http://orcid.org/0000-0002-0415-5814
ABSTRACT
Today, more than ever, companies collect their customers’ Personally Identifiable Information (PII) over the Internet. The alarming rate of PII misuse drives the need for improving companies’ privacy practices. We thoroughly study privacy policies of 600 companies (10% of all listings on NYSE, Nasdaq, and AMEX stock markets) across industries and investigate 10 different privacy pertinent factors in them. The study reveals interesting trends: for example, more than 30% of the companies still lack privacy policies, and the rest tend to collect users’ information but claim to use it only for the intended purpose. Furthermore, almost one out of every two companies provides the collected information to law enforcement without asking for a warrant or subpoena. We found that the majority of the companies do not collect children’s PII, one out of every three companies lets users correct their PII but does not allow complete deletion, and the majority post new policies online and expect the user to check the privacy policy frequently. The findings of this study can help companies improve their privacy policies, enable lawmakers to create better regulations and evaluate their effectiveness, and finally educate users with respect to the current state of privacy practices in an industry.
KEYWORDS:
Acknowledgments
This work was supported in part by the State of Texas IDWise Project. The authors would like to thank the Texas Legislature for its vision and investments in research advances and technology to support consumer empowerment in understanding and managing their online privacy and identity assets.
This work was also funded in part by the Center for Identity’s Strategic Partners. The complete list of Partners can be found at https://identity.utexas.edu/strategic-partners.
The authors would also like to thank Rachel L. German, Raphael De Los Santos, Usman Mahmood, Ali Ziyaan Momin, Blake Muir, and Haoran Niu for reading privacy policies, and James E. Zaiss for proofreading this paper.
Notes
1 AMEX was acquired by NYSE in 2008. It has become NYSE AMEX since 2009.
Additional information
Notes on contributors
Razieh Nokhbeh Zaeem
Razieh Nokhbeh Zaeem received her Ph.D. in Electrical and Computer Engineering from the University of Texas at Austin in 2014. In 2010, she was honored as a Google Anita Borg Scholarship Finalist. She interned at Rockwell Automation Inc. in Austin, TX in 2010, and at Fujitsu Laboratories of America in Sunnyvale, CA in 2012. She joined the Center for Identity as a post-doctoral fellow in 2014 and is now a research scientist at the Center. She has published in prestigious journals and conferences on a broad range of topics from automated software engineering and data mining to privacy concerns and identity protection.
K. Suzanne Barber
Suzanne Barber is the AT&T Endowed Professor in Engineering in the Department of Electrical and Computer Engineering and Director of the Center for Identity at The University of Texas at Austin. Previously serving as the Director of Software Engineering at The University of Texas at Austin, Dr. Barber led the cross-disciplinary Center for Excellence in Distributed Global Environments (EDGE).