Transparency is central to respecting the privacy of individuals and it is paramount that organisations develop transparent online privacy policies so that individuals understand how their personal data is handled in this virtual context. To raise awareness of online privacy rights and to encourage compliance with privacy legislation, 19 privacy enforcement authorities, during 6-12 May 2013, joined forces to participate in the first international ‘Internet Privacy Sweep’ to assess ‘Privacy Practice Transparency’. This initiative was pioneered by the Global Privacy Enforcement Network (GPEN) and coordinated by the Canadian Privacy Commissioner. The findings of the sweep were published in August 2013.
Over the week, participating authorities searched the Internet, replicating a user’s experience to assess the transparency of privacy policies and practices across 2,186 websites and 90 mobile apps. Five common indicators were adopted to define the scope of the sweep when assessing each website, including:
- Findability – how difficult is this information to find?
- Contactability – is contact information for privacy queries accessible?
- Relevance – how well does the information provided address common privacy questions or issues?
The Internet Privacy Sweep highlighted the following concerns:
- One-third of privacy policies were inadequate in terms of relevance, and had a disproportionate focus on cookies rather than an explanation of data processing as a whole
- 33% proved weak in terms of readability, whether minimal information of no more than a tweet, to the other extreme, legalistic language quoted direct from statute
The following best practices were highlighted:
- Many organisations’ privacy policies were easily accessible, simple to read, and relevant, including information as to what data is collected for what purposes and to whom it is disclosed
- The best policies were easily accessible and presented in plain language with clear and concise explanation, using headings, short paragraphs and frequently asked questions
- 80% of privacy policies included contact information (with several options including mail, email or phone) for privacy queries
The sweep was not intended as an investigation into compliance issues or legislative breaches; however, several enforcement authorities have already taken follow-up actions and enforcement directly against organisations whose privacy policies (or lack of) were alarmingly exposed by the sweep. Organisations are therefore encouraged to ensure they adopt a transparent approach to their privacy practices to avoid scrutiny from GPEN’s ongoing privacy sweep efforts.