17 August 2013

Website Privacy Statements

The Office of the Australian Information Commissioner (OAIC) has announced "the results of a ‘privacy sweep’ of the websites most used by Australians".

As you might expect, both the results and the OAIC response are rather lame.

The OAIC states that
Almost 50 website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014. 
Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues in the following areas: 'easy to find', 'easy to read', 'contacts for further information', relevance and length. 
'It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to,' Mr Pilgrim said. 
'We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use 'layered' privacy policies is encouraging.' 
The statement notes that
Over 65% of the [47] privacy policies provided information that was not relevant to the handling of personal information, and was potentially confusing. One website did not have a privacy policy.
There's no indication of whether the Commissioner has responded with carrot, stick or a simple urgent 'please explain' to the operators of that site.

The Commissioner's own site - recently but very belatedly updated - has attracted strong criticism for low usability, with documents being hard to find (in some instances disappearing altogether), confusingly-described and not provided on a timely basis. It is thus encouraging to see that the Commissioner
also reminded organisations that, in addition to readability and length, it was important to consider accessibility issues. 
'Privacy policies need to be accessible by all users. This means that policies should be in formats that can be read by people using assistive technologies like a screen reader,' Mr Pilgrim said. 
The OAIC backgrounder indicates that
  • 15% had a privacy policy that was hard to find on the website
  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
  • Almost 50% of policies raised 'readability' issues, i.e. they were considered to be too long and difficult to read
  • The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kincaid Reading Ease test
  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided. For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.
The statement comments that
'With only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements. Organisations need to focus on these requirements and be open and transparent about their privacy practices. This will give people a better understanding of how their personal information will be handled so that they can make an informed decision about doing business with the organisation.' 
To comply with new Australian Privacy Principle 1, organisations must have a clearly expressed and up-to-date privacy policy.
That compliance is, of course, in the eye of the Commissioner - with the PC/OAIC historically tending to be quite permissive. The statement indicates that the OAIC will use the findings "to inform the development of guidance about privacy policies for organisations in the lead up to March 2014".

In a forthcoming article I suggest that we need to be more positive and do more. We could for example mandate accessibility, along the lines of the Australian Spam legislation and the US Financial Services Modernization Act (Gramm-Leach-Bliley Act).