Does Your Higher Education Website Have a Privacy Statement?

image of privacy statement text from the Government of Canada

Privacy, Legal and Cookie Statements

A slender majority of universities and colleges, across 4,329 institutions in our six-country sample, include a link to some combination of a privacy, legal or cookie statement from their home page.

These statements (or “policy” documents) provide site visitors with important information about data collection and tracking that will take place as they traverse a website. We hypothesise that most sites’ Google Analytics data would show these pages are rarely visited. Nevertheless, they should still be accessible and reflect accurate information about a site’s data collection practices.

In our survey, almost 45% of sites did not place a link to privacy, legal or cookie statements on the home page. Moreover, for a small proportion of sites that did include a link, the link was broken. In a small number of cases the link directs to a PDF document, rather than an HTML page. And, in a few cases the “Privacy Statement” text was not associated with a link.

Our observations suggest a number of issues:

  • Sites should publish HTML-formatted privacy, legal and/or cookie statements/policies that are readily reached from a site’s principal landing pages.
  • Site visitors can find privacy, legal and/or cookie statements if the relevant links are included in page footers.
  • Appropriately formatted page footers should appear on every page on a site.
  • Legal and compliance staff should want their published privacy, legal or cookie statements to be accurate and complete. In practice, accuracy and completeness can be difficult to achieve when sites describe which cookies are set, and we address this issue in the next article in this series.

We suspect that most institutions are unaware that visitors are not able to access privacy and data collection policy information because they lack the ability to perform a site-wide audit.

Observed Statement Practices

Just over half the universities and colleges in the six countries we surveyed (Australia, Canada, Ireland, New Zealand, United Kingdom and the United States) publish links to information privacy notices on the home page.

There are two general approaches to providing privacy and cookie information:

  • European higher education institutions offer separate statements for privacy and cookies. The European Union ePrivacy directive addresses consent to load cookies, beacons and similar tracking code when visiting web pages. As a result, cookie statements explain how cookies are used, the types used and, in many cases, the specific cookies set on a site.

Separate privacy statements cover storage and use of personal information collected on a site: often when completing forms or providing email addresses.

  • Higher education institutions in non-EU countries generally publish only a privacy statement that references cookies: albeit in some cases with a link to a list of cookies.

These privacy statements also cover storage and use of personal information collected on a site, as well as contact details for access and correction.

The underlying statements are generally found within “About us” or “Legal” folders within a site. Without readily identified links, these statements are generally hard to find.

Survey Results

We examined the websites of 40 institutions in Australia, 205 in Canada, 8 in New Zealand, 7 in Ireland, 160 in the UK, and just over 3,900 in the US to determine current practice for providing site visitors with access to information about privacy and cookies. The results are summarised below: 

 LINK TEXT WORDING

US

CA

NZ

GB

AU

IE

Total

Cookie Statement

0.0%

0.0%

0.0%

29.3%

0.0%

40.0%

1.4%

Legal Statement

4.0%

4.3%

12.5%

9.6%

7.1%

10.0%

4.3%

No Statement

47.2%

42.6%

12.5%

7.6%

2.4%

0.0%

44.6%

Privacy Statement

48.8%

53.1%

75.0%

36.4%

90.5%

50.0%

48.9%

Privacy & Cookies Statement

0.0%

0.0%

0.0%

17.2%

0.0%

0.0%

0.8%

 

100.0%

100.0%

100.0%

100.0%

100.0%

100.0%

100.0%

Table 1: Results of surveying the home pages of 4,329 higher education websites for links to privacy, legal or cookie statements or policies published on the site

The five categories have the following meanings:

  • Cookie Statement– a link provided access to a statement/policy/notice specifically addressing cookie use and used the words "Cookie Statement" or a close variant as the link text;
  • Legal Statement – a link provided access to a statement/policy/notice addressing a range of legal issues, including privacy and cookie use and used the words "Legal Statement" or a close variant as the link text;
  • Privacy & Cookies Statement - a link provided access to a statement/policy/notice specifically addressing data privacy, data collection policies and cookie use and used the words "Privacy & Cookie Statement" or a close variant as the link text;
  • Privacy Statement - a link provided access to a statement/policy/notice specifically addressing data privacy and data collection policies and used the words "Privacy Statement" or a close variant as the link text; and,
  • No Statement – no link was provided on the home page to privacy, legal or cookie statement/policy/notice. These documents undoubtedly exist, but are not referenced from a site’s home page.

Based on our analysis, sites that place links in the footer of their home page typically link to a set of policy documents or notices that cover privacy, cookies and data collection policies regardless of the wording chosen as the anchor text for the link. Our concern is with the sites providing no links to this information.

Many sites offers links to multiple statements, for example link text to a "legal notice" as well as link text to a "privacy policy" addressing different issues. We checked the layout of the statements on a few dozen websites and note that the statements comprise large blocks of text that don't follow website leading practice for readability. Few of the statements indicate when they were last updated and when they do the date is rvealed by scrolling to the end of the document rather than being shown at the beginning.

Conclusions

Five conclusions fall out of the observations:

Almost half of the US university and college websites did not provide links to legal or privacy statements, which was the lowest compliance rating in our sample. Canadian higher education institutions are only slightly behind their US counterparts in this respect.

Fewer than 10% of UK, Irish and Australian university and college home pages fail to provide relevant links to information privacy statements on their home pages. One out of eight university-level institutions in New Zealand failed to provide a link.

Irish and UK universities offer the most fulsome information on cookie use, as part of their compliance with European Union legal directives. In all other jurisdictions information provided about cookies set while using a website is high-level and non-specific.

Albeit based on a small sample, much could be done to improve the readbility and useability of privacy, legal and cookie notices.

Institutions should make greater efforts to ensure that visitors to their sites can access relevant privacy and legal information from all pages and should periodically check that this is the case.

 

Sign Up for Email Delivery:

We collect the following solely to email you new research.

* indicates required
 

MailChimp stores your details. We do not share data with third parties.

 

 

 

Blog photo image: unsplash.com / pexels.com