Most organizations fall short of global data privacy requirements
A majority of organizations do not comply with current international data privacy regulations and are not prepared for new U.S. regulations rolling out in 2020, according to a new report by the Internet Society’s Online Trust Alliance.
The alliance, which identifies and promotes security and privacy best practices that build consumer confidence in the Internet, analyzed 29 variables in 1,200 privacy statements against common themes in three major privacy regulations: the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
The study found that a majority of privacy statements (98 percent) had some language about data sharing, with two-thirds (67 percent) stating they do not share data with third parties. However, less than 1 percent of organizations had language stating which types of third parties could access user data.
Although this is not yet a requirement in the U.S., none of the organizations audited had any language about notifying users if their information was sold or shared.
Many privacy regulations now require that any third parties an organization works with be held to the same data sharing standards the organization holds itself to, yet only 57 percent of organizations currently say they hold third parties to this standard.
Many privacy regulations highlight data retention as an important concept, the report said, as many unauthorized data releases occur when an attacker accesses stored information that a company did not need to keep. Only 2 percent of organizations had explicit language about data retention.