‘Regulators cannot keep up’: Two-thirds of websites lack privacy policies

UNIVERSITY PARK, Pa. — An alarming study by Penn State University researchers reveals that the vast majority of websites lack online privacy policies. The study shows that only one-third of online organizations make their privacy policies available for review.

“Privacy policies are legal documents that organizations use to disclose how they collect, analyze, share and secure their online users’ personal data,” explains study lead Mukund Srinath, a doctoral student in the Penn State College of Information Sciences and Technology (IST). “Privacy policies are often the only source of information regarding what happens to users’ personal information online. The availability of privacy policies and the ability of users to understand them are fundamental to ensuring that individuals can make informed decisions about their personal information.”

Legal jurisdictions worldwide, such as the European Union with its General Data Protection Regulation (GDPR) and individual states in the United States like California with the California Privacy Rights Act (CPRA), mandate that organizations post privacy policies on their websites. These regulations follow the principle of “notice and choice,” where users are presented with terms (the privacy policy) and must take action, like clicking “Accept,” to signify their acceptance of those terms.

However, despite these regulations, Penn State researchers found that most organizations are not in compliance.

“Not many websites have privacy policies,” notes Srinath in a university release. “For a user landing on a random website, there is only a 34 percent chance that a privacy policy exists. Among them, there is a 2 percent to 3 percent chance that the link is broken. And 5 percent of the links that do work will lead to a page that contains irrelevant information, such as placeholder text or documents in a language that doesn’t match the website’s landing page.”

To arrive at these conclusions, researchers conducted a large-scale investigation, crawling millions of English-language websites to identify when privacy policies were unavailable. They employed a technique called “capture-recapture,” similar to how ecologists estimate animal populations in the wild. This method allowed them to estimate the overall unavailability of privacy policies on the web.

“Regulators cannot keep up,” explains Srinath. “They are often overwhelmed by the numbers of privacy policies on the web and forced to rely on user complaints or compliance self-certification to prompt investigations of missing or ineffective privacy policies.”

Study co-author Shomir Wilson, assistant professor of IST and director of the Human Language Technologies (HLT) Lab at Penn State, emphasized the importance of transparency and accountability in online data privacy practices.

“This research provides important insights into the current state of privacy policy practices on the web that can inform efforts to develop more effective privacy policy standards and best practices as well as to improve the accessibility and comprehensibility of existing policies for users,” says Wilson.

The National Science Foundation supported this research. The study was presented at the 23rd Association for Computing Machinery Symposium on Document Engineering at the University of Limerick in Ireland.

About the Author

StudyFinds Staff
