OTTAWA, August 13, 2013 — From tweet-sized privacy statements to legalistic privacy policies simply cut and pasted from legislation, the first-ever Global Privacy Enforcement Network Internet Privacy Sweep has highlighted shortcomings in how some online organizations provide information about their privacy practices.

“While we did see some good examples that demonstrated it is possible to create transparent privacy policies,” says Jennifer Stoddart, Privacy Commissioner of Canada, “unfortunately, we also found some sites with no policies, or that offered only brief, over-generalized statements about privacy.”

“A particularly disappointing example for my Office was a paternity testing website with a privacy statement so skimpy it would fit into a tweet. We also found a major fast food chain collecting personal information, such as photos, addresses and dates of birth, for various initiatives, and yet the privacy policy was just 110 words,” says Commissioner Stoddart. “At the other extreme, we saw long, legalistic policies that simply regurgitated – word for word in some cases – federal privacy legislation.” 

“Neither approach is helpful to Canadians—nor necessary, as demonstrated by the many privacy policies we saw that were able to strike a balance between transparency and concision,” adds Commissioner Stoddart.

The Internet Sweep results offer some insights into how organizations are informing consumers about their privacy practices, and a number of specific examples illustrating these trends can be found in a blog post on the OPC’s website.  The Commissioner determined it was in the public interest to share specific results from the Sweep because she felt that the examples would help Canadians to better understand the observations.

The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep, from May 6-12, 2013, was an example of privacy enforcement authorities working together to promote privacy protection.  Nineteen privacy enforcement authorities participated, looking at the privacy policies of more than 2,000 websites and apps. 

This year’s theme was Privacy Practice Transparency. Transparency is a fundamental privacy principle common to privacy laws around the world. 

“This inaugural Sweep has highlighted the importance for organizations to be open and transparent about their privacy practices.  People need this information to make meaningful decisions in exercising control over their own information,” says Commissioner Stoddart.

Office of the Privacy Commissioner of Canada Results

Some key trends observed by the Office of the Privacy Commissioner of Canada during its Sweep of over 300 websites included:

• Almost one in 10 had no privacy policy or equivalent information. Another 10 percent had a privacy policy that was hard to find, in some cases because it was buried in a lengthy Legal Notice or in the Terms and Conditions.
• Approximately 20 percent of sites reviewed either listed no privacy contact, or made it difficult to find contact information for a privacy officer. In one case, website users were invited to send privacy questions by email, yet no email address could be found.
• More than 20 percent of privacy policies raised concerns with respect to the relevance of the information provided.  For example, some simply quoted portions of Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) verbatim instead of explaining how personal information is actually collected and used.

International Results

Sweep participants in other countries identified similar trends and concerns.  Globally, almost one quarter (23 percent) of the more than 2,000 websites and mobile apps examined had no privacy policy available.  Meanwhile, approximately one-third of the privacy policies found raised concerns with respect to the relevance of the information in them.

Detailed information about the international results is included in a Backgrounder.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to replicate the consumer experience by spending a few minutes per site checking for performance against a set of common indicators.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces,PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Src www.news.gc.ca