Website Privacy Policies Too Complex
Tuesday, 27th August 2013 at 11:55 am
A significant majority of website ‘privacy’ policies examined by the Office of the Australian Information Commissioner (OAIC) are too long and complex.
The Privacy Commissioner has released the results of a ‘privacy sweep’ of the websites most used by Australians. The sweep was part of the first international internet privacy sweep, an initiative of the Global Privacy Enforcement Network (GPEN).
Almost 50 website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.
Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues around: 'easy to find', 'easy to read', 'contacts for further information', relevance and length.
'It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long.
“In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to," Pilgrim said.
'We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use 'layered' privacy policies is encouraging."
The Privacy Commissioner also reminded organisations that, in addition to readability and length, it was important to consider accessibility issues.
"Privacy policies need to be accessible by all users. This means that policies should be in formats that can be read by people using assistive technologies like a screen reader," Pilgrim said.
'With only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements. Organisations need to focus on these requirements and be open and transparent about their privacy practices.
“This will give people a better understanding of how their personal information will be handled so that they can make an informed decision about doing business with the organisation."
The OAIC examined the top sites most visited by Australians (sourced from Alexa.com). Some key trends observed by the OAIC included:
9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
Almost 50% of policies raised 'readability' issues, ie they were considered to be too long and difficult to read
The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kinkaid Reading Ease test
More than 65% of privacy policies raised concerns with respect to the relevance of the information provided. For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.
The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep took place from 6 to 12 May 2013.
19 privacy enforcement authorities from around the globe participated in the first GPEN Internet Privacy Sweep.
The OAIC says the Sweep did not involve an in-depth analysis of the transparency of each website's privacy practices, but sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.
“The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to help participating authorities identify sites or mobile phone apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.”
The Office of the Australian Information Commissioner has also released the new Australian Privacy Principles (APP) Guidelines for consultation. The Guidelines outline how the OAIC will interpret and apply the APPs, which are central to new privacy laws that will commence on 12 March 2014.