An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies
Timothy Libert

TL;DR
This study audits over 200,000 website privacy policies to assess if users are adequately informed about third-party data collection and if their choices, like Do Not Track, are respected, revealing significant gaps in transparency and compliance.
Contribution
It provides the first large-scale analysis of third-party data collection disclosures and the effectiveness of privacy policies in informing users and respecting their choices.
Findings
Less than 15% of data flows are disclosed in policies.
Most policies are difficult to understand and time-consuming to read.
No third-party policies fully support the Do Not Track signal.
Abstract
A dominant regulatory model for web privacy is "notice and choice". In this model, users are notified of data collection and provided with options to control it. To examine the efficacy of this approach, this study presents the first large-scale audit of disclosure of third-party data collection in website privacy policies. Data flows on one million websites are analyzed and over 200,000 websites' privacy policies are audited to determine if users are notified of the names of the companies which collect their data. Policies from 25 prominent third-party data collectors are also examined to provide deeper insights into the totality of the policy environment. Policies are additionally audited to determine if the choice expressed by the "Do Not Track" browser setting is respected. Third-party data collection is wide-spread, but fewer than 15% of attributed data flows are disclosed. The…
