For ten years, the Internet Society’s Online Trust Alliance (OTA) has published an annual comprehensive survey of 1,200 sites’ security and privacy practices. The 10th edition of this Audit has been released and can be found here. As part of the Audit, we score each site’s privacy statement against 29 criteria, ranging from whether it is linked to on the site’s homepage, to whether it states how the site handles children’s data.
For this blog post, we decided to use the Internet Society’s current privacy statement as an example, to illustrate the criteria used, and to show how a privacy statement fits into the bigger picture of an organization’s privacy practices. A privacy statement is only one piece of an organization’s overall privacy practices – although, as the public-facing piece, it is of course important. Other aspects (which are not included in the OTA survey) include:
- expressing and committing to a set of overall privacy principles
- having internal policies and practices that put the public-facing privacy statement into practice
- internal and external enforcement of the commitments expressed in the privacy statement
There are myriad ways to structure a privacy statement and, to be frank, many privacy statements are written with different goals in mind. As a result, our survey sees a wide range of privacy statements, from single paragraphs to dozens of pages. Where a privacy statement is long, the Audit will score it more favorably if it uses a “layered” approach to improve readability – and this is the approach adopted by the Internet Society’s statement.
Other formatting/presentation choices can also make a policy score higher in the survey: for instance, including the date the statement was last updated at the top or bottom of the page and linking clearly to the privacy statement from the organization’s home page. The Internet Society’s statement met both of these criteria (compared with 47% of sites with a date stamp on top and 24% having one at the bottom), and was comparatively rare in its inclusion of links to previous versions of the organization’s privacy statements.
Another presentation-related criterion the Audit checks is the use of icons to tell users about certain functions or kinds of data. For example, some sites use a megaphone icon to indicate that the section is about sharing user data, or a symbol of a fingerprint to represent biometric data. In general, privacy advocates suggest using icons because they can improve clarity and help with comprehension for users at different reading levels. Icons can also simplify the policy by making it more visually appealing, as opposed to just pages of text. The icon approach suffers from a lack of standard icons to represent specific functions or data types. The Internet Society’s privacy statement does not currently use icons, and could improve by doing so. Icons are comparatively rare among the sites studied, being used by only 2%.
Some presentation-related criteria in the Audit are more subjective. For example, the EU’s General Data Protection Regulation (GDPR) says that privacy policies should be easy for most users to read. Applying some online analysis tools to the Internet Society’s privacy statement suggests that it has a “fog index” of around 17 – in other words, it can be readily understood by someone educated up to that age. That is probably high for text that is aimed at a general public audience, and therefore an area where some improvement is possible.
We should note, though, that some laws require legal text to be present in the statement, and this can mean including language which is more formal and less easy to read. For example, two parts of the statement are legally required in the United States. The first states whether the site collects data on children under 13 (to comply with the Children’s Online Privacy Protection Act). The Internet Society does fulfill this, along with 67% of sites.
The second relates to Do Not Track. Under current California law the site must notify users of how it responds, technically, to a “Do Not Track” signal from a web browser – though the site is not legally required to honor such a signal (only to say how it responds). The Internet Society’s statement does reference Do Not Track, along with 40% of sites. It does not, however, honor Do Not Track requests. None of the sites in the Audit honor Do Not Track either. We will be publishing a number of blog posts over the coming weeks to explain the steps the Internet Society has taken to minimize the privacy impact of tracking technologies on its sites.
A crucial aspect of any privacy statement is what it says about data sharing, and several of the survey criteria address this concept. In this regard, we look at three main areas.
First, legal obligations to share data. We test against two criteria here. Is the privacy statement clear about cases where the Internet Society may be legally obliged to disclose users’ data? Here, we check whether the statement says that data may be shared with legal authorities if requested. The Internet Society’s statement, along with 90% of sites, does satisfy this test.
The other check is whether the statement says that users will be notified in case of a law enforcement request for data. The Internet Society’s statement does not make this commitment, but that is not unusual. Virtually none of the sites surveyed make such a commitment, and in some jurisdictions there may be cases where the law prevents a data controller from notifying users if a law enforcement access request is made.
Second, data sharing other than as required by law. The Internet Society’s statement does specify the instances where data might be shared with third parties, and it states what purposes such sharing is intended to achieve. Overall, the statement does reflect a clear set of principles and a policy of minimizing data sharing, confining it to stated practical purposes. However, different parts of the statement can be confusing in this area, and there is scope for improvement.
Third, data monetization. The Internet Society’s statement is clear in this regard, stating from the outset that “we will not sell or rent your personal data to others.”
A privacy statement is the main opportunity an organization has to tell all its users, visitors and stakeholders how their data is used, and how that use is governed by their rights. It is also an important part of ensuring that what the organization does with personal data is fair and legal. However, legal requirements and users’ expectations can all evolve over time, so privacy statements are dealing with a moving target and can always be improved. Privacy isn’t a state – it’s a process – and the same goes for privacy statements. They’re never done; they should always be subject to review, refinement, and improvement.
How would your organization do in the Online Trust Audit? Check out the Best Practice Checklist (Appendix E) and use it to improve your site’s security and privacy.