News

Report: U.S. Web Sites Not Protecting Your Private Data

• By Kurt Mackie
• January 28, 2022

According to a study announced Friday by privacy compliance solutions vendor Zendata, many Web sites were found to have woeful data protection practices in place.

The context is the European Union's General Data Protection Regulation (GDPR), which went into effect years ago on May 25, 2018.

The GDPR specifies financial penalties for data privacy infractions that also apply to U.S. companies when they interact with European Union denizens. Zendata pegged the GDPR fines at the $80,000 to $120,000 range, but data breaches will cost organizations more and they'll bear upfront costs in the "millions."

No Opt Out
For the study, Zendata analyzed the top 1,000 U.S. Web sites (per Crunchbase.com data) during the Dec. 2021 period, using its own software for the analyses. Almost half of the sites (43.2 percent) didn't offer a choice of opting out of having one's data being sold. The actual use of the collected data was deemed as "ambiguous" for 41.4 percent of these sites.

Web site operators also failed in various ways to alert site visitors about the use of cookies to track their actions. Zendata found that 54.9 percent of the sites lacked a cookie message on the first load, and 31.7 percent of these sites not alerting users to cookies also used ad trackers.

Web site visitors also are getting tracked by "device fingerprinting," which was the case for 43.8 percent of the top U.S. Web sites studied.

Complex Privacy Policies
Perhaps worst of all, Zendata's study found that 82.1 percent of the top Web sites used complex privacy policies that were difficult to understand. Zendata researchers didn't read through these policies, but instead used a scanner and algorithm to make that determination.

"Websites with privacy policies that are 'difficult to understand' were determined by a proprietary machine learning model which takes into account privacy policy length, structure of the website, description of data uses, readability of the page, sentence length and lexical diversity," the announcement explained.

Reading privacy policies is sort of failure by design. It was once estimated that it would take "244 hours a year" for an American to read the privacy policies of all the Web sites visited. That estimate comes from a 2008 study, though. It's now deemed to be an impossible task due to the "length, terminology and ambiguous language" used in Web site privacy policies, Zendata contended.

A privacy-driven approach by Web sites leads to a positive effect, both in terms of brand and revenue, according to Zendata, citing a 2019 GDPR study. Zendata sells a service toward that end, but noted that "the average privacy compliance tools are at about $60k," plus IT support costs, making them costly for many small-to-medium businesses.