One of the best practices we advocate and measure in our Online Trust Audit is that privacy statements should have a date stamp visible at the top of the page. This is an issue of transparency and lets readers know when the statement was last updated. Combined with another advocated best practice – access to prior versions of the privacy statement, which unfortunately is offered by only 3% of sites – readers get a sense of what changed between versions and when those changes happened.
For the first time this year, we captured the actual date stamps of more than 1,000 privacy statements across the audited sectors, and though we made some high-level comments in the Audit, we thought it would be insightful to show another layer of detail. One of the reasons we captured specific dates was the fact that many privacy statements were updated in the months prior to (or shortly after) May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Union.
The graph below shows the date stamps from most to least recent (ending with those that have no date stamp) across the audited sectors. The green bars represent privacy statements with date stamps since the beginning of 2018, the blue bars represent date stamps prior to 2018, and the gray bar shows those with no date stamp. Note that this data was collected in February 2019, so privacy statements could have been updated since then. Overall, nearly 70% of sites have a privacy statement date stamp – 46% at the top of the page, 22% at the bottom and 2% at both top and bottom.
There is significant variation in the “currency” of privacy statements. Consumer sites led with more than 70% of statements date stamped on or after January 1, 2018. By contrast, less than 20% of healthcare sites had similar date stamps. There is a parallel result in the percentage of sites with no date stamp on the privacy statement – consumer sites are the highest performing with only 10% lacking a date stamp, while more than 50% of healthcare privacy statements lack a date stamp, significantly lagging all other sectors.
It’s important to note that a recent date stamp does not equate to a better privacy statement, and we certainly do not advocate that privacy statements should be updated on a regular basis just to make them look more current. However, changing regulations around the world and in many US states (e.g., GDPR and the California Consumer Privacy Act, which goes into effect January 1, 2020) are forcing changes in most privacy statements, so older date stamps become increasingly conspicuous. Likewise, privacy statements with no date stamp leave the reader wondering whether recent changes in the privacy world have been incorporated into the statement. In either case, you can be certain that regulators are watching.
We urge organizations to take a disciplined approach to their privacy statements – regularly review them for necessary updates, update the date stamp when changes are made, and provide a means for readers to figure out what changed. This transparency keeps everyone – fellow employees, consumers, and regulators – in sync and helps all of us better navigate the rapidly changing world of privacy.
How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.