How “Fresh” is That Privacy Statement? Thumbnail
Privacy 27 August 2019

How “Fresh” is That Privacy Statement?

By Jeff WilburSenior Director, Online Trust

One of the best practices we advocate and measure in our Online Trust Audit is that privacy statements should have a date stamp visible at the top of the page. This is an issue of transparency and lets readers know when the statement was last updated. Combined with another advocated best practice – access to prior versions of the privacy statement, which unfortunately is offered by only 3% of sites – readers get a sense of what changed between versions and when those changes happened.

For the first time this year, we captured the actual date stamps of more than 1,000 privacy statements across the audited sectors, and though we made some high level comments in the Audit, we thought it would be insightful to show another layer of detail. One of the reasons we captured specific dates was the fact that many privacy statements were updated in the months prior to (or shortly after) May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Union.

The graph below shows the date stamps from most to least recent (ending with those that have no date stamp) across the audited sectors. The green bars represent privacy statements with date stamps since the beginning of 2018, the blue bars represent date stamps prior to 2018, and the gray bar shows those with no date stamp. Note that this data was collected in February, 2019 so privacy statements could have been updated since then. Overall, nearly 70% of sites have a privacy statement date stamp – 46% at the top of the page, 22% at the bottom and 2% at both top and bottom.

There is significant variation in the “currency” of privacy statements. Consumer sites led with more than 70% of statements date stamped on or after January 1, 2018. By contrast, less than 20% of healthcare sites had similar date stamps. There is a parallel result in the percentage of sites with no date stamp on the privacy statement – consumer sites are the highest performing with only 10% lacking a date stamp, while more than 50% of healthcare privacy statements lack a date stamp, significantly lagging all other sectors.

It’s important to note that a recent date stamp does not equate to a better privacy statement, and we certainly do not advocate that privacy statements should be updated on a regular basis just to make them look more current. However, changing regulations around the world and in many US states (e.g, GDPR and the California Consumer Privacy Act, which goes into effect January 1, 2020) are forcing changes in most privacy statements, so older date stamps become increasingly conspicuous. Likewise, privacy statements with no date stamp leave the reader wondering whether recent changes in the privacy world have been incorporated into the statement. In either case, you can be certain that regulators are watching.

We urge organizations to take a disciplined approach to their privacy statements – regularly review them for necessary updates, update the date stamp when changes are made, and provide a means for readers to figure out what changed. This transparency keeps everyone – fellow employees, consumers, and regulators – in sync and helps all of us better navigate the rapidly changing world of privacy.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

10 March 2021

Internet Society Joins Leading Internet Advocates to Call on ISPs to Commit to Basic User Privacy Protections

Mozilla, the Electronic Frontier Foundation, and the Internet Society call on AT&T, T-Mobile, and Verizon to commit to limiting...

Strengthening the Internet 22 February 2021

The Best and the Brightest Security and Privacy Experts Are Gathering Virtually at NDSS 2021

NDSS 2021 will be one of the biggest NDSS symposia yet, featuring two keynotes, 90 peer-reviewed academic papers, six...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...