Privacy statements are both a point of contact to inform users about their data and a way to show governments the organization is committed to following regulations. On September 17, the Internet Society’s Online Trust Alliance (OTA) released “Are Organizations Ready for New Privacy Regulations?” The report, using data collected from the 2018 Online Trust Audit, analyzes the privacy statements of 1,200 organizations using 29 variables and then maps them to overarching principles from three privacy laws around the world: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
In many cases, organizations lack key concepts covering data sharing in their statements. Just 1% of organizations in our Audit disclose the types of third parties they share data with. This is a common requirement across privacy legislation. It is not as onerous as having to list all of the organizations; simply listing broad categories like “payment vendors” would suffice.
Data retention is another area where many organizations are lacking. Just 2% had language about how long and why they would retain data. Many organizations have statements like, “we retain user data for as long as it is needed.” This type of statement is not specific enough for many regulations.
Other concepts cover users’ ability to interact with their data. Two relative bright spots are that 70% of organizations did include contact information and 50% included information on how users could get information about their data. However, virtually none included this information to the level of detail often required by laws like GDPR.
For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col
Finally, OTA advocates, and many privacy laws require, that statements meet certain standards of readability. One simple practice, advocated by the OTA, that can help users navigate complex privacy statements is “layering.” This can be achieved in many ways, from a table of contents to a summary of the principles in the longer statement. Just under half (47%) of companies used layered statements.
Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.