Some Sites Reserve Right To Share Personal Data
Although the vast majority of popular Web sites have privacy policies, many of those sites don't actually promise to protect users' privacy, according to new research from PrivacyChoice.
The organization said in a report released Monday that one in five popular sites and apps with privacy policies reserve the right to share users' personal information -- including names, email addresses and contact information -- for any commercial purposes. Many of the sites with those broad reservation-of-rights clauses are e-commerce destinations, says PrivacyChoice CEO Jim Brock.
For the report, PrivacyChoice examined the privacy policies of 2,500 of the most popular Web sites and apps. The group compiled the list of sites to examine based on data from comScore and other sources; around 300 of the apps examined were found on Facebook, Brock says.
Many of those sites are "first parties," meaning they collect data and store directly from visitors to their sites, and aren't subject to the same self-regulatory privacy principles as Web companies that track people across more than one site. Those principles require companies to notify consumers about online tracking and allow them to opt out of receiving ads targeted based on Web-surfing behavior.
PrivacyChoice, which offers the free app PrivacyFix, flags sites with problematic privacy policies. Brock says the group is urging consumers not to provide data to the 20% of sites that reserve the right to transfer data without restrictions. "I don't think it's a good idea to give personal data to a site that won't tell you what they'll do with it," Brock says.
PrivacyChoice also examined whether sites have procedures for discarding data, or for allowing users to request that their data be removed. The majority -- 60% -- do not offer users any way to remove their data. "Most sites consider data a one-way street. It flows to them and it stays with them," Brock says.
Only 38% of sites appear to contemplate shedding consumer data. Those sites either don't retain the data, or have a process for users to remove information.