Only 9 of 100 company websites obtain clear consent from data principals: Survey


Around 41 per cent of websites included information about data principal rights, such as correction, access, and erasure, in their privacy policies. However, only 9 per cent of organisations collected consent that met the criteria of being free, specific, and informed, a report from PwC India said.

(Representational Image/Getty Images/iStockphoto)

In an analysis of 100 Indian enterprises’ websites, the report, titled “Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC analysis”, evaluated their compliance with the Digital Personal Data Protection (DPDP) Act of 2023.

The report highlighted that 90 per cent of the organisations reviewed provided a privacy notice to data principals when collecting data through their websites. Despite this high percentage, it was noted that merely offering a privacy notice did not necessarily signify the presence of a robust data privacy framework. In terms of third-party data transfers, 43 per cent of organisations were found to lack a well-defined purpose for sharing personal data with third-party data processors.

What are the key findings from the report?

– Consent: Only 9 per cent of organisations collected consent that met the standards of being free, specific, and informed. In most cases, bundled consent, where a single consent was obtained for multiple purposes, was prevalent.

While 48 per cent of organisations offered the option to withdraw consent, the process for doing so was often more challenging than providing consent. Additionally, only 2% of organisations obtained consent in multiple regional languages.

– Cookies: Approximately 16 per cent of organisational websites displayed a cookie consent banner, informing users about the collection and processing of their personal data.

Meanwhile, 33 per cent of organisations displayed a cookie notice, alerting users to the use of cookies on their websites. The information technology, hospitality, and aviation sectors were noted for their proactive approach to obtaining cookie consent and giving users control over their online experiences, likely due to their global presence and compliance with international data protection regulations.

– Privacy Notices: 90 per cent of organisations provided privacy notices when collecting data through their websites. Of these, 80% mentioned the types of personal data collected, and 54% indicated the retention period for such data. However, only 2% of organisations offered privacy policies or notices in multiple languages.

– Data Principal Rights: 41 per cent of organisations displayed data principal rights, including the right to erasure, access, and correction, on their websites. While many organisations had processes in place to honor data subject rights, they often lacked dedicated email addresses or online forms for support.

– Breach Notification: Merely 4 per cent of organisations had proactively published a breach notification mechanism on their websites. Organisations in the information technology and FinTech sectors were exceptions, as they operated in countries with stringent data privacy laws and had already achieved compliance.

– Data Protection Officer (DPO): Around 74 per cent of organisations provided contact details for inquiries related to data processing, with 54 per cent of them proactively sharing DPO contact details. These organisations likely had a robust privacy framework in place. In contrast, 17% of organisations listed email IDs for customer care or other functions related to data protection but lacked a comprehensive framework.

– Data Retention: A total of 54 per cent of organisations, primarily from sectors like FinTech, e-commerce, and information technology, stated data retention periods on their websites. However, organisations in consumer, retail, real estate, and manufacturing sectors needed to establish clear data retention guidelines in alignment with data privacy principles and legal requirements.

– Children’s Personal Data: Only one in ten schools provided a customised privacy notice for children and implemented age verification to confirm users’ age. These schools processed children’s data only after obtaining parental or guardian consent. However, online service and product providers often failed to offer age-appropriate notices, indicating a lack of parental consent when collecting data.
