Privacy White Lists - Don't be Fooled (2009)
1. Introduction
Privacy ‘white lists’ are published by trustmark schemes to help identify which organisations have been certified as compliant members of their scheme. If an organisation is on the list, a consumer may have an increased level of confidence that they will be covered by the rules of the trustmark scheme, including privacy protection and dispute resolution. Consumers can also use the white lists to check that the use of the trustmark is valid, as a significant proportion of trustmarks that appear on websites are often fake or expired.
There is a trend towards the global expansion of white lists, and there is a proposal to develop an APEC white list of organisations that comply with the APEC Privacy Framework Cross Border Privacy Rules.[2]
This article summarises a Galexia study of white lists published by trustmark schemes. (Surprisingly, not all trustmark schemes publish white lists.) The study only examined white lists where the trustmark operators claim that organisations on the lists have passed strict verification of privacy protection standards. Also, the study only examined white lists that have some form of Government backing, oversight or approval. Only six white lists are published that meet all of these criteria, and the Galexia study excluded one white list (ESRB) because it was limited to one very specific type of product (computer games).[3]
This resulted in a study of 5 white lists ranging from 9 to 340 members. Where the published white list was larger than 300 entries, Galexia studied 50% of the members on the list. For all other white lists, Galexia studied every entry on the list.
The study included the ‘Government oversight’ criterion as Galexia considers there are risks for consumers where Governments lend credibility to trustmark schemes and white lists without adequate quality control and regulation in place.
Overall, the study found that privacy white lists contained an alarming proportion of inaccurate and out-of-date information. Depending on the trustmark scheme administering the white list, between 22% and 73% of information is inaccurate or out of date.
[2] <http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.html>
[3] <http://www.esrb.org/privacy/>