ANALYSIS, RESEARCH

A COMPLIANCE ANALYSIS OF WEBSITE PRIVACY POLICIES


Transparency is one of the fundamental principles in the protection of personal data. Each of us has the right to understand how our personal data are processed, how are used or shared. By publishing GDPR policies on a website, a company can make clear evidence of transparency in the processing of personal data, assuming and proving responsibility and obtaining a trustworthy label for the entire business ecosystem it belongs to. A GDPR READY research made in this year spring analysed more than 450 Romanian websites looking at how companies are respecting this transparency by publishing Privacy Policy, Terms & Conditions, Cookies Policy and Privacy Notes.

1. COMPLIANCE ANALYSIS PREMISES

 1.1. PRIVACY POLICY

Any organization that maintains an online public image should publish a privacy policy or a personal data processing statement on the Website. A link to this privacy statement must be clearly visible on each page of this site, under a commonly used term (such as “Privacy”, “Privacy Policy” or “Data Protection Statement”).

Articles 13 and 14 of the GDPR explain all the information we have to give to the individual persons when we collect their personal information or shortly after we have come into their possession in an indirect way. In order to clarify this, the Article 29 Working Group (WP29) published in November 2017 a guide dedicated to transparency policies, reviewed on April 2018.

1.2. TERMS & CONDITIONS

Another aspect of transparency, this time not just for personal data, is the presence of the page that describes the Terms and Conditions for using the site for visitors. The Terms and Conditions Webpage should represent the agreement by which the users of the site are informed about the rules, terms and regulations they must follow. Although not imposed by GDPR, the Terms and Conditions page may retain the rights to exclude certain users who may create abusive issues on the site or not comply with the rules set.

Usually, there are five reasons why a Terms and Conditions page is required:

  • Abuse prevention – in the case of problems related to spamming, abusive behaviour, uncontrolled activities that can lead to defamation reactions. Without the Terms and Conditions, there is no authority to suspend or prohibit users from displaying problematic trends.
  • Content protection – any site owner holds the logo, content and design of the site. The Terms and Conditions inform users of this fact and prevent the diversion of intellectual property.
  • The right to cancel the accounts – while the termination may be implicit in other clauses, a distinct right highlighted in the Terms and Conditions for cancelling the accounts is better.
  • Limitation of liability – The terms and conditions also limit the causes of actions that users may try to use against the site. These limits on liability may address errors in content or shutdown of the system. Basically, the terms explain that users take these risks when they register on the site and you cannot be held responsible for any losses they incur in these events.

Applicable legal notice – If the company is located in Romania, it is doubtful that you want to participate in an arbitration procedure in California or Singapore. Here is the section on the applicable law: the competence of the terms is stated and the place where any dispute settlement takes place.

1.3. COOKIES POLICY

At present, there is no dedicated legislation in the European Union that exclusively concerns the Cookies policy. There is a set of laws, recommendations and considerations that address how cookies can be used. They apply to all Member States of the European Union, and websites outside the EU must align to this if they are addressed to people in the Member States. In the absence of explicit legislation, the conditions of use for cookies are regulated by the Directive no. 58/2002, updated in 2009 known as “ePrivacy”, which is transposed in Romania by Law 506 of 2004, updated by Law 235 of 2015, regarding the processing of personal data and the protection of privacy in the electronic communications sector.

Until the advent of GDPR, compliance with this law meant a statement placed at the bottom or top of the site, which allows the user to know what kind of cookies are used. Most of us are familiar with the famous expression: “By using this website, you accept our cookie policy” or something similar. This information is useful but to what extent does it offer us an alternative? GDPR aims to change this, giving users a real and informed choice.

What ePrivacy says about Cookies – Article 5 (3) of ePrivacy requires prior informed consent regarding the storage or access to information stored on the user’s terminal equipment. In other words, users should be asked if they agree with most cookies and similar technologies (for example, web beacons, Flash cookies, etc.), and their consent must be obtained before the site begins to use them.

