Abstract
The European Union General Data Protection Regulation (GDPR) came into effect on May 25, 2018, imposing new rights and obligations for the collection and processing of EU citizens' personal data. Inevitably, the privacy policies of systems handling such data must be adapted accordingly. Specific rights and provisions now have to be communicated to users, as specified in GDPR Articles 12-14. This work aims to provide insights on whether privacy policies are aligned with the GDPR in this regard, i.e., whether they include the needed information, formulated as sets of terms, by studying the paradigm of web platforms. We present: (1) a defined set of 89 terms, in 7 groups, that need to be included in a system's privacy policy, resulting from a study of the GDPR and from an examination and analysis of real-life web platforms' privacy policies; (2) the CompLicy tool, which first crawls a given web platform to infer whether a privacy policy page exists and, if it does, parses it, identifies the GDPR terms and groups within it, and finally reports on the inclusion of the necessary GDPR information in that policy; (3) the evaluation of 148 existing web platforms from 5 different sectors: (i) banking, (ii) e-commerce, (iii) education, (iv) travelling, and (v) social media, together with the results.
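The pipeline the abstract describes (locate a privacy policy page, then check which term groups it includes) can be sketched in a few dozen lines. The following is an added illustration, not CompLicy's own code: the term groups and the sample HTML and policy text are constructed for this example, and the paper's actual 89 terms in 7 groups are not reproduced here.

```python
import re
from html.parser import HTMLParser

# Constructed, illustrative term groups (NOT the paper's 89-term catalogue).
TERM_GROUPS = {
    "controller_identity": ["data controller", "contact details", "data protection officer"],
    "purpose_and_basis": ["purpose", "legal basis", "legitimate interest", "consent"],
    "recipients_transfers": ["recipients", "third parties", "transfer"],
    "retention": ["retention period", "how long", "data retention"],
    "data_subject_rights": ["right of access", "rectification", "erasure",
                            "portability", "object", "withdraw"],
    "complaints": ["supervisory authority", "lodge a complaint"],
}
POLICY_HINTS = ("privacy", "data protection", "gdpr")  # link text / href keywords

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element on a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def find_policy_links(html):
    """Crawl step: return hrefs whose href or anchor text hints at a privacy policy."""
    p = LinkCollector(); p.feed(html)
    return [h for h, t in p.links if any(k in f"{h} {t}".lower() for k in POLICY_HINTS)]

def group_coverage(policy_text, groups=TERM_GROUPS):
    """Parse step: per group, which terms occur (whole-word, case-insensitive)."""
    text = re.sub(r"\s+", " ", policy_text.lower())
    hit = lambda t: re.search(r"\b" + re.escape(t) + r"\b", text) is not None
    return {g: {"found": [t for t in terms if hit(t)],
                "missing": [t for t in terms if not hit(t)],
                "covered": any(hit(t) for t in terms)} for g, terms in groups.items()}

def coverage_ratio(cov):
    """Fraction of term groups with at least one term present."""
    return sum(v["covered"] for v in cov.values()) / len(cov)

# Constructed sample inputs standing in for a crawled landing page and its policy.
SAMPLE_HTML = ('<a href="/about">About</a><a href="/legal/privacy-policy">Privacy Policy</a>'
               '<a href="/terms">Terms</a>')
SAMPLE_POLICY = """We act as the data controller. Our Data Protection Officer can be reached at
dpo@example.org. We process data for the purpose of providing the service, on the legal basis
of consent. You have the right of access, rectification and erasure, and may lodge a complaint
with a supervisory authority."""
```

Running `group_coverage(SAMPLE_POLICY)` on the sample shows the recipients and retention groups entirely absent, which is the kind of per-group gap the abstract's "inclusion of the necessary GDPR information" result reports.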
Notes
1. According to GDPR, personal data are defined as information that relates to an identified or identifiable individual.
- 2.
- 3.
- 4.
- 5.
6. “CompLicy” is a portmanteau, i.e., a made-up word, coined from the combination of the words “Compliance” and “Policy”.
© 2021 Springer Nature Switzerland AG
Vanezi, E., Zampa, G., Mettouris, C., Yeratziotis, A., Papadopoulos, G.A. (2021). CompLicy: Evaluating the GDPR Alignment of Privacy Policies - A Study on Web Platforms. In: Cherfi, S., Perini, A., Nurcan, S. (eds) Research Challenges in Information Science. RCIS 2021. Lecture Notes in Business Information Processing, vol 415. Springer, Cham. https://doi.org/10.1007/978-3-030-75018-3_10
DOI: https://doi.org/10.1007/978-3-030-75018-3_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75017-6
Online ISBN: 978-3-030-75018-3
eBook Packages: Computer Science (R0)