Twitter, Healthcare.gov top OTA privacy audit

Consumer services websites are improving their privacy practices while news sites need vast improvements. That’s according to Tuesday’s release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices, and data security.

The OTA broke the audit into five main industry categories: consumer services, FDIC member banks, government, internet retailers, and news and media. Overall, half of the sites in the audit made the Honor Roll, and consumer services performed the best, with nearly three-quarters making the Honor Roll. Each category is assessed on three factors - consumer protection, privacy, and data security - worth 100 points each. Companies can receive up to 70 bonus points for implementing best practices or lose points due to a breach incident or an FTC settlement, for example. To make the Honor Roll, a company must get a total score of at least 80 percent and tally at least 55 points within each of the three categories.

Twitter topped the overall list of highest-scoring sites, followed by HealthCare.gov, Pinterest, the White House, Dropbox, FileYourTaxes, LifeLock, Instagram, 1040.com, and the Gap. For the first time, the OTA also released the top five performers in each industry category. 

“I was delighted, yet surprised by the number of companies that qualified this year,” OTA Executive Director Craig Spiezle said in a phone interview. “Our goal is to see positive movement in responsible consumer protection and privacy policy,” but, he added, “From a privacy perspective, we still think there are significant areas where privacy policies are inadequate.” 


Though they showed a 300-percent improvement over last year’s audit, news and media sites performed the worst. According to the report, the two main failures stem from incomplete privacy policies and “heavy use of third-party data trackers.” Jeff Wilbur, who chairs OTA’s board of directors and helped lead this year's audit, said during a separate phone interview that news sites are the biggest users of “promiscuous trackers” because their business model is so ad-focused. “Privacy is the biggest issue for them, followed by email authentication and then consumer protection,” he added.

From the OTA report


“We’re seeing that more and more companies are adopting best practices,” said Wilbur, though he pointed out that privacy scores dipped a bit this year because the OTA was more rigid in its scoring. In reading each site’s privacy policy, the audit focused on its language, including whether data is shared with third parties, whether a data retention policy was articulated, whether the policy was layered and linked from the site’s home page, whether it honors do-not-track requests, and whether it had a statement applying to COPPA. He said that sites lost points when they simply said they would share data to avoid liability. He also pointed out that sites received bonus points for including privacy policies in multiple languages, something he said one day could become a standard practice.

"This is the difference between compliance and stewardship," said Spiezle. "We need to move privacy pros away from the compliance mindset." 

Both Spiezle and Wilbur noted that, over the years, what's considered an above-and-beyond practice eventually becomes a standard practice. "Two years ago," Spiezle explained, "the DNT disclosure was considered a bonus. Not anymore. Next year we'll consider other bonuses as the new standard. It's part of the natural evolution of the criteria we use. You see the same thing in security, it's constantly evolving."

Spiezle noted that some sites redline their privacy policy when they have made alterations. That way, consumers, regulators, and civil society can see the actual changes that have been made. He said companies that practiced redlined policies received bonus points, but added that someday they could become part of the standard. 


Though the OTA assesses all these sites, it is constantly looking for feedback from its members and the companies it works with, and goes so far as to issue a call for public comment every fall. Wilbur said that companies will sometimes reach out to the OTA. "We will walk them through what we're looking for to the extent we can, though it's not scalable when you're assessing 1,000 websites," he said.

"We're really using the carrot rather than the stick," Wilbur added. 

Ultimately, Spiezle said the OTA is trying to get companies to adopt and implement best practices. "We want to raise awareness, drive adoption, and highlight leadership."

Photo credit: screen shot from the OTA's 2016 Honor Roll report

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
