International data watchdogs: Websites don't tell you who sees your privates
Plus they're super-vague about where they store them
The privacy notices used by websites and apps to tell users what data they collect and how it will be used fail to offer the necessary specifics, an international study has found.
The work, carried out by 24 data protection regulators across the world, assessed the notices, communications and sign-up processes used by 455 websites and apps.
The regulators were scathing in their conclusions, finding a whole range of holes in the notices used, saying that examples of good practice “were in the minority”.
The litany of errors revealed by the study (PDF) include that organisations fail to specify who they’ll share the data with, and aren’t clear on where data is stored or how it will be protected. Some don’t even tell users exactly what information they’ll collect.
Across the whole 455 organisations, half didn't specify with whom the data will be shared, while a quarter don’t even mention whether personal information would be shared with third parties.
The UK is below average in this category, with 26 of the 30 sites assessed failing to properly explain whether they pass data on to third parties and, if they do, who those third parties are.
Organisations are also unclear on where data will be stored - 67 per cent don’t say which country it will end up in - and international data transfers are often particularly vague.
Although organisations might have safeguards like access controls or encryption in place, 35 per cent didn’t specify what they were. Just 22 per cent told users where there was a data retention policy.
Even the most basic information didn’t manage to make it into some organisations’ notices, with 23 per cent failing to make it clear what data they’d slurp, and 17 per cent failing to get adequate consent to collect it.
However, more than half the organisations offered users instructions on how to access their data; a similar number told them how to remove their personal data from the database.
A further indication of organisations' lack of interest in keeping privacy notices up to date is that some still referred to the Safe Harbor agreement on trans-Atlantic data flows, which was revoked in 2015.
Adam Stevens, research group manager at the UK's Information Commissioner’s Office - which led the study - said the situation "just won't do".
Businesses need to fix the problems ahead of the General Data Protection Regulation “if they don’t want to be breaking the new law”, he said.
Neil Brown, internet lawyer for Decoded:Legal, said it was “no surprise” that data controllers needed to up their game when it came to communicating with data subjects.
"Organisations working towards consistency with the information provisions of the GDPR should take this opportunity to be clearer and more transparent," he said.
"In reality though, who reads privacy notices? If an organisation really wants to be transparent, they should consider providing information at the point of collection — for example, at the point of account registration, or when asking for permission to use certain data — rather than just via a linked page." ®