In wide consultation with experts from around the world we were able to identify the following ranking categories for analysis:
Corporate administrative details
Does the company actually have a department or individual responsible for privacy compliance? The policy will have limited effect if users cannot question the processing of personal information. Some companies have designated privacy officials or embed privacy protection within the legal branch of the firm, while others do not even publish contact information.
Assesses whether a company plays a strong public role in protecting and promoting privacy in the marketplace (this must be matched with authority and action, not just mere words), or whether the firm is a leader in the trend toward profiling, sharing and disclosure of customer data. We also looked into whether the company is using industry-recognised self-regulatory mechanisms (e.g. Trust-e) and whether the company has signed up for the Safe Harbor agreement between the EU and the U.S.
Data collection and processing
What type of information does the site collect, with and without consent? On some sites the personal information submitted by customers is necessary (e.g. billing addresses) but there are many sites that collect information that may be unnecessary (age, marital status, home address, preferences, medical information, extraneous financial information) from customers without adequate information about why this information is needed and how it is used. Some companies may collect and mine other information, such as viewing habits and preferences (e.g. musical genre, lifestyle choices etc.).
Here, it is also important to note the status of 'Internet Protocol Addresses' (IP addresses). Many companies state that they see this data as non-personal - even anonymous - information, permitting them to collect and track users' movements around the site to determine what a specific user reads. This approach permits profiling of a user's habits and interests.
Some companies delete the information they collect once it is no longer needed. Other companies are not quite so clear, and a few sites are quite open that they do not intend to delete personal information at all (or at least not until they are ready to do so). With increased consumer concern about information breaches from stolen and lost computing resources, or through malicious hackers gaining access to resources, companies need to be aware that the risk to their market position and customer base may be proportionate to the amount of personal data they store.
Openness and transparency
It is fair to say that most organisations have now created privacy policies. These privacy policies often say much but disclose relatively little about a company's true practices. Some companies also cover up or refuse to engage publicly about privacy concerns. Here we rate these companies on how open they are to the public about their actual practices. We look at their privacy policies to assess whether they are merely a collection of disarming words (that usually starts with 'At [company X] we take your privacy seriously') with little detail, or which even highlight contradictory practices.
Disappointingly, many of the privacy policies seem to have been written with the same goal: to say very little but in as complex a way as possible. Yet there are also some policies that are exemplary in their eloquence and detail, describing every element of information and how it is processed by the company.
Disarming statements about privacy do little to compensate for the lack of responsiveness to consumers who have privacy concerns. We are in a continuing process of contacting companies to see how they respond to privacy queries and concerns and whether those concerns are dismissed (as we have seen in some remarkable situations, where in one case a company told us 'Life is too short (to worry about privacy)') or obfuscated (where companies respond with platitudes but disclose very little).
We look back over the history of the company to see how they responded to privacy problems and when those were brought to their attention, to measure the sincerity of these companies in protecting their customers' information. We also assess whether a company allows users to access and correct their personal information through 'subject access requests' or similar mechanisms.
Have these companies encountered ethical challenges and how have they dealt with them? Have they co-operated with problematic warrants and contentious access requests from law enforcement agencies and foreign governments? How have they responded to customers' concerns? These actions go some way to explaining how seriously a company treats their customers' personal information.
Customer and user control
In our earlier research and campaigns we identified a number of companies that were unwilling to let customers delete their accounts. This widespread practice is not only problematic for privacy (in that your data can never be deleted) but also calls into question whether companies are properly marketing themselves as 'x million customers' when in fact there are only 'x thousand' active customers.
User control in the age of advanced customer activity (such as in social networking sites) should also allow customers the ability to control who has access to personal information, whether this access can be limited and even, when possible, when it should be anonymized. There has been a remarkable level of activity in this area since the security concerns over social networking emerged and we are optimistic that new protections will emerge.
Additionally, we assess whether customers can choose for themselves what types of information they disclose.
Fair gateways and authentication
Online services increasingly require individuals to create accounts in order to gain access to services, whether to look at itineraries, read articles or conduct searches. Sometimes these access controls are privacy enhancing, where they can aid individual consumers in preventing the trawling of their personal profiles by unwelcome visitors. However, we are concerned at the increased profiling of customers' preferences based on the resources companies gain access to (e.g. profiling individuals based on the material they read). We have also taken into account scenarios where a decision to block any form of surveillance may interfere with the resulting level and quality of service.
Privacy enhancing innovations and privacy invasive innovations
Some companies have implemented advanced techniques to protect privacy through advanced use of encryption (beyond simple SSL) and identity management technologies, amongst others. But 'innovation' need not only be technology-based, but could also reflect advanced and progressive attitudes toward information processing, such as promoting the use of pseudonymous accounts. We highlight these practices where such information is available.