The Online Trust Alliance has released the results of its ninth annual Online Trust Audit and Honor Roll, this year finding an overall increase in trustworthy websites, with some caveats. Consumer services websites — non-retail sites that require a login — received the OTA's highest marks, while banking and government websites scored the lowest. 

In its annual audit, the OTA, which is now part of an Internet Society initiative, analyzes more than 1,000 consumer-facing websites to assess their privacy, security and consumer protection practices. Overall, the audit revealed 52 percent of the websites analyzed qualified for the honor roll, an uptick of five percent over last year. But the audit also found what it considers an "alarming three-year trend" that finds websites are either making the grade or completely failing to meet the OTA's trustworthy objectives. 

In a phone conversation with The Privacy Advisor, OTA Founder and Chairman Emeritus Craig Spiezle said this "bimodal" distribution is a bad sign. "There's no middle ground," he said. "It's as if students are either getting As or are getting Fs." Spiezle says this indicates that organizations are either taking privacy very seriously or not at all. 

On the flip side, the OTA saw a dramatic improvement in the privacy practices of online news sites. This year, 48 percent of news and media sites made the grade, the most significant improvement in the past year among all industries surveyed by the OTA. Last year, only 23 percent of news and media sites met the criteria. 

"This is a real comeback story," Spiezle said of the news and media industry. "Just four years ago, only four percent of this sector" met the OTA's standards. He said the industry's privacy policies are getting much better. He also praised the work of Digital Content Next, a trade organization for online publishers. "We did briefings with their members and pointed to where privacy policies had holes in them. Clearly, they rallied to the call." 

The poorest-performing sectors this year were the federal government and the banking industry. Thirty-nine percent of government websites made the honor roll, down seven percent from last year, while banking saw the largest decline of any sector: only 27 percent of the FDIC 100 banks audited by the OTA qualified, a drop of 28 percent from last year. 

Spiezle said the decline in the financial sector stems from data released by the Consumer Financial Protection Bureau, as well as a number of data breaches and settlements during the last year. He said that banks typically have a standardized privacy policy, but those policies often "don't meet the disclosures we're looking for." The OTA, for example, takes points away from policies that remain silent on critical issues, such as disclosure of user data to third parties or data retention. He also noted that larger banks have long histories of acquiring smaller banks, which often leaves them with heterogeneous systems; consumer services websites, by contrast, tend to be far more homogeneous. 

The OTA also added a new industry category this year covering internet service providers, carriers, hosting providers and email providers. Spiezle said they foresaw the need for it given the Federal Communications Commission's proposed broadband privacy rules and their eventual rollback. 

Overall, Spiezle said the OTA is not out to get companies and that the audit is meant to be collaborative. He acknowledged that organizations may at first find the OTA's ratings adversarial, but "we'll go through and point out loopholes in their privacy policy." For Spiezle, companies should keep their privacy policies honest, simple and straightforward. "If you don't share data with third parties, then say it; if you don't retain user data, say it," he noted.

After such conversations, organizations will often take a step back and ask, "Are we doing what we say we're doing? Could we be clearer?" Spiezle says he often sees amazing results from this process. Sites end up clarifying and improving their policies, making them more user-friendly, transparent, and easy to read. 

"That's rewarding," he said. "We're not adversaries; we're trying to help." 

For the OTA, next year's audit starts today, according to Spiezle, and with the General Data Protection Regulation set to be in full effect by the time of the OTA's 10th annual audit, there will be lots to talk about. He says the GDPR is a call to action, something he'll speak about further at the IAPP's P.S.R. Conference in San Diego this fall. The regulation will create the need for a "rethink" about how organizations collect, process, share and delete personal data. 

Moving forward, Spiezle invites feedback and collaboration with industry: "We don't want to do this in a bubble. We want to be open and collaborative, to recognize leadership in the field and gain feedback from industry."