Show Abstract
Companies and government agencies are subject to distinct regulations that govern their collection and use of personally identifiable information. Yet, do privacy policies of companies and government agencies reflect this distinction? In this paper, we take advantage of two of the most recent automatic privacy policy analysis tools, Polisis and PrivacyCheck, and five corpora of over 800 privacy policies to answer this question. We discover that government agencies are considerably better in protecting (or not collecting for that matter) sensitive financial information, social security numbers, and user location. On the other hand, many of them fail to directly address children’s privacy or describe security measures taken to protect user data. Furthermore, we observe the positive effect of European regulation, such as the GDPR, on European government agencies. E.U government agencies perform well, with respect to notifying users of policy change, giving users the right to edit/delete their data, and limiting data retention— all of which are GDPR tenets. Our work sheds light on the actual effect of regulating privacy policies, paves the way for lawmakers to improve such regulation, and assists the research community in enhancing the usability of privacy policies through studying their trends.
Access Publication: Download PDF of Report