Close up of a webpage on a smartphone with a button to redirect the user to the site's privacy policy.
© Jevanto Productions/

A majority of English-language websites do not have privacy policies, according to a study by the Penn State College of Information Sciences and Technology.

Privacy policies are a huge concern for regulators and internet users. While many companies make their privacy policies overly elaborate and hard to read, some don’t even bother creating one.

“Privacy policies are often the only source of information regarding what happens to users’ personal information online,” said Mukund Srinath, doctoral student in the College of IST and lead author of the paper.

“The availability of privacy policies and the ability of users to understand them are fundamental to ensuring that individuals can make informed decisions about their personal information,” Srinath explained in a press release on Monday.

The researchers published their study, “Privacy Lost and Found: An Investigation at Scale of Web Privacy Policy Availability,” in August.

Many Websites Do Not Comply With Privacy Laws

Most countries or regional blocs require websites to make a privacy policy available to visitors. This lets visitors learn about how a website collect, share, store, and use their data.

However, many websites do not adhere to this requirement. They either do not provide a privacy policy or offer broken links, blank pages, and unreadable content.

“Not many websites have privacy policies,” Srinath noted.

“For a user landing on a random website, there is only a 34% chance that a privacy policy exists. Among them, there is a 2% to 3% chance that the link is broken. And 5% of the links that do work will lead to a page that contains irrelevant information, such as placeholder text or documents in a language that doesn’t match the website’s landing page.”

Researchers Crawled Millions of Sites

For this study, the researchers crawled millions of English-language websites using the capture-recapture technique. This allowed them to estimate the general unavailability of privacy policies online.

Pranav Venkit, doctoral student at the College of IST and co-author of the paper, said the technique was similar to what ecologists use for animals in the wild.

“They go into a forest of bears, capture a small sample, tag them and send them back into the wild. They go back the next day and capture another set. The unseen versus the previously seen bears enable the ecologists to estimate the bear population,” Venkit said.

A key takeaway from the study is the sheer magnitude of the problem that regulators around the world face in enforcing their laws.

Srinath said regulators do not have the capacity to check the massive number of websites on the internet. Instead, they resort to acting on user complaints or compliance self-certification to investigate a site.

“Regulators cannot keep up,” Srinath said.

Read our article on the privacy risks in user agreements to learn about the importance of privacy policies and why you shouldn’t just click “Accept” when you land on a site.

If this article caught your interest, we recommend reading more about the state of privacy policies around the world today. Our researchers put together a list of the 20 most difficult-to-read privacy policies on the internet.

Leave a comment