations simply provided links to privacy policies for their websites which did not specifically address the collection and use of information within apps.
Best practices observed
- Many organizations had privacy policies that were easily accessible, simple to read, and contained privacy-related information that consumers would be interested to know, which demonstrates that it is possible to create transparent privacy policies.
- Many described what information is collected, for what purposes it is used, and with whom it is shared.
- Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
- A majority of organizations (80 percent) ensured that their privacy policy included contact information for the particular individual with responsibility for privacy practices within that organization. Providing more than one option for contacting that individual (e.g. mail, toll-free number and/or e-mail) is a thoughtful way of ensuring there are no barriers to contacting an organization about its privacy practices.
- Some policies we observed had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organization’s existing website privacy policy. Recognizing that explaining privacy practices can be difficult on a mobile platform with a small screen, we encourage organizations to find innovative ways of conveying their privacy policies on mobile devices.
About the GPEN Internet Privacy Sweep
The goals of the Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns which may be addressed with targeted education and/or enforcement; and enhancing cooperation amongst privacy enforcement authorities.
The purpose of the Sweep was not to conduct an in-depth analysis of the privacy practice transparency of each website, but to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, the initiative was meant to help participating authorities identify sites or apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.
GPEN Privacy Sweep efforts are ongoing. Several enforcement authorities have already taken follow-up action and several more are in the process of following up directly with organizations whose website privacy policies (or lack thereof) were of concern. Follow-up actions could include outreach to organizations and enforcement actions.
| Indicator | Global (Websites) | Global (Mobile apps) | OPC (Websites) |
|---|---|---|---|
| Total number of websites or apps searched* | 2,186 | 90 | 326 |
| Sites/apps for which no Privacy Policy or equivalent was found | 21% (464) | 54% (49) | 9% (29) |
| Sites/apps for which a concern was identified with respect to find-ability | 23% (493) | 60% (54) | 12% (39) |
| Sites/apps for which a concern was identified with respect to contact-ability | 19% (419) | 30% (27) | 15% (49) |
| Sites/apps for which a concern was identified with respect to readability | 31% (688) | 58% (52) | 21% (67) |
| Sites/apps for which a concern was identified with respect to relevance of information provided | 28% (620) | 91% (82) | 21% (69) |
| Overall percentage of sites/apps for which one or more concerns was identified** | 50% (1,091) | 92% (83) | 47% (152) |
*It is possible that some websites were examined by more than one participant. Two participants looked at mobile apps, while the other participants, including the Office of the Privacy Commissioner of Canada (OPC), looked at websites.
** The percentage of websites/apps for which concerns were found varied significantly among participants. For websites, the range was between 25 percent and 90 percent. It is important to note that participants used different criteria in assessing websites.
With the amendments to the Australian Privacy Act taking effect on 12 March 2014, the failure by organisations to comply with the Act, including by not having an accessible, coherent and informative privacy policy, will have financial consequences if they are the subject of civil penalty actions in the Federal Court.