Close Search
News  |  Government

Website Privacy Policies Too Complex

27 August 2013 at 11:55 am
Staff Reporter
A significant majority of website ‘privacy’ policies examined by the Office of the Australian Information Commissioner (OAIC) are too long and complex.

Staff Reporter | 27 August 2013 at 11:55 am


Website Privacy Policies Too Complex
27 August 2013 at 11:55 am

A significant majority of website ‘privacy’ policies examined by the Office of the Australian Information Commissioner (OAIC) are too long and complex.

The Privacy Commissioner has released the results of a ‘privacy sweep’ of the websites most used by Australians. The sweep was part of the first international internet privacy sweep, an initiative of the Global Privacy Enforcement Network (GPEN).

Almost 50 website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.

Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues around: 'easy to find', 'easy to read', 'contacts for further information', relevance and length.

'It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long.

“In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to," Pilgrim said.

'We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use 'layered' privacy policies is encouraging."

The sweep also found that over 65% of privacy policies provided information that was not relevant to the handling of personal information, and was potentially confusing. One website did not have a privacy policy.

The Privacy Commissioner also reminded organisations that, in addition to readability and length, it was important to consider accessibility issues.

"Privacy policies need to be accessible by all users. This means that policies should be in formats that can be read by people using assistive technologies like a screen reader," Pilgrim said.

'With only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements. Organisations need to focus on these requirements and be open and transparent about their privacy practices.

“This will give people a better understanding of how their personal information will be handled so that they can make an informed decision about doing business with the organisation."

To comply with new Australian Privacy Principle 1, organisations must have a clearly expressed and up to date privacy policy. The OAIC will use the sweep findings to inform the development of guidance about privacy policies for organisations in the lead up to March 2014.

The OAIC examined the top sites most visited by Australians (sourced from Some key trends observed by the OAIC included:

  • 15% had a privacy policy that was hard to find on the website

  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer

  • Almost 50% of policies raised 'readability' issues, ie they were considered to be too long and difficult to read

  • The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kinkaid Reading Ease test

  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided.  For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.

The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep took place from 6 to 12 May 2013.

19 privacy enforcement authorities from around the globe participated in the first GPEN Internet Privacy Sweep.  

The OAIC says the Sweep did not involve an in-depth analysis of the transparency of each website's privacy practices, but sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

“The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to help participating authorities identify sites or mobile phone apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.”

The Office of the Australian Information Commissioner has also released the new Australian Privacy Principles (APP) Guidelines for consultation. The Guidelines outline how the OAIC will interpret and apply the APPs, which are central to new privacy laws that will commence on 12 March 2014.

Staff Reporter  |  Journalist  |  @ProBonoNews

Your email address will not be published. Required fields are marked *


What next on government engagement?

Neil Pharaoh

Monday, 27th March 2023 at 12:12 pm

Embedding gender equity in government engagement

Ellen McLoughlin

Wednesday, 8th March 2023 at 10:19 pm

Businesses on notice as ACCC sweeps covers off greenwashing

Danielle Kutchel

Friday, 3rd March 2023 at 3:16 pm

ASIC launches first greenwashing court action

Isabelle Oderberg

Tuesday, 28th February 2023 at 8:28 am

pba inverse logo
Subscribe Twitter Facebook