This post was also written by Chris Cwalina, Nick Tyler and Frederick Lah.
Consumers increasingly demand transparency into how companies use their personal information, and the response has come from several directions. One has been legislative; for example, the accounting requirement under the Dodd-Frank Act and California’s Shine the Light Act (the latter is discussed in our previous analysis). Regulators have also responded, with both the U.S. Department of Commerce and the Federal Trade Commission (“FTC”) suggesting that the privacy practices of companies need to be more transparent. There have been enforcement actions as well; for example, Facebook’s settlement with the FTC requiring better disclosures on data use and sharing.
Now we are seeing the market respond, with a niche industry of privacy testers and raters arising to meet consumer demand for this information. One such rater getting recent attention on both sides of the Atlantic is PrivacyChoice (through its new Privacy Score product). According to its website, Privacy Score “estimates the privacy risk of using a website based on how they handle your personal and tracking data.” Each website is awarded a score out of 100, and close to 1500 sites have been scored so far. The site also offers a list of every company “tracking” consumers who visit a particular site.
The concept of privacy testing and rating is not new. TRUSTe has been issuing seals of approval for privacy policies for years. In addition, the Wall Street Journal has released a “What They Know” series about the tracking activity of marketers on websites, and has rated the level of “exposure” for a number of sites (using PrivacyChoice data as part of its methodology). Whether new or not, this kind of testing and rating is a direct response to the growing demand from consumers to know how companies are using their personal information, and it is not going away anytime soon.
From the European perspective, these scores and ratings are of little value to consumers. They do not provide any reliable assessment of compliance with the more stringent and long-established legal requirements for transparency and fair information handling under European data protection legislation and codes of practice, so a high score says nothing about whether a site meets those requirements.