Individuals are regularly left in the dark about how their personal information, once collected, is used and disclosed by websites and apps in the public, private and health sectors, a global privacy sweep has discovered.
The Office of the Information and Privacy Commissioner of Alberta joined 23 other privacy regulators around the world to analyze how effectively privacy policies are communicated and how much control users have over the information they give to websites and apps. In total, 455 websites and apps were analyzed, including 20 Alberta-based websites.
Of the 20 Alberta websites reviewed, 20% did not have a privacy policy despite collecting personal information. Meantime, 65% of the websites failed to disclose to users in which country their information was stored, and more than half did not provide a clear means for deleting or removing their personal information, once collected by the website. Additionally, 40% of the websites failed to adequately explain whether personal information is shared with third parties and with whom that data is shared.
The results in Alberta are similar to those globally, as among the 455 websites and apps analyzed:
- Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses.
- The majority of organizations failed to inform the user what would happen to their information once it had been provided.
- Organizations generally failed to specify with whom data would be shared.
- Many organizations failed to refer to the security of the data collected and held – it was often unclear in which country data was stored or whether any safeguards were in place.
- Just over half the organizations examined made reference to how users could access the personal data held about them.
More positively, most organizations were generally quite clear on what information they would collect from the user and more than half of organizations provided users with a means to access the personal information that had been collected.
One theme internationally was that the private sector does much better at addressing consent than public and health sectors, in part due to different legislative frameworks. Whereas private sector privacy legislation is consent-based, public sector legislation is based on authority in most, if not all, jurisdictions.
“At the core of privacy laws is for individuals to have control over their own personal information; the information economy has eroded this principle,” said Information and Privacy Commissioner Jill Clayton. “As more awareness is raised about these practices, all sectors would be well served to ensure control is given back to consumers and citizens for both legal and ethical reasons. These include having mechanisms in place for individuals to access, delete and better understand what is happening to their own personal information.”
The privacy sweep was coordinated by the Global Privacy Enforcement Network, which was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of over 60 privacy enforcement authorities in 39 jurisdictions around the world.