Users should be informed about the use of cookies in plain, non-jargon language, on a dedicated “Cookie Policy” page, which can be reached from a popup or from the standard template toolbar. This page should explain:

  • Why cookies are used (to remind users actions, identify users, collect traffic information, etc.)
  • Whether cookies are essential for the operation of the website or for certain functionality or if it is aimed at improving the performance of the website
  • The types of cookies used (for example, session or permanent, first or a third party) that control/access the information regarding the cookies (site or a third party)
  • That these cookies will not be used other purposes than those indicated
  • How users can withdraw cookies consent.

What the GDPR says about Cookies – The main cause of the inconsistencies related to the Cookies Policy is that EU Regulation 679/ 2016 considers IP identifiers as personal data, which Directive 58 did not provide. This makes the site owners have to have a big headache in addition to ensuring compliance requirements for the acquisition and retention of IPs.

In GDPR, the only place where cookies are explicitly mentioned is Recital 30 which states: “Individuals may be associated with the online identifiers provided by their devices, applications, tools and protocols, such as IP addresses, cookie identifiers or others. Identifiers such as radio frequency identification tags. They can leave traces that, especially when combined with unique identifiers and other information received by servers, can be used to create profiles of individuals and to identify them.”

The idea is relatively simple: cookies can be used to uniquely identify a person, so they should be treated as personal data. It will affect those identifiers used for analysis, advertising, but also for those used for functional services such as chats and surveys.

What needs to be changed? – Users must be able to CHOOSE. Browsing a website does not mean that I agree with all the cookies. The type of phrase used at the moment is barely informative and, of course, does not offer a choice. Anyone who owns the site will not be able to force users to accept cookies in exchange for access to information.

Like any other consent under the GDPR, consent for cookies must be a clear AFFIRMATIVE action. An example is to click on a sign-in box or choose menu settings. Users must be careful not to have pre-checked boxes on the consent form!

Let’s not forget the OPT-OUT. The GDPR clearly states that any data subject should be able to withdraw consent as easily as he or she has given it. In the case of the new cookie policy, this requires any user to be able to revoke consent by the same type of action as when they gave their consent. For example, if a box is clicked to obtain consent, the same method must be offered for revoking the agreement by inserting a REJECT button.

1.4. PERSONAL DATA PROCESSING NOTES

Returning to the obligation to publish a Privacy Policy, any window, pop-up, form, and questionnaire or comment box on a public site must include a notification informing the user of how the data will be used, with reference to the confidentiality credential where all the explanations required by Art.13 and Art.14 have been given.

The GDPR sets higher standards for obtaining consent than previous legislation. Individuals need to understand clearly and unequivocally what they agree to – so notifications need to be simply articulated and specific – and the agreement must be given in the form of a clear affirmative action by the data subject. In practical terms, this means asking for a positive “opt-in” and also means that the use of pre-checked boxes should not be used.

The most common errors that appear on the sites are related to the lack of these notifications, preferring the usual formulas of authentication such as “Not a robot”, “1 + 2 = ...” or Captcha. The few sites that make a note about the processing of personal data collected on the site make a mistake by asking the user before pressing the subscribe button or sending the personal data the agreement for the privacy policy. Several examples of these usage errors will be presented in the chapter presenting the results of the Compliance Analysis.

2. METHODOLOGICAL ASPECTS

The compliance analysis of the GDPR policies on the Internet pages consisted of studying a sufficiently large number of sites to meet the optimal conditions for statistical analysis, on a sample as representative as possible.

The compliance study was based on two types of analysis:

– A predominantly qualitative general analysis on a number of 450 sites, which followed the way in which the websites that were the object of the research find the public policies of the organization (the owner, the policy of processing personal data (or Privacy Policy, Privacy Policy, etc.), page dedicated to the Terms and Conditions updated at the GDPR, a page dedicated to Cookies Policy, the presence of confidentiality notices associated with any form of personal data collection of the web visitor, the presence of the forms for addressing the requests for access to the data personal information, as well as the presence of the contact information of the PDO.

