GPEN

October 2017

Privacy Sweep 2017

The 2017 sweep focused on privacy policies, with results similar to the first privacy policy sweep in 2013. The participating authorities reported that website privacy notices are too vague and generally inadequate, finding most policies:
• Lack information on what happens to data after provided (i.e., purpose of use)
• Are ambiguous as to data shared with third parties (what data, with whom, etc.)
• Lack clarity on how data is secured
• Reference outdated legislation and frameworks
On the positive side, the sweep did find most organizations were generally quite clear on what information they would collect from users.

Some authorities specifically called out deficiencies relating to:
• Providing Information on automated decision-making
• Providing Information on safeguards (encryption)
• Providing Information on the location of personal data retention
• Providing Information on how to delete data
• Providing Information on the access to personal data (SARs)
https://www.privacyenforcement.net/node/906
https://www.privacyenforcement.net/sites/default/files/2017%20GPEN%20Sweep%20-%20International%20Report.pdf
jbho tl;dr. It appears that the 2017 sweep had a less focused approach than in years past (2014 – Cookies, 2015 – Mobile, 2016 – Child Data). Here’s a quick summary of some of the DPAs who participated, and what they covered:

• Albania (financial, banking, retail, social media, education, health, and travel agencies)
  • http://www.idp.al/2017/10/25/gpen-privacy-sweep-2017-finds-ambiguity-in-privacy-policies/
• Canada (educational apps)
  • https://www.priv.gc.ca/fr/nouvelles-du-commissariat/nouvelles-et-annonces/2017/nr-c_171024/
• Alberta (public, private and health sectors)
  • https://www.oipc.ab.ca/news-and-events/news-releases/2017/global-privacy-sweep-finds-websites,-apps-often-not-effectively-communicating-privacy-practices.aspx
• Ontario (online educational services)
  • https://www.ipc.on.ca/resource/2017-gpen-sweep-report-online-educational-services/
• Gibraltar (retail, finance, banking, travel, social media, gaming/gambling, education, and health)
  • http://www.gra.gi/download/1022/pressrelease241017.pdf
• Ireland (retail, finance, banking, travel, social media, gaming/gambling, education, and health)
  • https://www.dataprotection.ie/docs/EN/24-10-2017-International-data-protection-authorities-enforcement-operation-finds-website-privacy-notices-are-too-vague-and-generally-inadequate/m/1674.htm

• Mexico (financial sector, travel agencies, social media, education, and health)
  • http://inicio.inai.org.mx/Comunicados/Comunicado%20INAI-350-17.pdf
• Morocco (education, health, e-tailers, travel, gaming/gambling, social media, finance, and banking)
  • http://www.cndp.ma/fr/presse-et-media/communique-de-presse/454-communiqu%C3%A9-de-presse-du-25-10-2017.html
• New Zealand (retail, finance, banking, travel, social media, gaming/gambling, education, and health)
  • https://privacy.org.nz/news-and-publications/statements-media-releases/nz-website-privacy-notices-could-do-better-to-inform-users-study/
• United Kingdom (retail, banking, lending, travel, and finance price comparison sectors)
  • https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/10/international-enforcement-operation-finds-website-privacy-notices-are-too-vague-and-generally-inadequate/

 

September 2016

You can’t Spell Idiot Without IoT

Results of the 4th annual privacy sweep are in. Some 25 authorities participated in the 2016 IoT sweep, examining 314 different devices globally, including wellness devices, thermostats, smart TVs, connected toys, and many others. Global highlights include:
• 59% of devices failed to provide adequate privacy notice
• 48% failed to disclose third-party data sharing
• 38% provided no privacy contacts
• 68% failed to inform users how information was protected
• 72% failed to explain how users could delete their data
https://www.lda.bayern.de/media/pm2016_06_anhang.pdf
jbho: The GPEN hasn’t yet put together any comprehensive reports on any of its sweep results, but the various DPAs share nuggets here and there. The best summaries are usually put out by the Office of the Privacy Commissioner of Canada (OPC). This time, they provided a nice review, along with tips and hints, on their blog at http://blog.priv.gc.ca/index.php/2016/09/22/how-fit-is-your-gadget-putting-web-connected-healthwellness-devices-through-their-privacy-paces/

In case you forgot, GPEN is a network of approximately 50 privacy enforcement authorities from around the world, including the FTC and FCC.