The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. The assessment, the OTA’s 10th Online Trust Audit, reviewed 29 variables in the publicly posted privacy statements from each organization.
While privacy statements are only one outward-facing piece of a larger information privacy management program, they are also subject to requirements defined in these privacy laws. The goal is that they accurately reflect the organizations’ privacy practices, as thoroughly and clearly as possible, so that users can make an informed decision about whether or not to share their information with the organization.
Because this assessment covered only these posted policies, its context is limited. For example, the fact that only 57% of the organizations stated that they hold third parties to the same standard doesn’t mean 43% of organizations aren’t doing it. Nevertheless, the criteria highlighted in this report are all important considerations to include when reviewing your organization’s privacy program.
A copy of the full report can be downloaded here.