– A detailed, quantitative-qualitative analysis of the presence and quality of the content of public policies, taking into account the minimum mandatory information that must appear in these declarations of conformity.

2.1. QUALITATIVE ANALYSIS

The research sample consists of about 450 sites, chosen on different criteria such as:

  • ACUITY – a sufficient number of sites are needed to ensure good quality statistical processing;
  • REPRESENTATIVENESS – the sites belong to public and private companies from different areas of activity, so that the results can be considered as covering for all verticals;
  • LEADERSHIP – for each of the activity areas considered, the companies that were noted for the results obtained were selected. The 100 companies from the Top Profitability analyzed in the Detailed Study are also included in this analysis;
  • RESPONSIBILITY – were followed sites from all areas that may involve an increased level of responsibility by appointing a DPO or the obligation to carry out an impact analysis – according to the list of activities presented in Decision 174 October 2018, Art. 1, Alin a – g.

The qualitative analysis was based on the evaluation of the content published on the sites of the studied sample, based on analysis criteria, to which different weights were assigned, depending on the importance of the aspect pursued.

2.2. IN-DEPTH ANALYSIS

The research sample consists of about 150 sites, chosen on the criteria of belonging to the Top 100 companies in Romania after Profitability for 2017, realized and published by Capital magazine, based on the results declared at the Trade Register ( Capital magazine, EXCLUSIVE TOP 100 the most profitable companies in Romania, July 2018). Another 50 sites were selected based on business results criteria, according to the results presented at the Trade Register.

The purpose, easy to guess, of the GDPR Ready Analysis, is to see to what extent the top companies in Romania have found the resources necessary to ensure the alignment of the new Regulation 679/2016, and the web pages containing the public policies of the organization represent the most eloquent business card for the state of compliance where a top company is located.

The detailed analysis was based on the evaluation of the content published on the websites of the studied sample, based on analysis criteria, to which different weights were assigned, depending on the importance of the aspect pursued. Part of these criteria, regarding the presence on the site of the different policies and the form of presentation, content, accessibility and format of the cookie bar are the same as those used in the qualitative analysis. The differences appear in the specific analysis for each of the policies (Confidentiality, Terms & Conditions, Cookies), wherein the used benchmark has been considered all the mandatory criteria by which the data subjects are informed of the way their personal data are processed, as it is clearly shown in Articles 13 and 14 of the GDPR.

3. MAIN RESEARCH RESULTS

Here is a brief rendering of the results obtained from the two types of analysis

3.1. QUALITATIVE ANALYSIS RESULTS

One of the objectives of this analysis, which studied 450 sites, was the general evaluation of the presence of public policies on the website. The six types of policies studied were analysed from the perspective of the presence on the websites, the criteria of appreciation being the presence, the absence and the presence partially or incomplete – for example, the specific notifications of a policy are described on pages other than those dedicated. What is to be emphasized here?

  • Only 63% of sites have a Privacy Policy
  • 31% do not have such a policy, so they do not comply with the principle of transparency regarding the protection of personal data
  • Only 40% of sites have a Terms & Conditions page, although it should be found on any public site and not directly related to GDPR.
  • Only 60% of the studied sites have a displayed cookie policy, of which 14% are incomplete
  • 79% of the sites do not have a confidentiality note although they collect personal data from the site
  • Only 8% of the sites offer the possibility of downloading forms for access requests to personal data.
  • Only 55% of sites offer a mailing address for GDPR issues, whether they have a dedicated DPO or not.
Source: GDPR READY RESEARCH, Sample: 450 Websites

Figure 1: PRESENCE OF THE WEBSITE POLICY

The analysis of the industrial verticals gives us an overview of the areas of activity in which there are concerns related to updating the public policies on the website. For the histogram of the analysis for the main industries verticals, an average of the percentage of compliance for all the sites belonging to the respective industry were chosen.

Some comments on the results:

  • The highest level of compliance can be found in the utilities, telco, retail – hypermarket, pharmaceutical & cosmetics, and the automotive industries.
  • On the opposite side, and this is quite sad, there are areas that by the nature of their activity are obliged to have a DPO: public administration (town halls), education (schools, colleges, universities), healthcare (hospitals, clinics) and government (ministries and supervised organizations)
  • A surprisingly low compliance average of 36% was found for companies in the IT industry, which had a fairly large research population (121 sites).
Source: GDPR READY RESEARCH, Sample: 450 Websites

Figure 2: TOP VERTICAL AVERAGE VALUES FOR INDUSTRY

3.2. IN-DEPTH ANALYSIS RESULTS

A general appreciation for the 150 sites studied in detail refers to the presence of policies cumulated with criteria of visibility, accessibility and content of policies. Compliance level is rated as a percentage and classified as Low (below 25%), Medium (25% – 75%) and Good (over 75%)

While 4% of the organizations analysed do not have a functional website, 13% have no policies, 14% have poor compliance, 53% average and only 17% have a satisfactory level of compliance.

Source: GDPR READY RESEARCH, Sample: 150 Websites

Figure 3: GENERAL APPRECIATION

Another objective of the detailed analysis was the policy evaluation of the compliance criteria presented in the methodology chapter:

From the perspective of Confidentiality, only 21% of the 150 sites have a satisfactory level of compliance, while 51% have an average level, 13% are insufficient, and 15% do not have a Privacy Policy.

Source: GDPR READY RESEARCH, Sample: 150 Websites

Figure 4: PRIVACY POLICY CONFORMITY

Regarding the pages dedicated to the Terms and Conditions, only 14% have a satisfactory level of compliance, 42% a medium level, 25% poor compliance, and 19% have no place Terms and Conditions.

When analysing the Cookies Policy, it appears that only 3% of the sites have an acceptable level of compliance, 33% an average one, 44% an unsatisfactory one, and 23% of the sites do not have cookies.

Finally, the 114 sites that have cookies, were analysed from the perspective of compliance with the GDPR rules for obtaining consent, the way of displaying and the content of the cookie bars, the presence or not of predefined acceptance boxes, as well as the presence of a box of REJECT next to the one of ACCEPT. The results are summarized in Figure 5.

Source: GDPR READY RESEARCH, Sample: 114 Websites

Figure 5: COOKIES BAR CONFORMITY

4. MOST FREQUENT MISTAKES

Among the most common mistakes encountered during this Compliance Review are:

  • The omission of the description of rights, mandatory in any information of the data subjects
  • Not updated content of Privacy Policy – There are many sites where the respective policy refers to Law 677/2001 or the message is displayed: “Our company is a Personal Data Operator registered in the National Register with No. ……”
  • Missing / Not updating Terms & Conditions page
  • Cookies bar is missing although a cookie policy is present on the site
  • The obligation to accept the use of cookies as a condition of continuation on the site
  • The presence of a granular menu for accepting the different categories of cookies with Prefixed boxes
  • Lack of the possibility of Opt-out accepting the use of cookies: 92% of the sites that have a cookie policy.
  • The cookie bar is placed in such a way that it hides the presence of the other policies, usually at the bottom of the site.

5. CONCLUSIONS

The lack of concerns regarding the publication or updating of the Public Policies on the Website can be a worrying finding and a transparent x-ray of how Romanian organizations are willing to invest in aligning with the GDPR.

The presence of these site policies represents a business card, a public statement of the company’s concerns for compliance and accountability.

The public policies on the website represent only the visible part of what can be called a GDPR compliance project. It is hard to believe that an organization that is not concerned with its public image can approach an acceptable level of compliance with internally applied processes, procedures and policies.

One thought on “A COMPLIANCE ANALYSIS OF WEBSITE PRIVACY POLICIES

  1. Pingback: MOST FREQUENT MISTAKES IN GDPR ADOPTION PROJECTS – GDPR Ready!

Comments are closed.