National statistics suggest that 87.9% of all adults in the U.K. use the internet. With some 45.9 million internet users, almost all Britons have access to the internet at work or for leisure.
Most of us carry a smartphone or an internet-connected device and are regularly checking the news, making purchases, watching videos, or logging in to social media. In one day, we may have visited over 20 sites, and the question is: how many of these take information about you and use it without your knowledge or consent? How many websites are truly safe?
The Information Commissioner’s Office set out to see whether websites across different sectors were doing enough to inform visitors about exactly what personal data they were extracting from people’s visits. A review of 30 U.K. websites was made, looking into a variety of sectors including:
- Retail
- Banking and lending
- Travel
- Finance price comparison sectors
Here are the ICO’s key findings:
- 26 out of 30 didn’t specify how and where any collected personal information would be stored
- 26 websites failed to give clear information on whether visitors’ personal information would be shared with third parties and what they would do with it
- 24 websites didn’t give visitors information about removing, or the option to remove, their personal information from the site
- Seven didn’t have clear information about how a visitor could access the data held about them (i.e. through a Subject Access Request).
These findings clearly make for bad reading. As reflected by the number of data breaches constantly being reported, data protection is not being afforded the respect it deserves. Companies are not adequately fulfilling their data protection responsibilities in informing their website visitors of what happens to the information they gather through visitor clicks, searches and inputted information.
This study is part of a global investigation led by the ICO, with 23 other data protection regulators from around the globe also participating in it. They concluded that “there is significant room for improvement in terms of specific details contained in privacy communications.”
The Global Privacy Enforcement Network (GPEN) also provided the following findings over 455 websites reviewed:
- Privacy notices tended to be vague
- On the plus side, most did tell users that they were going to take information from them
- Unfortunately, most organisations didn’t tell users what was going to happen to that data
- Many didn’t specify if personal data would be shared with others and if so, what for
- Many organisations didn’t offer any information about the security of the data they collected
A lot of websites still referred to outdated laws that no longer applied or had been updated. Bigger organisations that provided services to more than one country often didn’t say which jurisdiction’s laws were applicable.
Research Group Manager for our ICO, Adam Stevens, said:
“These findings suggest that people using those websites that we and our international partners examined are generally not very well informed about what happens to their data once it has been collected. That just won’t do. It is important that it is clear to people how they can control their information online.”
As the General Data Protection Regulation (GDPR) looms in the near future, organisations need to step up their cyber security measures and provide the public with relevant information about how they take and work with consumer data. Consumers have a right to be informed so that they’re aware of how their personal data is used, and how they can maintain control over it.