How “Fresh” is That Privacy Statement?

One of the best practices we advocate and measure in our Online
Trust Audit
is that privacy statements should have a date stamp
visible at the top of the page. This is an issue of transparency and lets
readers know when the statement was last updated. Combined with another
advocated best practice – access to prior versions of the privacy statement,
which unfortunately is offered by only 3% of sites – readers get a sense of
what changed between versions and when those changes happened.

For the first time this year, we captured the actual date
stamps of more than 1,000 privacy statements across the audited sectors, and
though we made some high-level comments in the Audit, we thought it would be
insightful to show another layer of detail. One of the reasons we captured
specific dates was that many privacy statements were updated in the
months prior to (or shortly after) May 25, 2018, when the General Data
Protection Regulation (GDPR) took effect in the European Union.

The graph below shows the date stamps from most to least recent (ending with those that have no date stamp) across the audited sectors. The green bars represent privacy statements with date stamps since the beginning of 2018, the blue bars represent date stamps prior to 2018, and the gray bar shows those with no date stamp. Note that this data was collected in February 2019, so privacy statements could have been updated since then. Overall, nearly 70% of sites have a privacy statement date stamp – 46% at the top of the page, 22% at the bottom and 2% at both top and bottom.
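To make the classification above concrete, here is an added example (not the Online Trust Audit's own tooling) that takes a privacy statement's HTML, pulls out labelled date stamps from the visible text, and buckets the page the way the graph does: position (top, bottom, both, none) and currency relative to January 1, 2018, plus the age of the newest stamp on the collection date. The label phrasings, the "first or last quarter of the text" rule for top/bottom, the extra "body" bucket for stamps in the middle, and the sample pages are all assumptions made for the illustration.

```python
"""Classify privacy-statement date stamps by position and currency.

Added illustration for this post; not the Online Trust Audit's scanner.
Assumptions: stamps are labelled ("Last updated", "Effective Date", ...)
and appear in visible text; top/bottom means first/last quarter of the text.
"""
import re
from datetime import date
from html.parser import HTMLParser

RECENT_CUTOFF = date(2018, 1, 1)   # "since the beginning of 2018" in the post
COLLECTED_ON = date(2019, 2, 15)   # assumed collection date (post says February 2019)
EDGE_FRACTION = 0.25               # assumption: first/last quarter of text = top/bottom

_MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# Assumed label phrasings; real statements vary and a production scanner needs more.
_LABEL = (r"(?:last\s+(?:updated|modified|revised|reviewed)|effective(?:\s+date)?"
          r"|updated|revised)\s*:?\s*")
_DATE_RE = re.compile(
    _LABEL + r"(?:(?P<mon>[A-Za-z]+)\s+(?P<day>\d{1,2}),?\s+(?P<year>\d{4})"
    r"|(?P<iso>\d{4}-\d{2}-\d{2}))", re.IGNORECASE)


class _TextExtractor(HTMLParser):
    """Collect visible text only; <script>/<style> bodies and comments are dropped."""
    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return " ".join(" ".join(p.parts).split())


def _to_date(m):
    """Turn a regex match into a date, or None if it only looks like one."""
    if m.group("iso"):
        y, mo, d = (int(x) for x in m.group("iso").split("-"))
    else:
        mo = _MONTHS.get(m.group("mon").lower())
        if mo is None:
            return None
        y, d = int(m.group("year")), int(m.group("day"))
    try:
        return date(y, mo, d)
    except ValueError:   # e.g. "February 30, 2018": labelled, but not a real date
        return None


def find_date_stamps(html):
    """Return [(date, position_fraction)] for each labelled stamp in the visible text."""
    text = visible_text(html)
    out = []
    for m in _DATE_RE.finditer(text):
        d = _to_date(m)
        if d is not None:
            out.append((d, m.start() / len(text)))
    return out


def classify(html, collected_on):
    """Bucket one statement: position top/bottom/both/body/none, bucket recent/older/none."""
    stamps = find_date_stamps(html)
    if not stamps:
        return {"position": "none", "bucket": "none", "newest": None, "age_days": None}
    at_top = any(f < EDGE_FRACTION for _, f in stamps)
    at_bottom = any(f > 1 - EDGE_FRACTION for _, f in stamps)
    position = ("both" if at_top and at_bottom else "top" if at_top
                else "bottom" if at_bottom else "body")
    newest = max(d for d, _ in stamps)
    return {"position": position,
            "bucket": "recent" if newest >= RECENT_CUTOFF else "older",
            "newest": newest, "age_days": (collected_on - newest).days}


# Constructed sample pages (not real sites). The "healthcare" page only carries its
# date in an HTML comment, which no reader sees, so it correctly counts as "none".
_FILLER = ("<p>We collect information you provide and information about your use of the "
           "service.</p>") * 6
SAMPLES = {
    "consumer": "<h1>Privacy Statement</h1><p>Last updated: May 24, 2018</p>" + _FILLER,
    "healthcare": "<h1>Notice of Privacy Practices</h1>" + _FILLER
                  + "<!-- Last updated: January 5, 2019 -->",
    "both": "<p>Effective Date: 2018-05-25</p>" + _FILLER + "<footer>Revised May 25, 2018</footer>",
    "older": _FILLER + "<p>Last revised March 3, 2016</p>",
}


def audit_samples():
    return {name: classify(html, COLLECTED_ON) for name, html in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in audit_samples().items():
        print(f"{name:11s} position={r['position']:6s} bucket={r['bucket']:6s} "
              f"newest={r['newest']} age_days={r['age_days']}")
```

Running it prints one line per sample; the "both" page lands in the 2% bucket the post mentions, and the "older" page shows how a pre-2018 footer stamp is counted. Anything a real scan would have to handle beyond this (dates rendered by JavaScript, non-English labels, PDFs) is deliberately out of scope here.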

There is significant variation in the “currency” of privacy
statements. Consumer sites led with more than 70% of statements date stamped on
or after January 1, 2018. By contrast, less than 20% of healthcare sites had
similar date stamps. There is a parallel result in the percentage of sites with
no date stamp on the privacy statement – consumer sites are the highest
performing with only 10% lacking a date stamp, while more than 50% of healthcare
privacy statements lack a date stamp, significantly lagging all other sectors.

It’s important to note that a recent date stamp does not
equate to a better privacy statement, and we certainly do not advocate that
privacy statements should be updated on a regular basis just to make them look
more current. However, changing regulations around the world and in many US
states (e.g., GDPR and the California Consumer Privacy Act, which goes into
effect January 1, 2020) are forcing changes in most privacy statements, so
older date stamps become increasingly conspicuous. Likewise, privacy statements
with no date stamp leave the reader wondering whether recent changes in the
privacy world have been incorporated into the statement. In either case, you
can be certain that regulators are watching.

We urge organizations to take a disciplined approach to their privacy statements – regularly review them for necessary updates, update the date stamp when changes are made, and provide a means for readers to figure out what changed. This transparency keeps everyone – fellow employees, consumers, and regulators – in sync and helps all of us better navigate the rapidly changing world of privacy.

How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.

The post How “Fresh” is That Privacy Statement? appeared first on Internet Society.