The Privacy Policy Landscape After the GDPR


Every new privacy regulation brings along the question of whether it results in improving the privacy for the users. The EU General Data Protection Regulation (GDPR) is one of the most demanding and comprehensive privacy regulations of all time. Hence, a few months after it went into effect, it is natural to study its impact on the landscape of privacy policies online. In this work, we conduct the first longitudinal, in-depth, and at-scale assessment of privacy policies before and after the GDPR. We gauge the complete consumption cycle of these policies, from the first user impressions until the compliance assessment. We create a diverse corpus of 3,686 English-language privacy policies for which we fetch the pre-GDPR and the post-GDPR versions. Our user study, with 460 participants on Amazon MTurk, does not indicate a significant change in the visual representation of privacy policies from the users' perspective. We also find that the readability of privacy policies suffers under the GDPR, due to almost a 23% more sentences and words, despite the efforts to reduce the reliance on passive sentences. We further develop a new workflow for the automated assessment of requirements in privacy policies, building on automated natural language processing techniques. Using this workflow, we show that privacy policies cover more data practices, particularly around data retention, user choice, and specific audiences, and that an average of 16.5% of the policies improved across seven compliance metrics. Finally, we also assess how transparent the organizations are with their privacy practices by performing specificity analysis. In this analysis, we find evidence for positive changes triggered by the GDPR, with the specificity level, averaged over eight metrics, improving in over 19.4% of the policies.

Proceedings on Privacy Enhancing Technologies 2020