New watchdog study shows that approximately half of all web privacy policies are non-compliant and risk enforcement action


It has been said for some time that data is the new oil, but many global organizations continue to struggle to comply with regulatory requirements when it comes to the exploitation of this valuable resource.

A recent worldwide audit of over 2,000 websites, coordinated by the Global Privacy Enforcement Network (“GPEN”), has revealed “significant shortcomings” at many organizations. In particular, approximately half of the websites “swept” failed to display a complete, coherent and compliant privacy policy, or worse still, any policy at all.

The audit, the first of its kind, was conducted in May of this year by 19 different data protection authorities around the world, including the UK’s Information Commissioner’s Office (“ICO”).”The results reveal significant shortcomings” reports Adam Stevens, Intelligence Officer at the ICO, on 16 August, stating that 23% of the 250 websites it reviewed had no privacy policy at all and that a third of those that did have policies ” were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website”.

These statistics are particularly significant given the audit’s focus on larger companies – companies one would expect to be ahead of the curve when it comes to providing information on their collection and handling of personal data. Presumably a more in depth survey of smaller companies with a web presence but a smaller compliance budget would produce even more alarming results.

The Canadian data protection authority also participated in the study, making similar observations to those of the ICO. Jennifer Stoddart, Privacy Commissioner of Canada, provided some non-compliant examples which were particularly eye-catching:
“A particularly disappointing example for my Office was a paternity testing website with a privacy statement so skimpy it would fit into a tweet. We also found a major fast food chain collecting personal information, such as photos, addresses and dates of birth, for various initiatives, and yet the privacy policy was just 110 words. At the other extreme, we saw long, legalistic policies that simply regurgitated – word for word in some cases – federal privacy legislation”.

Ms. Stoddart went on to say that “Neither approach is helpful to Canadians – nor necessary, as demonstrated by the many privacy policies we saw that were able to strike a balance between transparency and concision”.

Importantly, the various watchdogs have now committed to contacting those companies where significant concerns arose, leaving the door open to a potential wave of enforcement action off the back of the sweep in any number of jurisdictions.

The study is also likely to lead to further cooperation and collaboration among international authorities on an issue that crosses international borders. For example, the GPEN members have given some examples of best practices for companies to follow when drafting global privacy policies. These policies, along with already published guidance by regulators such as the ICO and Canadian data protection authority, are a good place to start when drafting privacy policies from scratch or for those companies in need of routine health check.