Privacy Commissioner: Website privacy policies are too long and complex

The Office of the Australian Information Commissioner (OAIC) has released the results of a ‘privacy sweep’ of the websites most used by Australians. The sweep was part of the first international internet privacy sweep, an initiative of the Global Privacy Enforcement Network (GPEN).

Almost 50 website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.

Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues in the following areas: 'easy to find', 'easy to read', 'contacts for further information', relevance and length.

'It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to,' Mr Pilgrim said.

'We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use 'layered' privacy policies is encouraging.'

The sweep also found that over 65% of privacy policies provided information that was not relevant to the handling of personal information, and was potentially confusing. One website did not have a privacy policy.

The Privacy Commissioner also reminded organisations that, in addition to readability and length, it was important to consider accessibility issues.

'Privacy policies need to be accessible by all users. This means that policies should be in formats that can be read by people using assistive technologies like a screen reader,' Mr Pilgrim said.

'With only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements. Organisations need to focus on these requirements and be open and transparent about their privacy practices. This will give people a better understanding of how their personal information will be handled so that they can make an informed decision about doing business with the organisation.'

To comply with new Australian Privacy Principle 1, organisations must have a clearly expressed and up to date privacy policy. The OAIC will use the sweep findings to inform the development of guidance about privacy policies for organisations in the lead up to March 2014.

Media contact:
Leila Daniels
media@oaic.gov.au
0407 663 968

Notes for editors

Australian results

The OAIC examined the top sites most visited by Australians (sourced from Alexa.com). Some key trends observed by the OAIC included:

  • 15% had a privacy policy that was hard to find on the website
  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
  • Almost 50% of policies raised 'readability' issues, ie they were considered to be too long and difficult to read
  • The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kincaid Reading Ease test
  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided. For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.
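The readability figures above come from the Flesch-Kincaid formulas, which only need three counts: sentences, words and syllables. The script below is an added example (not OAIC code) showing how an organisation could run the same kind of check over its own policy text before publishing it. The two sample policy passages are constructed for illustration, the syllable counter is a vowel-group heuristic rather than a dictionary lookup, and the mapping from US grade level to "reading age" (grade + 5) used for the target is an assumption, not something the release states.

```python
import re

# Flesch-Kincaid constants (published formulas).
_VOWEL_GROUPS = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count: one per vowel group, silent trailing 'e' dropped."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(_VOWEL_GROUPS.findall(w))
    # "use", "share" -> 1; but "table", "identifiable" keep the final "-le" syllable
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(1, groups)


def split_sentences(text: str) -> list[str]:
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def words(text: str) -> list[str]:
    return re.findall(r"[A-Za-z']+", text)


def readability(text: str) -> dict:
    """Return word/sentence/syllable counts plus Flesch-Kincaid grade and Reading Ease."""
    sents = split_sentences(text)
    ws = words(text)
    syllables = sum(count_syllables(w) for w in ws)
    n_s, n_w = max(1, len(sents)), max(1, len(ws))
    words_per_sentence = n_w / n_s
    syllables_per_word = syllables / n_w
    grade = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    ease = 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word
    return {
        "sentences": len(sents),
        "words": len(ws),
        "syllables": syllables,
        "grade": round(grade, 1),
        "reading_ease": round(ease, 1),
    }


def assess_policy(text: str, max_words: int = 2600, target_reading_age: int = 14) -> dict:
    """Flag a policy that is longer than the sweep's average or harder than the OAIC's preferred reading age.

    Assumption (not from the release): reading age ~= US grade level + 5.
    """
    stats = readability(text)
    stats["too_long"] = stats["words"] > max_words
    stats["too_hard"] = stats["grade"] + 5 > target_reading_age
    return stats


# Constructed sample passages, not text from any real policy.
PLAIN_POLICY = (
    "We collect your name and email. "
    "We use it to send you the newsletter. "
    "We do not sell it."
)

LEGALESE_POLICY = (
    "Notwithstanding the foregoing, the organisation reserves the right, at its sole "
    "discretion and without prior notification, to collect, retain, aggregate, and "
    "disclose personally identifiable information to affiliated entities and third-party "
    "service providers for purposes reasonably related to the administration of the services."
)

if __name__ == "__main__":
    for label, text in (("plain", PLAIN_POLICY), ("legalese", LEGALESE_POLICY)):
        print(label, assess_policy(text))
```

The heuristic syllable counter over- or under-counts some words, so treat the grade as a screening number: a policy that scores far above the target is worth rewriting regardless of the exact figure, which is the same way the sweep used it.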

About the GPEN Internet Privacy Sweep

The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep took place from 6 to 12 May 2013. It is a great example of privacy enforcement authorities working together to protect the privacy rights of individuals around the world.

Nineteen privacy enforcement authorities from around the globe participated in the first GPEN Internet Privacy Sweep.  Over the week, participating authorities searched the Internet in a coordinated effort to assess privacy issues related to the common theme of 'Privacy Practice Transparency'.  Transparency is a fundamental privacy principle common to privacy laws around the world.

The goals of the GPEN Internet Privacy Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, identifying concerns which may be addressed with targeted education and/or enforcement and enhancing cooperation among privacy enforcement authorities.

The Sweep did not involve an in-depth analysis of the transparency of each website's privacy practices, but sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to help participating authorities identify sites or mobile phone apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.

Global Sweep results at a glance
                                                      Global         Global          OAIC results
                                                      (Websites)     (Mobile apps)   (Websites)
Total number of websites or apps searched*            2,186          90              47
No Privacy Policy or equivalent found                 21% (464)      54% (49)        2% (1)
Concern identified: find-ability                      23% (493)      60% (54)        15% (7)
Concern identified: contact-ability                   19% (419)      30% (27)        9% (4)
Concern identified: readability                       31% (688)      58% (52)        47% (22)
Concern identified: relevance of information          28% (620)      91% (82)        66% (31)
Overall: one or more concerns identified**            50% (1,091)    92% (83)        83% (39)

* It is possible that some websites were examined by more than one Sweep participant. Two participants looked at mobile apps, while the other participants, including the OAIC, looked at websites.

** The percentage of websites/apps for which concerns were found varied significantly among participants. For websites, the range was between 25% and 90%. It is important to note that participants used different criteria in assessing websites.

Major global trends observed  

  • Participants found too many websites with no privacy policy whatsoever. Among the total 2,186 websites and mobile apps examined, 23% had no privacy policy available. A greater proportion of large organisations typically had privacy policies on their websites, in comparison to small and medium-sized organisations.
  • One-third of policies raised concerns with respect to the relevance of the information provided. In some cases, sites would make brief over-generalised statements about privacy while offering no details on how organisations were collecting and using customer information. Many policies used 'boilerplate' language which did not take into account the relevant privacy jurisdiction. Too often, there was limited information on how organisations were collecting, using and disclosing personal information as it related to their business model.
  • Approximately 33% of privacy policies viewed raised concerns with respect to their readability. Many of these policies quoted directly from applicable legislation. In doing so, these policies provide limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.
  • Mobile app privacy policies lagged behind those found on traditional websites. 92% of mobile apps reviewed in the sweep raised one or more concerns with respect to how they present information about their privacy practice, and 54% had no privacy policy at all. In some cases, organisations simply provided links to privacy policies for their websites which did not specifically address the collection and use of information within apps.

Best practices observed

  • Many organisations had privacy policies that were easily accessible, simple to read, and contained privacy-related information that consumers would be interested to know, which demonstrates that it is possible to create transparent privacy policies.
  • Many described what information is collected, for what purposes it is used, and with whom it is shared.
  • Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
  • A majority of organisations (80%) ensured that their privacy policy included contact information for the particular individual with responsibility for privacy practices within that organisation. Providing more than one option for contacting that individual (eg mail, toll-free number and/or e-mail) is a thoughtful way of ensuring there are no barriers to contacting an organisation about its privacy practices.
  • Some policies observed had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organisation's existing website privacy policy. Recognising that explaining privacy practices can be difficult on a mobile platform with a small screen, organisations are encouraged to find innovative ways of conveying their privacy policies on mobile devices.

Authorities who participated

  • Office of the Australian Information Commissioner
  • Office of the Privacy Commissioner of Canada
  • Information and Privacy Commissioner of British Columbia
  • Data Protection Inspectorate, Estonia
  • Office of the Data Protection Ombudsman, Finland
  • Commission Nationale de l'Informatique et des Libertés, France
  • Federal Data Protection Commission, Germany
  • Data Protection Commissioner of Berlin
  • Data Protection Commissioner of Rhineland-Palatinate (Rheinland-Pfalz)
  • Data Protection Supervisory Authority of Bavaria
  • Data Protection Commissioner of Hesse
  • Data Protection Commissioner of Brandenburg
  • Office of the Privacy Commissioner for Personal Data, Hong Kong
  • Office of the Data Protection Commissioner, Ireland
  • Office for Personal Data Protection, Macao
  • Office of the Privacy Commissioner, New Zealand
  • Data Protection Authority, Norway
  • Information Commissioner's Office, United Kingdom
  • Federal Trade Commission, United States  

About the Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney General's portfolio. The OAIC was established under the Australian Information Commissioner Act 2010 (AIC Act). The OAIC currently has three commissioners: the Information Commissioner, the Privacy Commissioner and the FOI Commissioner.

More information can be found at www.oaic.gov.au.
