Twitter, Healthcare.gov top OTA privacy audit

Consumer services websites are improving their privacy practices while news sites need vast improvements. That’s according to Tuesday’s release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices, and data security.

The OTA broke the audit into five industry categories: consumer services, FDIC member banks, government, internet retailers, and news and media. Overall, half of the sites in the audit made the Honor Roll, and consumer services performed best, with nearly three-quarters of its sites making the Honor Roll. Each category is assessed on three factors - consumer protection, privacy, and data security - worth 100 points each. Companies can receive up to 70 bonus points for implementing best practices, or lose points due to, for example, a breach incident or an FTC settlement. To make the Honor Roll, a company must score at least 80 percent overall and tally at least 55 points in each of the three categories.

Twitter topped the overall list of highest-scoring sites, followed by HealthCare.gov, Pinterest, the White House, Dropbox, FileYourTaxes, LifeLock, Instagram, 1040.com, and the Gap. For the first time, the OTA also released the top five performers in each industry category. 

“I was delighted, yet surprised by the number of companies that qualified this year,” OTA Executive Director Craig Spiezle said in a phone interview. “Our goal is to see positive movement in responsible consumer protection and privacy policy,” but, he added, “From a privacy perspective, we still think there are significant areas where privacy policies are inadequate.” 


Though they improved 300 percent over last year’s audit, news and media sites still performed the worst. According to the report, the two main failures stem from incomplete privacy policies and “heavy use of third-party data trackers.” Jeff Wilbur, who chairs OTA’s board of directors and helped lead this year's audit, said during a separate phone interview that news sites are the biggest users of “promiscuous trackers” because their business model is so ad-focused. “Privacy is the biggest issue for them, followed by email authentication and then consumer protection,” he added.

From the OTA report

“We’re seeing that more and more companies are adopting best practices,” said Wilbur, though he pointed out that privacy scores dipped a bit this year because the OTA was more rigid in its scoring. In reading each site’s privacy policy, the audit focused on its language, including whether data is shared with third parties, whether a data retention policy was articulated, if the policy was layered and linked from the site’s home page, if it honors do-not-track requests, and whether it had a statement applying to COPPA. He said that sites lost points when they simply said they would share data to avoid liability. He also pointed out that sites received bonus points for including privacy policies in multiple languages, something he said one day could become a standard practice.

"This is the difference between compliance and stewardship," said Spiezle. "We need to move privacy pros away from the compliance mindset." 

Both Spiezle and Wilbur noted that, over the years, what's considered an above-and-beyond practice eventually becomes a standard practice. "Two years ago," Spiezle explained, "the DNT disclosure was considered a bonus. Not anymore. Next year we'll consider other bonuses as the new standard. It's part of the natural evolution of the criteria we use. You see the same thing in security, it's constantly evolving."

Spiezle noted that some sites redline their privacy policy when they make changes, so that consumers, regulators, and civil society can see exactly what was altered. He said companies that redlined their policies received bonus points, but added that the practice could someday become part of the standard.

Though OTA assesses all these sites, it is constantly looking for feedback from its members and the companies it works with, and goes so far as to issue a call for public comment every Fall. Wilbur said that companies will sometimes reach out to the OTA. "We will walk them through what we're looking for to the extent we can, though it's not scalable when you're assessing 1,000 websites," he said.

"We're really using the carrot rather than the stick," Wilbur added. 

Ultimately, Spiezle said the OTA is trying to get companies to adopt and implement best practices. "We want to raise awareness, drive adoption, and highlight leadership."

Photo credit: screen shot from the OTA's 2016 Honor Roll report

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
