On 14 August 2013, the Office of the Australian Information Commissioner (OAIC) released the results of the privacy sweep of the websites most used by Australians. The privacy sweep was part of the first international internet privacy sweeps conducted in May this year, an initiative of the Global Privacy Enforcement Network in which nineteen privacy enforcement authorities from around the globe participated.
The theme of the sweep was privacy practice transparency. In this context, the websites were assessed for find-ability, contact-ability (i.e. how difficult it was to find contact information for the privacy officer), accessibility, readability (including length) and relevance. The Australian websites' policies were also tested against the transparency requirements under the new Australian Privacy Principles (APPs), in particular APP 1 – Open and transparent management of personal information.
Under APP 1.3, APP entities must have a clearly expressed and up-to-date privacy policy. The privacy sweep revealed that many privacy policies will not comply with this requirement as they are too long, too complex, irrelevant and inaccessible.
The transparency don'ts
47% of the Australian websites failed the readability test, being too long and unnecessarily complex. The Privacy Commissioner stated that '[o]n average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to…'.
Other issues identified included that the policies:
- contained irrelevant information or did not contain relevant information. For example, many policies used 'boilerplate' language which did not take into account the relevant privacy jurisdiction, such as sites with .au domain names which were unclear about whether the site complied with the Privacy Act 1988 (Cth);
- contained over-generalised statements about privacy which offered no details on how organisations were collecting, using and disclosing personal information;
- were hard to find on the website; and
- either listed no privacy contact or made the contact information difficult to find.
The transparency do's
The results of the privacy sweep were not all doom and gloom. The following practices were commended:
- using presentation tools to make the information easily understandable and readable to the 'average' person (the OAIC's preferred reading age level is 14). The presentation tools used included 'plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods';
- providing multiple options for contacting the privacy officer;
- providing both a simplified and full policy to assist individuals in understanding what will happen to their personal information. The Privacy Commissioner stated that '[t]his attempt to use 'layered' privacy policies is encouraging'; and
- tailoring policies for mobile apps and other technologies (such as assistive technologies like a screen reader).
What now?
The OAIC will use the results of the privacy sweep to inform the development of guidance on the APPs in the lead up to their commencement in March 2014 and to educate organisations about privacy policies.
The Privacy Commissioner stated that '[w]ith only 8 months to go until new privacy laws commence, organisations should be looking at their privacy policies now to ensure they comply with the new requirements'. Organisations would be unwise to ignore this clear call to action.