As the CNiL (the French privacy/data protection authority) revealed in a press release yesterday, the state of privacy related information for consumers/visitors on the web is still massively underwhelming. The findings of a coordinated audit by the 19 members of the GPEN that looked at some 2180 of the most popular websites and apps revealed that over a 20% don’t provide any kind of privacy notices despite their collecting of privacy relevant data.
If you look only at the mobile applications that figure climbs up to at over 50%.
In another comment the release details the often lacking quality in privacy notices (if they are present) as being too general or, conversely, too focused on one technical aspect, such as the use of “cookies”.
Par ailleurs, lorsque ces politiques de protection des données existent, elles sont parfois trop généralistes ou, à l’inverse, trop focalisées sur un seul aspect technique, comme par exemple celui des ” cookies “.
Further interesting takeaways from the French sites (250 of the most visited sites by French users) are that 99% of them actually collect personally identifiable information and some 50% of websites and mobile application included their privacy policies in a way that would make it hard to discover.
About the Internet Sweep Day and GPEN
The operation “Internet Sweep Day” was a first coordinated audit by the member agencies of the Global Privacy Enforcement Networt (GPEN). The GPEN is an informal network of Privacy Enforcement Authorities that pursues a number of tasks:
- Discuss the practical aspects of privacy law enforcement co-operation;
- Share best practices in addressing cross-border challenges;
- Work to develop shared enforcement priorities; and
- Support joint enforcement initiatives and awareness campaigns.
Some of the members of the GPEN include:
- Australia: Office of the Australian Information Commissioner; Office of the Victorian Privacy Commissioner; Office of the Information Commissioner, Queensland
- Belgium: Data Protection Commission
- Bulgaria: Bulgarian Commission for Personal Data Protection
- Canada: Office of the Privacy Commissioner of Canada; Information and Privacy Commissioner of British Columbia
- China (Special Administrative Regions): Office for Personal Data Protection, Macau SAR, China
- Czech Republic: Office for Personal Data Protection of the Czech Republic
- European Union: European Data Protection Supervisor
- Estonia: Estonian Data Protection Inspectorate
- France: Commission Nationale de l’Informatique et des Libertés
- Germany: Federal Data Protection Commission; Berlin Commissioner for Data Protection and Freedom of Information
- Guernsey: Data Protection Office
- Ireland: Office of the Data Protection Commissioner
- Israel: The Israeli Law, Information and Technology Authority
- Italy: Garante Per La Protezione Dei Dati Personali
- Korea: Ministry of Public Administration and Security; Korea Internet Security Agency; Personal Information Protection Commission
- Mexico: Federal Institute for Access to Information and Data Protection (IFAI)
- Netherlands: Dutch Data Protection Authority
- New Zealand: Office of the Privacy Commissioner
- Norway: Data Protection Authority
- Poland: Office of the Inspector General for the Protection of Personal Data (GIODO)
- Slovenia: Information Commissioner
- Spain: Agencia Española de Protección de Datos
- Switzerland: Federal Data Protection and Information Commissioner
- Ukraine: State Service of Ukraine on Personal Data Protection
- United Kingdom: Information Commissioner’s Office
- United States: Federal Trade Commission