Results of the 2014 Global Privacy Enforcement Network Sweep
OTTAWA, September 10, 2014 – The second Global Privacy Enforcement Network (GPEN) Privacy Sweep demonstrates the ongoing commitment of privacy enforcement authorities to work together to promote privacy protection around the world.
Some 26 privacy enforcement authorities in 19 countries participated in the 2014 Sweep, which took place May 12-18. Over the course of the week, participants downloaded 1,211 popular mobile apps in a bid to assess the transparency of their privacy practices. The Office of the Privacy Commissioner of Canada focused on 151 apps that were either made-in-Canada or were downloaded frequently by Canadians. Sweep results are now available.
|Global Apps||OPC Apps|
|Total # of apps examined||1,211||151|
|Permissions (Indicator 2)|
|Apps requesting 1 or more permissions||75%||70%|
|Access to other accounts||15%||23%|
|Indicators||Privacy Communications||Global Apps||OPC Apps|
|Indicator 1||Apps with concerns regarding pre-installation privacy communications||59%||42%|
|Indicator 3||Apps with excessive permissions based on sweeper’s understanding of app’s functionality||31%||28%|
|Indicator 4||Apps with privacy communications not well tailored to small screen||43%||31%|
|Indicator 5||Overall privacy marks|
|0 = No privacy information, other than permissions||30%||11%|
|1 = Privacy information not adequate; sweeper does not know how information will be collected, used and disclosed||24%||15%|
|2 = Privacy information somewhat explains the app’s collection, use and disclosure of personal information; however, sweeper still had questions about certain permissions||31%||46%|
|3 = Privacy information clearly explains how app collects/uses/discloses personal information; sweeper is confident in his/her knowledge of app’s practices||15%||28%|
* It’s important to keep in mind that participants enforce different laws and may have applied a different lens to their assessments. In speaking with our provincial and international partners, we all agreed that the overall trends were similar even if the percentages varied.
The OPC found more apps provided clear explanations of their collection, use and disclosure of personal information practices than the global average.
Of the apps assessed on this indicator, 28 per cent received top marks for overall satisfaction with privacy communications compared to the global average of 15 per cent.
Globally, some 43 per cent of apps examined did not tailor privacy communications to the small screen, be it tablet or smart phone.
The OPC drew the same conclusion for nearly a third of the apps swept. Sweepers from all countries complained of small print and overly lengthy privacy policies. Too many required users to click through multiple pages or scroll horizontally as well as vertically.
Nearly 60 per cent of apps examined globally raised privacy concerns for sweepers even before they were downloaded. For the OPC, 42 per cent of apps raised similar concerns.
In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was.
Globally, sweepers were dismayed to find that 30 per cent of apps offered no privacy communications whatsoever.
OPC sweepers ran into this situation significantly less, with just 11 per cent of apps displaying no privacy communications.
- Many popular apps are embracing the potential to build user trust by providing clear, easy-to-read and timely explanations about exactly what information will be collected and how it will be used, pursuant to each permission.
- Sweepers found many positive examples of apps properly tailoring privacy communications to the small screen through pop-ups, layered information and just-in-time notifications.
- Some apps didn’t just tell users what they would do with their personal information, but also clearly articulated what they would not do with the information. Some apps even provided links to the privacy policies of their advertising partners. Others gave users the option to “opt-out” of the “help us with analytics” feature, which uses software to collect user information to improve the performance of the app.
- Sweepers noted a number of best practices in the area of children’s privacy and parental consent. One international partner highlighted, for example, an app that required parents to complete a consent form before their child could register.
About the GPEN Privacy Sweep
The goals of the Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns that may be addressed with targeted education and/or enforcement; and enhancing cooperation amongst privacy enforcement authorities.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. Our Sweep was also not meant to be an assessment of the apps’ privacy practices in general, nor was it meant to provide an in-depth analysis of the design and development of the apps examined.
By downloading and briefly interacting with the apps, the exercise was meant to recreate the consumer experience. Our sweepers ultimately sought to assess transparency by spending a few minutes per app checking performance against a set of common indicators.
GPEN Privacy Sweep efforts are ongoing. Several enforcement authorities have already taken follow-up action and several more are in the process of following up directly with organizations whose apps were of concern. The OPC has already begun to issue letters to organizations to inform them of our findings and make suggestions for improvement. We have the option to pursue enforcement action but have not yet made any decisions as to whether we will.
About the Global Privacy Enforcement Network
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions around the world.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
- 30 -
For more information, please contact:
Tobi Cohen, Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.
- Date modified: