Building Trust 20 September 2019

Privacy Regulations Are Evolving: Are Organizations Ready?

By Kenneth Olmstead, Internet Privacy & Security Analyst

Privacy statements are both a point of contact to inform users about their data and a way to show governments the organization is committed to following regulations. On September 17, the Internet Society’s Online Trust Alliance (OTA) released “Are Organizations Ready for New Privacy Regulations?” The report, using data collected from the 2018 Online Trust Audit, analyzes the privacy statements of 1,200 organizations using 29 variables and then maps them to overarching principles from three privacy laws around the world: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

In many cases, organizations lack key concepts covering data sharing in their statements. Just 1% of organizations in our Audit disclose the types of third parties they share data with. This is a common requirement across privacy legislation. It is not as onerous as having to list all of the organizations; simply listing broad categories like “payment vendors” would suffice. 

Data retention is another area where many organizations are lacking. Just 2% had language about how long and why they would retain data. Many organizations have statements like, “we retain user data for as long as it is needed.” This type of statement is not specific enough for many regulations. 

Other concepts cover users’ ability to interact with their data. Two relative bright spots are that 70% of organizations did include contact information and 50% included information on how users could get information about their data. However, virtually none included this information to the level of detail often required by laws like GDPR. 

For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col

Finally, OTA advocates, and many privacy laws require, that statements meet certain standards of readability. One simple practice, advocated by the OTA, that can help users navigate complex privacy statements is “layering.” This can be achieved in many ways, from a table of contents to a summary of the principles in the longer statement. Just under half (47%) of companies used layered statements. 

Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
