The Global Privacy Enforcement Network (GPEN) in their 2017 sweep of websites and applications found that privacy notices are often too vague. The GPEN issued its findings after submissions from 24 Data Protection Authorities across the world, which collectively examined 455 websites and applications across various sectors.
The GPEN noted that information on how personal data would be used was often generic. It also identified a failure of privacy notices to advise users on how or where their data would be stored, including safeguards, and with which third parties the data would be shared with. In regards to the retail sector specifically, the GPEN noted that retailers who issue e-receipts (e.g. for proof of purchase) generally failed to provide any information relating to those receipts on their website.
The GPEN did observe overall, however, that the majority of organisations were quite transparent in specifying what information or categories of information they would be collecting and that privacy communications were usually easy to locate.
Click here to read the GPEN 2017 sweep in full.