Yesterday, our Office participated in the first ever international internet privacy sweep. An initiative of the Global Privacy Enforcement Network (GPEN), the sweep is a coordinated effort among a number of data protection agencies to address a particular privacy issue. This year’s sweep assessed transparency online.
I was one of about 20 OPC employees who spent part of the day “sweeping” – visiting sites from a list we had compiled of over 1000 websites popular among Canadians. Our task: to review the privacy policies of popular websites from the point of view of the average consumer, and determine whether we could find out about an organization’s information handling practices, raise questions or concerns with an organization about their information handling practices, and understand their privacy policies.
Many of us sat at networked laptops in a small boardroom we dubbed “The Broom Closet”. Armed with coffee and spreadsheets, we clicked our way through privacy policies, checking for readability, counting words, and taking note of “Bouquets” (elements of privacy policies we felt were done well) and “Turnips” (elements of privacy policies that could be improved).
Through GPEN, the results from all of the sweeps conducted this week will be analyzed and results will be made public sometime in the coming months.
I spent the morning looking at popular kids’ websites. Some observations:
Privacy policies on children’s websites are written for parents, not kids.
In order to operate in the U.S., sites targeted to kids need to be compliant with the U.S. Children’s Online Privacy Protection Act (COPPA).
Operators of kids’ sites might aim to create privacy policies that are robust and comprehensive but in doing so, their privacy policies can risk being long, complex and legalistic.
Even so, some of the sites I visited clearly took some extra effort to break down their policies in order to meet the requirement under COPPA that privacy policies be “clear and understandable” – either by organizing information into hyperlinked chunks or tables, or providing summaries with links to the full policy below.
I can appreciate the challenge these sites face – on the one hand, they must demonstrate compliance; on the other hand, parents of kids who use these sites want to make informed decisions about their information. And parents often need to make those decisions quickly, or with other immediate priorities competing for their attention. How many of you have tried to make heads or tails of a new game your child wants to play, while breaking up a fight over who gets to use the iPad, while sweeping up goldfish crackers and Cheerios? (Not that this happens in my house, ever.)
When you consider that researchers have estimated it can take people up to 250 hours to read all of the privacy policies they encounter in a year, wouldn’t it be nice to see a privacy policy that tells you what you need to know, but also helps shave a couple of minutes off?