Unifying Privacy Policy Detection

Privacy policies are the main mechanism for websites to describe their practices in collecting and processing visitors' personal data. Their format and content are subject to legal requirements that have changed due to recent new privacy regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA). Studying how privacy policies are adapted to such regulatory change can help identify shortcomings in implementing the law and inform future legislatory initiatives. Existing work in this area mostly studied effects of the GDPR on privacy policies or the "Do Not Sell My Personal Information" link mandated by the CCPA. Methodologically, insights were mainly drawn from English-language privacy policies using keyword-based analyses or machine learning classifiers. In this work, we address this research gap and conduct a bilingual study of privacy policies in English and German that investigates the effects of the GDPR and CCPA/CPRA on privacy policy content, using established methods from corpus linguistics that are language-independent and do not rely on keyword lists or classifiers that may date quickly. We find that, unlike for the GDPR, the CCPA's requirements were not yet widely implemented when it first became enforceable but only with its amendment, the CPRA. Before that, websites used more than 60 variants of the "Do Not Sell" link instead of the mandated wording and did not prominently reference individual rights granted by the CCPA/CPRA. While companies outside California and the US did adapt their disclosures to the CCPA/CPRA, this was limited to English-language policies and did not spill over to policies in German. For GDPR enforcement, we find websites to increasingly rely on legitimate interests to justify data collection, raising concerns whether individuals' interests in the privacy of their personal information are still sufficiently considered.

Section: Text Preprocessingmentioning

confidence: 99%

A Bilingual Longitudinal Analysis of Privacy Policies Measuring the Impacts of the GDPR and the CCPA/CPRA

Hosseini,

Utz,

Degeling

et al. 2024

“…Ambiguity is further introduced by the need to have complete information in these policies [13,40]. In addition, many users need help retrieving specific information from a policy [28], and sometimes locate where the policy is mentioned in a website [30,32,34]. Most of these prior works point to critical challenges of privacy policies; however, they focused on analyzing a single snapshot of the policies.…”

Section: Related Work 21 Privacy Policy Challengesmentioning

confidence: 99%

Evolution of Composition, Readability, and Structure of Privacy Policies over Two Decades

Adhikari

Das

Dewri

2023

Privacy policies outline data collection and sharing practices followed by an organization, together with choice and control measures available to users to manage the process. However, users have often needed help reading and understanding such documents, regardless of their being written in a natural language. The fundamental problems with privacy policies persist despite advancements in privacy design, frameworks, and regulations. To identify the causes of privacy policies being persistently challenging to comprehend, it is vital to investigate historical policy patterns and understand the evolution of privacy policies concerning information packaging and presentation. To this aid, we create a sentence-level classifier to conduct a large-scale longitudinal analysis on different privacy policies from 130,604 organizations, totaling approximately one million policies from 1997 to 2019. We annotate 10,717 sentences from 115 policies in the OPP-115 corpus to implement the classifier and then use those annotations to train the XLNet and BERT classifiers. Results from our analysis reveal that specific data practice categories experience more frequent policy changes than others, making it challenging to track relevant information over time. In addition, we discover that every category has distinct composition, readability, and structural issues, which exacerbate when categories frequently co-occur in a document. Based on our observations, we provide recommendations for policy articulation and revision to make privacy policy documents conform to better coherence and structure.

“…A growing body of literature has tackled the problem to automatically find privacy policies on websites and download them for further analysis. Hosseini et al [28] discuss and evaluate different approaches and identify best practices. Recent research has also shown growing interest in (cookie) consent notices.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, any website collecting such information must have a privacy policy that explains the use of visitors' personal data. To determine if a website had a privacy policy, we followed best practices identified by Hosseini et al [28] and searched for privacy policy specific words in and around HTML link tags. For this, we extended a list of common words for privacy policy links, terms-of-service, and contact pages from a recent study [55] to cover all official EU languages.…”

Section: No Privacy Policymentioning

confidence: 99%

Comparing Large-Scale Privacy and Security Notifications

Utz

Michels

Degeling

et al. 2023

Over the last decade, web security research has used notification campaigns as a tool to help web operators fix security problems or stop infrastructure abuse. First attempts at applying this approach to privacy issues focused on single services or vendors. Hence, little is known if notifications can also raise awareness and encourage remediation of more complex, vendor-independent violations of privacy legislation at scale, such as informed consent to cookie usage under the EU's ePrivacy Directive or the General Data Protection Regulation's requirement for a privacy policy. It is also unclear how privacy notifications perform and are perceived compared to those about security vulnerabilities. To fill this research gap, we conduct a large-scale, automated email notification study with more than 115K websites we notify about lack of a privacy policy, use of third-party cookies without or before informed consent, and input forms for personal data that do not use HTTPS. We investigate the impact of warnings about fines and compare the results with security notifications to more than 40K domains about openly accessible Git repositories. Based on our measurements and interactions with operators through email and a survey, we find that notifications about privacy issues are not as well received as security notifications. They result in lower fix rates, less incentive to take immediate action, and more negative feedback. Specific reasons include a lack of awareness and knowledge of privacy laws' applicability, difficulties to pinpoint the problem, and limited intrinsic motivation.