Almost 50 website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.
Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues in the following areas: 'easy to find', 'easy to read', 'contacts for further information', relevance and length.
'It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to,' Mr Pilgrim said.
'We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use 'layered' privacy policies is encouraging.'
The Privacy Commissioner also reminded organisations that, in addition to readability and length, it was important to consider accessibility issues.
'Privacy policies need to be accessible by all users. This means that policies should be in formats that can be read by people using assistive technologies like a screen reader,' Mr Pilgrim said.
'With only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements. Organisations need to focus on these requirements and be open and transparent about their privacy practices. This will give people a better understanding of how their personal information will be handled so that they can make an informed decision about doing business with the organisation.'
Notes for editors
The OAIC examined the top sites most visited by Australians (sourced from Alexa.com). Some key trends observed by the OAIC included:
- 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
- Almost 50% of policies raised 'readability' issues, i.e. they were considered to be too long and difficult to read
- The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kincaid Reading Ease test
- More than 65% of privacy policies raised concerns with respect to the relevance of the information provided. For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.
About the GPEN Internet Privacy Sweep
The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep took place from 6 to 12 May 2013. It is a great example of privacy enforcement authorities working together to protect the privacy rights of individuals around the world.
Nineteen privacy enforcement authorities from around the globe participated in the first GPEN Internet Privacy Sweep. Over the week, participating authorities searched the Internet in a coordinated effort to assess privacy issues related to the common theme of 'Privacy Practice Transparency'. Transparency is a fundamental privacy principle common to privacy laws around the world.
The goals of the GPEN Internet Privacy Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, identifying concerns which may be addressed with targeted education and/or enforcement and enhancing cooperation among privacy enforcement authorities.
The Sweep did not involve an in-depth analysis of the transparency of each website's privacy practices, but sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to help participating authorities identify sites or mobile phone apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.
| | Global (Websites) | Global (Mobile apps) | OAIC results (Websites) |
|---|---|---|---|
| Total number of websites or apps searched* | 2,186 | 90 | 47 |
| Sites/apps for which a concern was identified with respect to find-ability | 23% (493) | 60% (54) | 15% (7) |
| Sites/apps for which a concern was identified with respect to contact-ability | 19% (419) | 30% (27) | 9% (4) |
| Sites/apps for which a concern was identified with respect to readability | 31% (688) | 58% (52) | 47% (22) |
| Sites/apps for which a concern was identified with respect to relevance of information provided | 28% (620) | 91% (82) | 66% (31) |
| Overall percentage of sites/apps for which one or more concerns was identified** | 50% (1,091) | 92% (83) | 83% (39) |

\* It is possible that some websites were examined by more than one Sweep participant. Two participants looked at mobile apps, while the other participants, including the OAIC, looked at websites.

\*\* The percentage of websites/apps for which concerns were found varied significantly among participants. For websites, the range was between 25% and 90%. It is important to note that participants used different criteria in assessing websites.
Major global trends observed
- One-third of policies raised concerns with respect to the relevance of the information provided. In some cases, sites would make brief over-generalised statements about privacy while offering no details on how organisations were collecting and using customer information. Many policies used 'boilerplate' language which did not take into account the relevant privacy jurisdiction. Too often, there was limited information on how organisations were collecting, using and disclosing personal information as it related to their business model.
- Approximately 33% of privacy policies viewed raised concerns with respect to their readability. Many of these policies quoted directly from applicable legislation. In doing so, these policies provide limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.
Best practices observed
- Many organisations had privacy policies that were easily accessible, simple to read, and contained privacy-related information that consumers would be interested to know, which demonstrates that it is possible to create transparent privacy policies.
- Many described what information is collected, for what purposes it is used, and with whom it is shared.
- Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
Authorities who participated
- Office of the Australian Information Commissioner
- Office of the Privacy Commissioner of Canada
- Information and Privacy Commissioner of British Columbia
- Data Protection Inspectorate, Estonia
- Office of the Data Protection Ombudsman, Finland
- Commission Nationale de l'Informatique et des Libertés, France
- Federal Data Protection Commission, Germany
- Data Protection Commissioner of Berlin
- Data Protection Commissioner of Rhineland-Palatinate (Rheinland-Pfalz)
- Data Protection Supervisory Authority of Bavaria
- Data Protection Commissioner of Hesse
- Data Protection Commissioner of Brandenburg
- Office of the Privacy Commissioner for Personal Data, Hong Kong
- Office of the Data Protection Commissioner, Ireland
- Office for Personal Data Protection, Macao
- Office of the Privacy Commissioner, New Zealand
- Data Protection Authority, Norway
- Information Commissioner's Office, United Kingdom
- Federal Trade Commission, United States
About the Office of the Australian Information Commissioner
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney-General's portfolio. The OAIC was established under the Australian Information Commissioner Act 2010 (AIC Act). The OAIC currently has three commissioners: the Information Commissioner, the Privacy Commissioner and the FOI Commissioner.
More information can be found at www.oaic.gov.au.