Skip to content

Media Statements

Media Statement - Global Results from the first GPEN Internet Privacy Sweep

Date: 14 August 2013

Global Results from the first GPEN Internet Privacy Sweep

(14 August 2013) The Office of the Privacy Commissioner for Personal Data ("PCPD"), joined force with 18 other privacy enforcement authorities from around the globe in announcing today the results of an international Internet Privacy Sweep exercise ("Sweep") to assess privacy issues related to the common theme of Privacy Practice Transparency in websites and smartphone applications ("Apps"). Transparency is a fundamental privacy principle common to privacy laws around the world.

The Sweep

The Sweep was coordinated by the Global Privacy Enforcement Network ("GPEN")1. The Sweep took place from 6 to 12 May 2013 in the jurisdictions of each of the participating privacy enforcement authority. It replicated the consumer experience by spending a few minutes checking each selected website or App against an agreed set of criteria, including availability, accessibility, readability and relevancy of their privacy policy statements ("PPS"). The Sweep examined 2,186 websites and Apps in total.

Common concerns

The Sweep identified significant shortcomings:

  • 23% of the websites and mobile apps surveyed had no privacy policy available.

  • In some cases, sites would make brief over-generalised statements about privacy while offering no details on how organisations were collecting, using and disclosing customer information.

  • A greater proportion of large organisations typically had privacy policies on their websites, in comparison to small and medium-sized organisations. One-third of the policies examined raised concerns with respect to the relevance of the information provided in them. In many policies, standard boilerplate language was used.

  • 33% of the privacy policies raised concerns with respect to readability, with many of these policies quoting directly from applicable legislation. In doing so, these policies proved of limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.

The privacy policies of Apps2 lag behind traditional websites.

  • 92% of App privacy policies reviewed in the sweep raised one or more concerns with respect to how they present information about their privacy practices.

  • 54% had no privacy policy at all.

  • In some cases, organisations simply provided links to privacy policies for their websites which did not specifically address the collection and use of information within Apps.

Best Practices

Participants observed many positive examples of best practices during the Sweep. For example:

  • Many organisations had privacy policies that were easy to find, simple to read and contained privacy-related information that consumers would be interested to know.

  • Many policies addressed consumers' rights and obligations within that jurisdiction, describing what information is collected, for what purposes it is used, and with whom it is shared.

  • Some of the best examples were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.

  • 80% of organisations ensured that their privacy policy included contact information for the particular individual with responsibility for privacy practices within that organisation. Providing more than one option for contacting that individual (e.g. mail, toll-free number and/or e-mail) is a thoughtful way of ensuring there are no barriers to contacting an organisation about its privacy practices.

  • Some policies had been tailored for Apps and sites, going beyond simply providing a hyperlink to an organisation's existing website privacy policy.

Mr Allan Chiang, the Privacy Commissioner for Personal Data said, "Privacy has become an international issue in the Internet and mobile world, requiring an international response. The challenges are global, and the solutions need to be global as well. The Sweep brought the issue of online privacy transparency to the forefront. It shone a spotlight on the importance for organisations to be open and transparent about how they collect, use and disclose personal data so that individuals can make meaningful decisions in exercising control over their own data. Transparency is especially important in an online environment where personal data is sometimes used in ways that individuals may not expect."

- End -

1 The GPEN is a network of privacy enforcement authorities from around the globe working together to protect the privacy rights of individuals.

2 See detailed results of survey in Hong Kong at www.pcpd.org.hk/english/resources_centre/publications/files/mobile_app_sweep_e.pdf