Out-Law News

Watchdogs' review of internet privacy notices reveals 'significant shortcomings', says ICO
Businesses have been warned to better explain how they handle and use personal data within privacy notices published on websites.

A 'sweep' of more than 2,000 websites and mobile apps conducted by 19 different data protection authorities (DPAs) around the world found "significant shortcomings" in the way businesses displayed and detailed information in privacy policies, the Information Commissioner's Office (ICO) said.

The sweep took place in May and was co-ordinated by the Global Privacy Enforcement Network (GPEN). The ICO looked at 250 websites belonging to large companies in a review designed to "replicate the consumer experience by spending a few minutes on each website" rather than to provide an "in-depth analysis", the watchdog said.

"The results reveal significant shortcomings, with 23% of sites reported to have no privacy policy at all," Adam Stevens, team manager of the intelligence unit at the ICO, said of the figures for all 2,186 websites analysed globally. "Of those that did have policies, a third were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website."

Stevens also said that the ICO had specific concerns about some of the UK websites it analysed and that the watchdog would be "contacting those organisations where their privacy policy, or lack thereof, raises significant concerns".

"Most of [the 250 UK] sites had a privacy policy that was easy to find and gave a fairly clear indication of what personal data was being collected about customers and why they were using this information," Stevens said. "However websites generally weren’t clear on how long personal data would be retained for or if it would be transferred internationally."

The data protection authority in Canada was among the other watchdogs to participate in the sweep operation. Jennifer Stoddart, Privacy Commissioner of Canada, cited some examples of problematic privacy policies her office had identified.

"A particularly disappointing example for my Office was a paternity testing website with a privacy statement so skimpy it would fit into a tweet," Stoddart said. "We also found a major fast food chain collecting personal information, such as photos, addresses and dates of birth, for various initiatives, and yet the privacy policy was just 110 words. At the other extreme, we saw long, legalistic policies that simply regurgitated – word for word in some cases – federal privacy legislation."

"Neither approach is helpful to Canadians – nor necessary, as demonstrated by the many privacy policies we saw that were able to strike a balance between transparency and concision," Stoddart added.

When the ICO announced that the sweep operation was taking place in May, it said that too many companies were using the privacy policies they publish "to protect themselves rather than inform the public" about the collection and use of personal data.

Stevens said that the watchdogs had also noted some examples of best practice during their sweep. He said privacy policies should be written in "plain language" that the average consumer can easily read and understand. Subheadings, short paragraphs, FAQs and tables should be used to make policies easier to read, he added.

Companies should also publish contact details for the individuals responsible for privacy practices within their organisation, and should tailor their privacy policies for display within mobile apps or on mobile sites, Stevens added.
