Backgrounder

Results of the 2016 Global Privacy Enforcement Network Sweep

GATINEAU, Que, September 22, 2016 – The fourth Global Privacy Enforcement Network (GPEN) Privacy Sweep focused on the Internet of Things and how companies around the globe communicate their personal information handling practices to consumers.

Some 25 data protection authorities participated in the initiative, together sweeping 314 devices. While the Office of the Privacy Commissioner of Canada focused on health devices, such as fitness trackers, thermometers and heart rate monitors, other global partners looked at everything from smart TVs, meters and cars to connected toys and household aids.

Results at a Glance:
| Indicator / question | Answer | Global | OPC |
|---|---|---|---|
| Total number of devices/companies examined | | 314 | 21 |
| Indicator 1: Do privacy communications adequately explain how personal information is collected, used and disclosed? | Yes | 41% | 38% |
| | No | 59% | 62% |
| Are privacy communications specific to the device? | Yes | 31% | 24% |
| | No | 69% | 76% |
| Do privacy communications mention disclosure to other companies? | Yes | 52% | 86% |
| | No | 48% | 14% |
| Is the user told which companies? | Yes | N/A | 24% |
| | No | N/A | 76% |
| Do privacy communications match the user experience? | Yes | N/A | 14% |
| | No | N/A | 62% |
| | Don't know | N/A | 24% |
| Does the company collect the following information? | | | |
| Location | Yes | 68% | 81% |
| | No | 32% | 19% |
| Photo/video/audio files | Yes | 41% | 38% |
| | No | 59% | 62% |
| Date of birth | Yes | 64% | 86% |
| | No | 36% | 14% |
| Does the company explain why the device collects certain information? | | | |
| Location | Yes | N/A | 53% |
| | No | N/A | 47% |
| Photo/video/audio files | Yes | N/A | 25% |
| | No | N/A | 75% |
| Date of birth | Yes | N/A | 11% |
| | No | N/A | 89% |
| Indicator 2: Are users fully informed about how personal information collected by the device is stored and safeguarded? | Yes | 32% | 24% |
| | No | 68% | 76% |
| Indicator 3: Do privacy communications include contact details for individuals wanting to contact the company about a privacy-related matter? | Yes | 62% | 86% |
| | No | 38% | 14% |
| Indicator 4: Do privacy communications explain how a user can delete their information? | Yes | 28% | 52% |
| | No | 72% | 48% |
| Indicator 5: Did the company provide a timely, adequate and clear response to follow up questions? | Yes | 57% | 62% |
| | No | 43% | 38% |

Key Trends:

Sweepers reported that the privacy communications for many health and wellness devices swept don’t adequately explain personal information collection, use and disclosure practices.

The vast majority of health and wellness device companies offered a privacy policy. However, Sweepers noted they were seldom specific to the device and that most were generic policies posted online by the company, which typically had multiple products and/or services under its name. Sweepers also reported that privacy communications seldom matched the user’s experience. Most privacy communications mentioned disclosure to third parties but Sweepers were not always told to whom the personal information may be disclosed.

Many Sweepers indicated they were not fully informed about how their personal information would be stored and about the safeguards that existed to protect it.

Generally speaking, Sweepers were left wanting for more information about the methods used to store and safeguard their information. The majority of Sweepers noted how companies did not indicate whether data would be encrypted when stored and/or transferred.

Sweepers had difficulty finding information about how to delete their data.

Nearly half of OPC Sweepers could not find simple instructions on how to delete their data, nor could more than three-quarters of international Sweepers.  In follow-up responses to specific questions from the OPC, however, some companies were able to elaborate on their delete options.

Responses to customer questions about privacy were generally timely, clear and forthright. 

The vast majority of device makers offered contact information should customers have follow-up questions. Sweepers were largely satisfied with the responses they received from companies.  Some, however, were late to respond or failed to speak directly to the issues raised by Sweepers. Some simply redirected Sweepers back to the company’s privacy policy.

Certain practices observed during the Sweep:

  • A rare but welcome practice, Sweepers noted several examples of enhanced notice provided to users in the form of “just-in-time” notifications that explained the purposes for the collection of certain data elements in real time—in other words, at the very moment the user was asked to input the information or make a key decision, for example, during the registration process.
  • Many devices requested access to certain sensitive data and it was not entirely clear to the Sweepers why this information was needed for the device to function.  For example, Sweepers questioned the need for a blood pressure monitor and thermometer to have access to location information.  Nonetheless, Sweepers noted that in some instances, the information was optional and the default setting was set to not share this sensitive data with the company.
  • Sweepers were pleased to see some companies explain in detail which third parties could gain access to their personal information and for what purposes. Some named third-party partners outright or explicitly stated that data would never be shared or sold to advertisers or companies that profit from the trade of data.
  • Sweepers sent follow-up privacy questions to a number of the companies and were pleased to hear back from many of them in a timely fashion. While some simply re-directed Sweepers to their legalistic privacy policies even though our Sweepers mentioned they had already reviewed them, others provided clear, thorough and easy-to-understand responses to their questions. Sweepers felt this was an important way to build trust that demonstrates just how important it is to train front line workers on how to effectively respond to privacy questions. Ideally, however, companies should incorporate this type of information into their privacy communications rather than wait to be asked.

See also:

News Release
Trends Blog
The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments
