Privacy statements have often served as real-world examples of the classic philosophical query: if a tree falls in a forest and no one is around to hear it, does it make a sound? A 2016 study straightforwardly titled “The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services” offered 543 American undergraduate students the opportunity to sign up for and test a new social network. In reality, there was no new social network; the experiment only measured the students’ review of the privacy statement and terms of service during their efforts to sign up as testers. As foreshadowed by the study’s title, very little attention was paid to either. Seventy-four percent of subjects skipped reading the privacy statement entirely. Of the twenty-six percent who actually studied the privacy statement, the average time spent reviewing it was only seventy-three seconds, although reading every word would have actually taken about thirty minutes. The subjects spent an average of fifty-one seconds on the terms of service, which should have taken about fifteen minutes to read fully. The short amount of time spent reviewing the terms of service resulted in ninety-eight percent of the study’s participants agreeing, among other things, to provide their first-born child as payment for access to the network. Only two percent of subjects noticed the requirement and declined to sign up for the service.
However, privacy statements will garner increased scrutiny with the impending implementation of the General Data Protection Regulation (“GDPR”) on May 25, 2018, which imposes multiple privacy statement requirements in Articles 12 and 13. Hundreds of privacy statements were recently studied by the Global Privacy Enforcement Network (“GPEN”), a worldwide network of privacy enforcement agencies from forty-seven countries established to address global privacy enforcement and cooperation. The GPEN analyzed the privacy statements of 455 global websites and applications across industries including retail, finance, banking, travel, social media, gaming, education, and healthcare to evaluate their compliance with certain GDPR Article 12 and 13 requirements. GPEN found “significant room for improvement” across the board:
Almost a quarter of the privacy statements failed to identify what types of personal information would be collected;
Over sixty-five percent of the privacy statements did not inform users whether any safeguards were in place to protect collected personal data;
Nearly seventy percent of the privacy statements did not identify the country or countries where users’ information would be stored;
Almost half of the privacy statements did not inform users how they could access or delete their personal data;
Some privacy statements referred to outdated legislation such as the Safe Harbor Framework.
A full copy of the GPEN’s report is available here.
The privacy statements of the 455 organizations may have been deficient in other areas, as well. The GPEN’s study did not assess whether the privacy statements complied with all of the requirements of GDPR Articles 12 and 13. It also did not evaluate whether the privacy statements complied with other applicable global privacy laws, such as California’s Online Privacy Protection Act, Canada’s Personal Information Protection and Electronic Documents Act, Japan’s Personal Information Protection Act, or Mexico’s Federal Law for the Protection of Personal Data Possessed by Private Persons. Moreover, the GPEN did not analyze compliance with sector-specific privacy regulations.
Serious consequences, including criminal and civil penalties, can occur where privacy statements misrepresent an organization’s privacy practices or fail to comply with applicable regulations. The Federal Trade Commission has repeatedly found misleading or inaccurate privacy statements to constitute deceptive trade practices. Under the GDPR, the failure to comply with the requirements of Articles 12 and 13 can result in regulatory fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater. European consumers can also bring private causes of action for inaccurate or deficient privacy statements under Article 82 of the GDPR, even if they do not suffer any material damages.
Since privacy statements are receiving more attention globally and the consequences of inaccuracies are growing, particularly for organizations impacted by the GDPR, organizations should review their privacy statements often to ensure they accurately reflect the company’s practices for handling personal data. If you have any questions about privacy statement development and compliance, please contact any member of our Cybersecurity and Privacy practice team.
This Client Alert is for information purposes only and should not be construed as legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information or an explanation about the matters discussed in this Alert, please contact one of the attorneys listed above.