Results of the 2016 Global Privacy Enforcement Network Sweep
GATINEAU, Que, September 22, 2016 – The fourth Global Privacy Enforcement Network (GPEN) Privacy Sweep focused on the Internet of Things and how companies around the globe communicate their personal information handling practices to consumers.
Some 25 data protection authorities participated in the initiative, together sweeping 314 devices. While the Office of the Privacy Commissioner of Canada focused on health devices, such as fitness trackers, thermometers and heart rate monitors, other global partners looked at everything from smart TVs, meters and cars to connected toys and household aids.
| Indicator / question | | |
|---|---|---|
| Total number of devices/companies examined | 314 | 21 |
| Indicator 1: Do privacy communications adequately explain how personal information is collected, used and disclosed? | | |
| Are privacy communications specific to the device? | | |
| Do privacy communications mention disclosure to other companies? | | |
| Is the user told which companies? | | |
| Do privacy communications match the user experience? | | |
| Does the company collect the following information? | | |
| Date of birth | | |
| Does the company explain why the device collects certain information? | | |
| Date of birth | | |
| Indicator 2: Are users fully informed about how personal information collected by the device is stored and safeguarded? | | |
| Indicator 3: Do privacy communications include contact details for individuals wanting to contact the company about a privacy-related matter? | | |
| Indicator 4: Do privacy communications explain how a user can delete their information? | | |
| Indicator 5: Did the company provide a timely, adequate and clear response to follow-up questions? | | |
Sweepers reported that the privacy communications for many health and wellness devices swept don’t adequately explain personal information collection, use and disclosure practices.
Many Sweepers indicated they were not fully informed about how their personal information would be stored and about the safeguards that existed to protect it.
Generally speaking, Sweepers were left wanting for more information about the methods used to store and safeguard their information. The majority of Sweepers noted how companies did not indicate whether data would be encrypted when stored and/or transferred.
Sweepers had difficulty finding information about how to delete their data.
Nearly half of OPC Sweepers could not find simple instructions on how to delete their data, nor could more than three-quarters of international Sweepers. In follow-up responses to specific questions from the OPC, however, some companies were able to elaborate on their delete options.
Responses to customer questions about privacy were generally timely, clear and forthright.
Certain practices observed during the Sweep:
- In a rare but welcome practice, Sweepers noted several examples of enhanced notice provided to users in the form of “just-in-time” notifications that explained the purposes for the collection of certain data elements in real time—in other words, at the very moment the user was asked to input the information or make a key decision, for example, during the registration process.
- Many devices requested access to certain sensitive data and it was not entirely clear to the Sweepers why this information was needed for the device to function. For example, Sweepers questioned the need for a blood pressure monitor and thermometer to have access to location information. Nonetheless, Sweepers noted that in some instances, the information was optional and the default setting was set to not share this sensitive data with the company.
- Sweepers were pleased to see some companies explain in detail which third parties could gain access to their personal information and for what purposes. Some named third-party partners outright or explicitly stated that data would never be shared or sold to advertisers or companies that profit from the trade of data.
- Sweepers sent follow-up privacy questions to a number of the companies and were pleased to hear back from many of them in a timely fashion. While some simply redirected Sweepers to their legalistic privacy policies even though the Sweepers mentioned they had already reviewed them, others provided clear, thorough and easy-to-understand responses to their questions. Sweepers felt this was an important way to build trust, and that it demonstrates just how important it is to train front-line workers to respond effectively to privacy questions. Ideally, however, companies should incorporate this type of information into their privacy communications rather than wait to be asked.