Privacy statement generators: a comparison
| Joost Krapels |
All organizations processing personal data, even the ones without an in-house privacy expert, are required to disclose information on this processing. Most organizations do this through a privacy statement on their website. Several websites offer a free privacy statement generator, but do these actually produce valid privacy statements? In this article, we summarize the research Nassim Kattouss BSc. did on privacy statement generators, and share the outcomes. At the end, we provide some recommendations.
Privacy statement generators
Most sites nowadays have a privacy statement/privacy notice at the bottom. In these statements, the company explains which personal data (e.g. name, email address, IP-address, etc.) of its clients it processes. Informing people whose personal data you process before you start the processing is mandatory for companies, but the medium is a free choice. Videos, diagrams, or even voice recordings are legal means as well.
Even though it is not required to use a privacy statement, most companies choose to use a privacy statement as a way to comply with the
articles of the General Data Protection Regulation (GDPR) concerning personal data collection. Privacy statements do, however, often have a variety of issues: they are quite lengthy, not written in the user’s language, and are often vague or even overly specific.
The above-mentioned issues are very common in privacy statements because there is a bundle of information a privacy statement should
contain such as:
- which data the companies collect;
- all the rights the consumers have under the GDPR;
- to which countries and parties the data flows.
The above-mentioned points are a small part of what should be present in a privacy statement. Of the 99 articles the GDPR comprises, three (12-14) directly address what information needs to be provided to users and what the requirements are. In 2019, we shared a (Dutch) checklist of the requirements. Some requirements are objective, such as stating your identity and contact details. Others are more subjective, such as the need for the communication to be “concise, transparant, intelligible, and easily accessible” (article 12).
Since not everyone is a privacy expert, many privacy statement generators have popped up online in the last four to five years. A generator asks the user to enter the required datapoints, and a privacy statement will be generated in a matter of seconds. When a company generates a privacy statement with a generator, their aim is to cover all obligations the GDPR has placed on them; the company wants to have a privacy statement that is complete. In his paper, Nassim Kattouss shows that you cannot blindly trust a privacy statement generator to create a legally valid privacy statement. To do this, he analyzed sixteen free online privacy statement generators on legal completeness, and asked participants in a survey to score the readability and understandability.
After analysis, it became apparent that most of the privacy statement generators tested in this paper generate incomplete privacy statements. Only four out of the sixteen generate complete privacy statements. Kattouss also concluded that the four complete privacy statements all scored at least a 4.0 out of 5.0 on readability and understandability. There was no clear “winner” out of all sixteen generated privacy statements, since the top four scored extremely similarly overall.
Of the six Dutch generators only two contained nearly all mandatory topics. Curiously, both these generators even stated automated decision-making, while this was not part of the test case and should have been left out. Of the ten English generators only two contained nearly all mandatory topics too. Neither one of these generators stated automated decision-making while this was not part of the test case and should have been left out.
The top four generated privacy statements scored very similar on readability and understandability. Besides the survey, Kattouss also analyzed the statements using the Fletch readability test. Even though this test is no silver bullet, it gives a decent indication of the education level needed to understand a text. All four statements were in the category “college education”, which does not nearly reflect 100% of the population.
To put his findings on readability into perspective, Kattouss used other data points collected during his questionnaires. He asked participants for their experience with privacy statements and their level of education. The majority, 81%, had at least some experience with privacy statements. Also, the average participant was high-educated.
We recommend to only use privacy statement generators if you have no easy access to a privacy or legal expert. In the case of privacy statements, we also believe in best-effort: a transparent and decent privacy statement is better than no privacy statement. If you have to create a privacy statement on short notice without expertise on hand, we recommend the following steps:
- For Dutch, create a draft privacy statement using the generator on veiliginternetten.nl. This website is an initiative by several Dutch public and semi-public institutions. For English, use the generator on termly.io.
- Copy the draft, and paste it in a text editor. Check whether the following is complete, and add where needed:
- The processing activities (your main service/product, improving the website, advertisement, etc.)
- The list of personal data processed
- The legal bases for your processing activities (legitimate interest, consent, etc.)
- If there is no automated decision-making, remove this from the template to avoid confusion
- The security measures you take to protect the personal data
- How people can lodge a complaint with you and the national supervisor (e.g. Autoriteit Persoonsgegevens)
- If you are happy with the statement, post it on your website. If you still have doubts, contact privacy specialists. (for example, ICT Institute)
The sixteen privacy statement generators checked during the research are:
- Stichting Webwinkelkeur
- Rocket Lawyer
- New Zealand Privacy Office
Image credit: @minkus via Unsplash
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.