
The Privacy Policy Landscape After the GDPR (1809.08396v3)

Published 22 Sep 2018 in cs.CR, cs.CL, and cs.CY

Abstract: The EU General Data Protection Regulation (GDPR) is one of the most demanding and comprehensive privacy regulations of all time. A year after it went into effect, we study its impact on the landscape of privacy policies online. We conduct the first longitudinal, in-depth, and at-scale assessment of privacy policies before and after the GDPR. We gauge the complete consumption cycle of these policies, from the first user impressions until the compliance assessment. We create a diverse corpus of two sets of 6,278 unique English-language privacy policies from inside and outside the EU, covering their pre-GDPR and the post-GDPR versions. The results of our tests and analyses suggest that the GDPR has been a catalyst for a major overhaul of the privacy policies inside and outside the EU. This overhaul of the policies, manifesting in extensive textual changes, especially for the EU-based websites, comes at mixed benefits to the users. While the privacy policies have become considerably longer, our user study with 470 participants on Amazon MTurk indicates a significant improvement in the visual representation of privacy policies from the users' perspective for the EU websites. We further develop a new workflow for the automated assessment of requirements in privacy policies. Using this workflow, we show that privacy policies cover more data practices and are more consistent with seven compliance requirements post the GDPR. We also assess how transparent the organizations are with their privacy practices by performing specificity analysis. In this analysis, we find evidence for positive changes triggered by the GDPR, with the specificity level improving on average. Still, we find the landscape of privacy policies to be in a transitional phase; many policies still do not meet several key GDPR requirements or their improved coverage comes with reduced specificity.

Citations (163)

Summary

  • The paper presents a large-scale, longitudinal study analyzing the evolution of online privacy policies across EU and global websites before and after the GDPR implementation.
  • Analyzing over 6,278 policies, the study found improvements in EU policy presentation and increased GDPR coverage, but also significant length increases and varied changes in specificity.
  • While the GDPR spurred substantial policy updates, compliance and specificity gaps persist, indicating an ongoing transition phase towards achieving greater transparency.

An Examination of the GDPR's Influence on Online Privacy Policies

The paper "The Privacy Policy Landscape After the GDPR" offers a meticulous analysis of how online privacy policies have evolved following the enactment of the General Data Protection Regulation (GDPR) in the European Union. The authors conducted a longitudinal, large-scale study comparing privacy policies from before and after the GDPR's implementation to assess how the regulation has affected disclosure practices across various industries. The research presents a comprehensive overview of changes in privacy policies along five lines: their presentation, textual attributes, coverage breadth, compliance with GDPR mandates, and specificity in describing data practices.

Methodology and Findings

The study is distinguished by its breadth, analyzing over 6,278 privacy policies from both EU-based and global websites. The researchers developed an automated pipeline to retrieve and analyze privacy policies, which enabled a comparison of the pre-GDPR and post-GDPR versions of each policy. The authors divided the impact of the GDPR into five dimensions: presentation, text features, coverage, compliance, and specificity.

Presentation: An extensive user study involving 470 participants revealed an enhancement in the presentation of EU privacy policies post-GDPR. In particular, EU policies were observed to be more visually pleasing and clearer, contributing to a more positive user experience when compared to their pre-GDPR versions and to global policies, which did not show significant visual improvements.

Text Features: Textual analysis indicated significant lengthening of privacy policies, with EU and global policies growing by approximately 35% and 25%, respectively, in word count. While sentence length showed slight variation, the overall sentence structure, including the use of the passive voice, remained largely unchanged.

Coverage: Analysis of high-level privacy categories revealed a significant increase in coverage of GDPR-relevant topics such as data retention and user access rights. The EU set showed a higher improvement margin than the global set, reflecting a more pronounced impact of the GDPR on EU policies.

Compliance: Using a structured querying methodology aligned with ICO guidelines, the paper assessed compliance with seven GDPR requirements. It found that while many policies still did not meet every requirement, there was a clear positive trend post-GDPR, with roughly 59.3% of EU policies and 58.2% of global policies complying with the examined GDPR mandates.

Specificity: Despite increased coverage and compliance, the paper highlighted a dichotomy in specificity: while some policies became more explicit in detailing data practices, others expanded their range at the expense of specificity, resulting in generalized statements.

Implications and Future Directions

The GDPR has undoubtedly catalyzed a significant restructuring of online privacy policies, yet gaps remain in compliance and specificity. The transition phase is evident, with many organizations still adapting to meet the GDPR's requirements comprehensively. The research underscores the need for enhanced transparency and specificity to fulfill the ideal of informed data subjects envisaged by the GDPR.

The paper indicates potential directions for further exploration. Future research might explore the regional nuances of compliance and examine the long-term trends in privacy policy adaptations beyond surface-level changes. Furthermore, with evolving AI and machine learning capabilities, the potential for more sophisticated automated policy analysis tools could provide broader insights into the compliance landscape across different jurisdictions.

In conclusion, the paper offers valuable insights into the GDPR's role in reshaping the landscape of privacy policies, highlighting both progress and areas for improvement. The ongoing efforts to enhance transparency signify a step towards bridging the gap between regulatory intentions and practical implementations of privacy obligations.