
Privacy statements are both a point of contact to inform users
about their data and a way to show governments the organization is committed to
following regulations. On September 17, the Internet Society’s Online Trust
Alliance (OTA) released “Are Organizations Ready for New Privacy Regulations?”
The report, using data collected from the 2018 Online Trust Audit,
analyzes the privacy statements of 1,200 organizations using 29 variables and
then maps them to overarching principles from three privacy laws around the
world: General Data Protection Regulation (GDPR) in the European Union,
California Consumer Privacy Act (CCPA) in the United States, and Personal
Information Protection and Electronic Documents Act (PIPEDA) in Canada.
In many cases, organizations lack key concepts covering data
sharing in their statements. Just 1% of organizations in our Audit disclose
the types of third parties they share data with. This is a common requirement
across privacy legislation. It is not as onerous as having to list all of the
organizations; simply listing broad categories like “payment vendors”
would suffice.
Data retention is another area where
many organizations are lacking. Just 2% had language about how long and why
they would retain data. Many organizations have statements like, “we retain
user data for as long as it is needed.” This type of statement is not
specific enough for many regulations.
Other concepts cover users’ ability to interact with
their data. Two relative bright spots are that 70% of organizations did include
contact information and 50% included information on how users could get
information about their data. However, virtually none included this information
to the level of detail often required by laws like GDPR.
For example, while most did have a point of contact, it was rare that the contact was specifically about privacy or to a Data Protection Officer (DPO). It was usually a generic contact email address. OTA’s standard is lower given that most of the organizations in the Audit are in the U.S. and were not held to this higher standard by U.S. law at the time of data col
Finally, OTA advocates, and many privacy laws require, that
statements meet certain standards of readability. One simple practice, advocated
by the OTA, that can help users navigate complex privacy statements is
“layering.” This can be achieved in many ways, from a table of
contents to a summary of the principles in the longer statement. Just under
half (47%) of companies used layered statements.
Many of the practices OTA advocates are relatively simple to implement and would go a long way to helping organizations navigate the changing privacy landscape. Read our full report to see the full range of practices advocated by the OTA and how they map to privacy concepts, or view the infographic for a quick reference to some of the findings. For more detail on the data and the methodology we used to generate the standings, see the Online Trust Audit and Honor Roll.
The post Privacy Regulations Are Evolving: Are Organizations Ready? appeared first on Internet Society.
