Song An Low
Privacy policies today fail to convey information in a way that is comprehensible to the majority of Internet users, lack transparency and contain ambiguities. Meanwhile, existing studies on privacy policies have each focused only on a specific area of interest and fail to promote an inclusive outlook on the state of privacy policies, owing to differences in privacy policy samples, text properties, measures, methodologies and backgrounds. To bridge this research gap, this research aims to develop an assessment metric by integrating the fragmented understanding of privacy policies and to explore potential aspects for evaluating privacy policies that are absent from existing studies. The assessment metric will cover three main aspects: content, text property and user interface. Following the least number of companies available in an industry, 9 privacy policies from each of 16 industry sectors will be processed based on the assessment metric. Cohen’s Kappa test and clustering analysis will be performed, respectively, to ensure the validity of the criteria and to discover insights into the qualities of the studied privacy policies. This study is expected to serve as a guideline for assessing privacy policies, to highlight areas that companies should focus on when forming privacy policies, and to better inform individuals about the weaknesses in privacy policies.
As digitalisation increases, further accelerated by the pandemic, more organisations and companies are moving their operations either partially or fully online.
These online services have significantly increased the disclosure and flow of information online.
Although leveraging online platforms and digital media benefits both organisations and consumers with conveniences, these benefits come with an increased exchange of consumers’ personal data, which is sensitive [1].
To protect consumer data privacy, organisations are required to provide privacy policies to consumers whenever personal data is collected.
What is a Privacy Policy?
“Privacy policy is a legal document in which the users are informed about the data practices used by the companies” [2], which include:
- collection,
- processing,
- use,
- managing,
- and disclosure of personal data
- Lengthy
- Difficult to understand
- Full of jargon
- Lack of transparency
- Ambiguous
79% of U.S. adults stated that they are very or somewhat concerned about how companies are using their personal data.
YET
Only approximately one-in-five adults say they always (9%) or often (13%) read privacy policies.
38% of U.S. adults responded that they sometimes read such policies, and 36% say they never read a company’s privacy policy before agreeing to it.
This study aims to develop an assessment metric to thoroughly examine privacy policies to ensure that they serve the purpose of an effective notice to users rather than acting solely as protection to companies.
What is an Assessment Metric?
Metrics are “measures of quantitative assessment commonly used for assessing, comparing, and tracking performance or production” [4].
In this study, the metric consists of assessment criteria gathered from the various aspects established by existing research, together with any other possible areas for assessing privacy policies that extend the knowledge from prior studies.
- content
- text property
- user interface
Motivated by prior research by Chua et al. [5] and Li et al. [6], this aspect aims to investigate the completeness of privacy policies, in other words, whether a privacy policy contains all the sections necessary to notify the user about the privacy and data practices of the company.
To analyse the content of privacy policies, privacy policies will be assessed on their:
- Compliance level, the completeness of privacy policies compared to the principles stated in Malaysia’s Personal Data Protection Act (PDPA).
This aspect aims to study the characteristics of the sentences and words used in privacy policies, because privacy policies that contain all the necessary content but are difficult to comprehend would still fail to notify users about their data practices.
To analyse the text property of privacy policies, privacy policies will be assessed on their:
- Readability, the ease of reading and understanding a piece of text.
- Jargon, the use of specific terminology that is difficult for the public to understand.
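One way to quantify the two text-property criteria, as an added example that is not the study's own code. It assumes the Flesch Reading Ease formula for readability and a hypothetical jargon list, neither of which the page specifies; both sample passages are constructed.

```python
import re

# Hypothetical jargon list (assumption); the page does not give the study's term list.
JARGON = ("herein", "thereof", "pursuant", "aforementioned",
          "notwithstanding", "legitimate interest", "data processor")

# Constructed sample passages, not taken from any real policy.
PLAIN = ("We collect your name and email when you sign up. "
         "We use them to run your account. We do not sell your data.")
LEGALESE = ("Notwithstanding the aforementioned provisions, personal information "
            "may be disclosed to affiliated entities pursuant to the legitimate "
            "interest of the organisation, as described herein.")

def count_syllables(word):
    """Approximate syllables as vowel groups, dropping a silent trailing 'e'."""
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)

def text_properties(text):
    """Score one policy text on readability and jargon density."""
    # Naive sentence split; abbreviations such as "e.g." would need extra handling.
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        raise ValueError("text has no sentences or words to score")
    syllables = sum(count_syllables(w) for w in words)
    # Flesch Reading Ease: higher scores mean easier text.
    fre = (206.835 - 1.015 * len(words) / len(sentences)
           - 84.6 * syllables / len(words))
    # Count whole-term matches so multi-word jargon is found too.
    lowered = " ".join(w.lower() for w in words)
    hits = sum(len(re.findall(r"\b" + re.escape(t) + r"\b", lowered))
               for t in JARGON)
    return {"words": len(words), "sentences": len(sentences),
            "flesch_reading_ease": round(fre, 1),
            "jargon_per_100_words": round(100 * hits / len(words), 1)}

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("legalese", LEGALESE)):
        print(name, text_properties(sample))
```

Both passages contain 23 words, so the gap between their scores comes from sentence length, syllable count and jargon alone.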
This aspect aims to evaluate the visual presentation of the privacy policies since the presentation of visual information affects reading efficiency [7].
To analyse the user interface of privacy policies, privacy policies will be assessed on their:
- Typography, the features of font type and size.
Using the assessment metric developed, live privacy policies will be evaluated based on the three aspects: content, text property, and user interface. Privacy policies will be selected from 16 industries in Malaysia, which are identified based on 11 sectors mandated by the PDPA to comply with the act:
- Communications
- Banking and Financial Institution
- Insurance
- Health
- Tourism and Hospitalities
- Transportation
- Education
- Direct Selling
- Services
- Real Estate
- Utilities
Since the communications sector consists of only nine companies, the fewest among all the industries, nine privacy policies will be selected from each industry, resulting in a total of 144 privacy policies to be evaluated.
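The abstract names Cohen's Kappa as the validity check for the criteria. The following added example (not the study's own code) computes kappa per criterion for two raters who independently code the nine policies of one industry. The criterion names, the Y/N codings and the 0.6 cut-off are constructed assumptions.

```python
import math
from collections import Counter

# Constructed codings: for each criterion, rater A's and rater B's Y/N labels
# for the same nine policies (Y = policy satisfies the criterion).
CODINGS = {
    "Notice and Choice": ("YYYYNYYNY", "YYYYNYYNY"),
    "Security":          ("YYNYYNYYN", "YYNYNNYYY"),
    "Retention":         ("YNYNYNYNY", "NYYNNYYNN"),
}

def cohens_kappa(rater_a, rater_b):
    """Cohen's kappa for two raters labelling the same items."""
    if len(rater_a) != len(rater_b) or len(rater_a) == 0:
        raise ValueError("raters must label the same non-empty set of items")
    n = len(rater_a)
    agree = sum(a == b for a, b in zip(rater_a, rater_b))
    # Chance agreement comes from each rater's marginal label counts.
    freq_a, freq_b = Counter(rater_a), Counter(rater_b)
    chance = sum(freq_a[k] * freq_b[k] for k in freq_a.keys() | freq_b.keys())
    # kappa = (p_o - p_e) / (1 - p_e), with both sides scaled by n*n
    # so the numerator and denominator stay integers.
    if chance == n * n:
        # Both raters used one identical label throughout: kappa is 0/0.
        return math.nan
    return (n * agree - chance) / (n * n - chance)

def criteria_needing_revision(codings, threshold=0.6):
    """Criteria whose inter-rater agreement is undefined or below threshold."""
    flagged = []
    for criterion, (a, b) in codings.items():
        k = cohens_kappa(a, b)
        if math.isnan(k) or k < threshold:
            flagged.append(criterion)
    return flagged

if __name__ == "__main__":
    for criterion, (a, b) in CODINGS.items():
        print(f"{criterion}: kappa = {cohens_kappa(a, b):.3f}")
    print("revise:", criteria_needing_revision(CODINGS))
```

A criterion on which raters agree in 7 of 9 policies still only reaches kappa 0.5 here, because most of that agreement is expected by chance when both raters answer Y two-thirds of the time.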
Gaining Insights through Clustering Analysis
The flow chart below explains the process to gain insights on the characteristics of privacy policies in Malaysia through clustering analysis.
References
[1] C. Mutimukwe, E. Kolkowska, and Å. Grönlund, "Information privacy in e-service: Effect of organizational privacy assurances on individual privacy concerns, perceptions, trust and self-disclosure behavior," Government Information Quarterly, vol. 37, no. 1, p. 101413, 2020, doi: 10.1016/j.giq.2019.101413.
[2] J. Kaur, R. A. Dara, C. Obimbo, F. Song, and K. Menard, "A comprehensive keyword analysis of online privacy policies," Information Security Journal: A Global Perspective, vol. 27, no. 5-6, pp. 260-275, 2018, doi: 10.1080/19393555.2019.1606368.
[3] B. Auxier, L. Rainie, M. Anderson, A. Perrin, M. Kumar, and E. Turner, "Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information," Pew Research Center: Internet, Science & Tech, Nov. 15, 2019. [Online]. Available: https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/
[4] J. Young, "Metrics." https://www.investopedia.com/terms/m/metrics.asp (accessed Nov. 15, 2020).
[5] H. N. Chua, A. Herbland, S. F. Wong, and Y. Chang, "Compliance to personal data protection principles: A study of how organizations frame privacy policy notices," Telematics and Informatics, vol. 34, no. 4, pp. 157-170, 2017, doi: 10.1016/j.tele.2017.01.008.
[6] Y. Li, W. Stweart, J. Zhu, and A. Ni, "Online Privacy Policy of the Thirty Dow Jones Corporations: Compliance with FTC Fair Information Practice Principles and Readability Assessment," Communications of the IIMA, vol. 12, p. 5, 2012.
[7] J. Banerjee and M. Bhattacharyya, "Selection of the optimum font type and size interface for on screen continuous reading by young adults: an ergonomic approach," Journal of Human Ergology, vol. 40, pp. 47-62, 2011.
Clustering is a type of machine learning technique that aims to discover the natural grouping within data. In simple words, this means grouping a set of objects with similar characteristics into groups or clusters.
For more explanation of the basic concepts of clustering, watch this five-minute video by Arham from Data Science Dojo.
1. The metric formed would serve as a guideline to assess privacy policies.
Companies may improve on their existing privacy policies by referring to the criteria of the metric.
2. The results of clustering analysis could reflect the characteristics of privacy policies in Malaysia.
This highlights areas that companies should pay attention to when addressing the limitations of their privacy policies in communicating effective notice to consumers.
3. The evaluation of privacy policies using the developed metric could better inform individuals about the existing weaknesses in privacy policies.
This may provide them with better judgements on privacy policies before making any decisions.
I would like to take this opportunity to express my sincere gratitude to my research supervisor, Dr. Chua Hui Na, Associate Professor at the Department of Computing and Information Systems, Sunway University for her invaluable guidance and constructive advice in keeping me on track throughout this research.
[Charts: "Concern About How Data is Used"; "How Often Americans Read Privacy Policies"]