ICO blog: Global privacy study gives international view

An international study suggests websites could provide clearer information to customers on how their personal data is being used, but found some examples of good practice.

The project, highlighted in an ICO blog back in May, saw 19 data protection authorities from around the world analyse 2,186 website privacy policies.

The study is the first of its kind, and was coordinated by the Global Privacy Enforcement Network (GPEN) to enable international privacy enforcement authorities to work together to protect the privacy rights of individuals across the world.

The purpose was not to conduct an in-depth analysis of the privacy practice of each website, but to replicate the consumer experience by spending a few minutes on each website looking at what information was provided to identify global trends.

The results reveal significant shortcomings, with 23 per cent of sites reported to have no privacy policy at all. Of those that did have policies, a third were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website.

In the UK, we focused on 250 of the larger websites, so we’d expect them to be clear as to how they collect and handle personal information.

Most of these sites had a privacy policy that was easy to find and gave a fairly clear indication of what personal data was being collected about customers and why they were using this information. However websites generally weren’t clear on how long personal data would be retained for or if it would be transferred internationally.

An important outcome from this work was to build cooperation and collaboration among international authorities on an issue that crosses international borders and to give a global overview. GPEN members, including the ICO, will be contacting those organisations where their privacy policy, or lack thereof, raises significant concerns.

The international work also gave some examples of best practice noted by GPEN members:

  • Using plain language to make the information easily understandable and readable to the average person.
  • Using subheadings, short paragraphs, FAQs and tables, to make the policies easier to read.
  • Including privacy-related information that consumers would be interested to learn.
  • Ensuring privacy policies include contact information for the particular individual with responsibility for privacy practices within that organisation, and even providing more than one option for contacting that individual.
  • Tailoring policies for mobile apps and sites, going beyond simply providing a hyperlink to an organisation’s existing website privacy policy.

Our privacy notices code of practice sets out the sort of information we would expect to be provided in a privacy notice as a matter of best practice. Our findings from this study will feed into our work reviewing this code of practice in the coming months. If you have ideas or comments about what we should cover, let us know.

Adam StevensAdam Stevens manages the Intelligence Hub within the Enforcement Department, which collects, analyses and disseminates information with the aim of guiding and supporting the ICO’s approach to regulatory action.
This entry was posted in Adam Stevens and tagged , , . Bookmark the permalink.