Earlier this year, I reported that the Office of the Privacy Commissioner of Canada (OPC) was participating in the first-ever Internet sweep by the Global Privacy Enforcement Network (GPEN).

The results are in. If you haven’t dusted off your privacy policy for a thorough clean-up, you should.

Yesterday, the OPC reported that, globally, the GPEN found that almost a quarter of the 2,276 mobile apps and websites examined did not have a privacy policy available. One third of the privacy policies that could be found raised concerns regarding the relevance of the information. In particular, policies:

  • used boilerplate language with brief over-generalized statements
  • failed to provide information customized to describe the organization’s practices
  • failed to take into account the relevant regulatory jurisdiction
  • directly quoted legislation rather than informing users

In addition, the OPC reported the initial results of its own examination of 300 websites. Among the findings were:

  • 1 in 10 failed to have a privacy policy or equivalent information
  • Of those with privacy policies, 1 in 10 buried them in other documents such as Terms and Conditions or had policies that were otherwise hard to find
  • 2 in 10 failed to provide a contact or made the contact information for the privacy officer difficult to find
  • 2 in 10 failed to provide relevant information – in some cases merely quoting the legislation or the Fair Information Practice Principles

Among the recommendations:

  • Draft uncluttered “user-centric” privacy notices
  • Make the policy comprehensive – covering online and offline activities
  • Explain directly the points of contact during which information will be collected
  • Explain what is collected and how it is used
  • Provide a detailed explanation of website personalization features and how to opt out
  • Provide a method of reporting privacy breaches

The OPC’s news release and related background information can be found here.