Abstract

The European Union General Data Protection Regulation (GDPR) came into effect on May 25, 2018, imposing new rights and obligations for the collection and processing of EU citizens' personal data. Inevitably, the privacy policies of systems handling such data must be adapted accordingly. Specific rights and provisions must now be communicated to users, as specified in GDPR Articles 12-14. This work aims to provide insights on whether privacy policies are aligned with the GDPR in this regard, i.e., whether they include the needed information, formulated in sets of terms, by studying the paradigm of web platforms. We present: (1) a defined set of 89 terms, in 7 groups, that need to be included within a system's privacy policy, resulting from a study of the GDPR and from an examination and analysis of real-life web platforms' privacy policies; (2) the CompLicy tool, which as a first step crawls a given web platform to infer whether a privacy policy page exists and, if it does, subsequently parses it, identifying GDPR terms and groups within, and finally provides results for the inclusion of the necessary GDPR information within the aforementioned policy; (3) the evaluation of 148 existing web platforms from 5 different sectors: (i) banking, (ii) e-commerce, (iii) education, (iv) travelling, and (v) social media, presenting the results.
