This post was also written by Chris Cwalina, Nick Tyler and Frederick Lah.
Consumers increasingly demand transparency into how companies use their personal information. We’ve seen a number of responses to this. One has been legislative; for example, the accounting requirement under the Dodd-Frank Act and California’s Shine the Light Act. For our previous analysis of the latter, please click here. Regulators have also responded, with both the U.S. Department of Commerce and the Federal Trade Commission (“FTC”) suggesting that the privacy practices of companies need to be more transparent. There have been enforcement actions as well; for example, Facebook’s settlement with the FTC requiring better disclosures on data use and sharing.
Now we are seeing the market respond with a niche industry of privacy testers and raters arising to meet consumer demand for this information. One such rater getting recent attention on both sides of the Atlantic is PrivacyChoice (through its new Privacy Score product). According to its website, Privacy Score “estimates the privacy risk of using a website based on how they handle your personal and tracking data.” The site awards websites scores out of 100. Close to 1500 sites have been scored so far. The site also offers a list of every company “tracking” consumers visiting a particular site.
By its own admission, the Privacy Score given to a company’s site is just a “rough measure.” The scores are based solely on the representations made in the site’s privacy policy and on the amount of “tracking” purportedly being done on the site. Therefore, the scores may not accurately reflect the actual privacy practices of a company, especially because many companies tend to use safer and broader language in their privacy policies to avoid any risk of over-promising and under-delivering. In other words, companies should not overreact if they see an especially low score (of which there are very few), nor should they find any real sense of comfort if they are given a high score.
The concept of privacy testing and rating is not new. TRUSTe has been issuing seals of approval for privacy policies for years. In addition, the Wall Street Journal has released a “What They Know” series about the tracking activity of marketers on websites, and has rated the level of “exposure” for a number of sites (using PrivacyChoice data as part of its methodology). Nevertheless, this concept of testing and rating is a direct response to the growing demand from consumers to know how companies are using their personal information, and it is not going away anytime soon.
From the European perspective, these scores/ratings are of little value to consumers. They do not provide any reliable assessment of compliance with the more stringent and long-established legal requirements for transparency and fair information handling under European data protection legislation and codes of practice.
You should prepare for your company’s disclosures (privacy policies, terms of use, etc.) to be heavily reviewed in a high-scrutiny environment. This means being well-informed about what is happening on your site and mapping your disclosures accordingly. If you believe you’ve been mis-reviewed by PrivacyChoice, consider whether you think it’s worth speaking out and/or pursuing correction. On a more macro level, consider how you can better present yourself to consumers to meet their increasing demand for transparency. In light of this growing trend, it’s not just a matter of compliance with law – it’s a commercial imperative to protect your brand.