TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Twitter, Healthcare.gov top OTA privacy audit Related reading: Get the full picture on PIAs and DPIAs

rss_feed
OneTrust_Square Banner_300x250_DD_ROS_01_19
APF17_WebBanner_300x250-COPY
Webcon_PA_300x250_ad_April-17_FINAL

Consumer services websites are improving their privacy practices while news sites need vast improvements. That’s according to Tuesday’s release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices, and data security.

The OTA broke the audit into five main industry categories, including consumer services, FDIC member banks, government, internet retailers, and news and media. Overall, half of the sites in the audit made the Honor Roll, and consumer services performed the best, with nearly three-quarters making the Honor Roll. Each category is assessed on three factors - consumer protection, privacy, and data security - worth 100 points each. Companies can receive up to 70 bonus points for implementing best practices or lose points due to a breach incident or an FTC settlement, for example. To make the honor roll, a company must get a total score of at least 80 percent or better and tally at least 55 points within each of the three categories. 

Twitter topped the overall list of highest-scoring sites, followed by HealthCare.gov, Pinterest, the White House, Dropbox, FileYourTaxes, LifeLock, Instagram, 1040.com, and the Gap. For the first time, the OTA also released the top five performers in each industry category. 

“I was delighted, yet surprised by the number of companies that qualified this year,” OTA Executive Director Craig Spiezle said in a phone interview. “Our goal is to see positive movement in responsible consumer protection and privacy policy,” but, he added, “From a privacy perspective, we still think there are significant areas where privacy policies are inadequate.” 

“I was delighted, yet surprised by the number of companies that qualified this year ... (but) from a privacy perspective, we still think there are significant areas where privacy policies are inadequate.” - OTA Executive Director Craig Spiezle

Though it had a 300-percent improvement over last year’s audit, news and media sites performed the worst. According to the report, the two main failures stem from incomplete privacy policies and “heavy use of third-party data trackers.” Jeff Wilber, who chairs OTA’s board of directors and helped lead this year's audit, said during a separate phone interview that news sites are the biggest users of “promiscuous trackers” because their business model is so ad-focused. “Privacy is the biggest issue for them, followed by email authentication and then consumer protection,” he added.

From the OTA report

From the OTA report

“We’re seeing that more and more companies are adopting best practices,” said Wilbur, though he pointed out that privacy scores dipped a bit this year because the OTA was more rigid in its scoring. In reading each site’s privacy policy, the audit focused on its language, including whether data is shared with third parties, whether a data retention policy was articulated, if the policy was layered and linked from the site’s home page, if it honors do-not-track requests, and whether it had a statement applying to COPPA. He said that sites lost points when they simply said they would share data to avoid liability. He also pointed out that sites received bonus points for including privacy policies in multiple languages, something he said one day could become a standard practice.

"This is the difference between compliance and stewardship," said Spiezle. "We need to move privacy pros away from the compliance mindset." 

Both Spiezle and Wilbur noted that, over the years, what's considered an-above-and-beyond practice eventually becomes a standard practice. "Two years ago," Spiezle explained, "the DNT disclosure was considered a bonus. Not anymore. Next year we'll consider other bonuses as the new standard. It's part of the natural evolution of the criteria we use. You see the same thing in security, it's constantly evolving." 

Spiezle noted that some sites redline their privacy policy when they have made alterations. That way, consumers, regulators, and civil society can see the actual changes that have been made. He said companies that practiced redlined policies received bonus points, but added that someday they could become part of the standard. 

"This is the difference between compliance and stewardship," said Spiezle. "We need to move privacy pros away from the compliance mindset." 

Though OTA assesses all these sites, it is constantly looking for feedback from its members and the companies it works with, and goes so far as to issue a call for public comment every Fall. Wilbur said that companies will sometimes reach out to the OTA. "We will walk them through what we're looking for to the extent we can, though it's not scalable when you're assessing 1,000 websites," he said.

"We're really using the carrot rather than the stick," Wilbur added. 

Ultimately, Spielze said the OTA is trying to get companies to adopt and implement best practices. "We want to raise awareness, drive adoption, and highlight leadership." 

Photo credit: screen shot from the OTA's 2016 Honor Roll report

Comments

If you want to comment on this post, you need to login.