Backgrounder

Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep

OTTAWA, August 13, 2013 – The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep was an example of privacy enforcement authorities working together to promote privacy protection around the world.

Nineteen privacy enforcement authorities from around the globe participated in the 2013 Sweep, which took place May 6-12, 2013.  Over the week, participating authorities searched the Internet in a coordinated effort to assess privacy issues related to a common theme - Privacy Practice Transparency.  Preliminary Sweep results are now available.
Major global trends observed

  • Participants found too many websites with no privacy policy whatsoever.  Among the total 2,276 websites and mobile apps examined, 23 percent had no privacy policy available.

    A greater proportion of large organizations typically had privacy policies on their websites, in comparison to small and medium-sized organizations.
  • One-third of policies raised concerns with respect to the relevance of the information provided. 

    In some cases, sites would make brief over-generalized statements about privacy while offering no details on how organizations were collecting and using customer information.

    Many policies used boilerplate language which did not take into account the relevant privacy jurisdiction.  Too often, there was limited information on how organizations were collecting, using and disclosing personal information as it related to their business model.
  • Approximately 33 percent of privacy policies viewed raised concerns with respect to their readability.

    Many of these policies quoted directly from applicable legislation. In doing so, these policies provide limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.
  • Mobile app privacy policies lagged those found on traditional websites.

    Some 92 percent of mobile apps reviewed in the sweep raised one or more concerns with respect to how they present information about their privacy practice, and 54 percent had no privacy policy at all. In some cases, organizations simply provided links to privacy policies for their websites which did not specifically address the collection and use of information within apps.

Best practices observed

  • Many organizations had privacy policies that were easily accessible, simple to read, and contained privacy-related information that consumers would be interested to know, which demonstrates that it is possible to create transparent privacy policies.
  • Many described what information is collected, for what purposes it is used, and with whom it is shared.
  • Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
  • A majority of organizations (80 percent) ensured that their privacy policy included contact information for the particular individual with responsibility for privacy practices within that organization. Providing more than one option for contacting that individual (e.g. mail, toll-free number and/or e-mail) is a thoughtful way of ensuring there are no barriers to contacting an organization about its privacy practices.
  • Some policies we observed had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organization’s existing website privacy policy. Recognizing that explaining privacy practices can be difficult on a mobile platform with a small screen, we encourage organizations to find innovative ways of conveying their privacy policies on mobile devices. 

About the GPEN Internet Privacy Sweep

The goals of the Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns which may be addressed with targeted education and/or enforcement; and enhancing cooperation amongst privacy enforcement authorities.

The purpose of the Sweep was not to conduct an in-depth analysis of the privacy practice transparency of each website, but to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches.  Rather, the initiative was meant to help participating authorities identify sites or apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.

GPEN Privacy Sweep efforts are ongoing.   Several enforcement authorities have already taken follow-up action and several more are in the process of following up directly with organizations whose website privacy policies (or lack thereof) were of concern.  Follow-up actions could include outreach to organizations and enforcement actions.

Sweep Results at a Glance
  Global (Websites) Global (Mobile apps) OPC (Websites)
Total number of websites or apps searched* 2,186 90 326
Sites/apps for which no Privacy Policy or equivalent was found 21% (464) 54% (49) 9% (29)
Sites/apps for which a concern was identified with respect to find-ability 23% (493) 60% (54) 12% (39)
Sites/apps for which a concern was identified with respect to contact-ability 19% (419) 30% (27) 15% (49)
Sites/apps for which a concern was identified with respect to readability 31% (688) 58% (52) 21% (67)
Sites/apps for which a concern was identified with respect to relevance of information provided 28% (620) 91% (82) 21% (69)
Overall percentage of sites/ for which one or more concerns was identified** 50% (1,091) 92% (83) 47% (152)

*It is possible that some websites were examined by more than one participant.  Two participants looked at mobile apps, while the other participants, including the Office of the Privacy Commissioner of Canada (OPC), looked at websites.  

** The percentage of websites/apps for which concerns were found varied significantly among participants.  For websites, the range was between 25 percent and 90 percentIt is important to note that participants used different criteria in assessing websites.

See also:

News Release - Global Internet Sweep finds significant privacy policy shortcomings (August 13, 2013)

Blog Post: Initial results from our Internet Privacy Sweep: The Good, The Bad, and The Ugly (August 13, 2013)

News Release: Privacy enforcement authorities launch first-ever international Internet Privacy Sweep (May 6, 2013)

Global Privacy Enforcement Network Internet Privacy Sweep - Questions and Answers (May 6, 2013)

OPC Survey of Canadians and Privacy (January 2013) See pages 23-26

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: