Top 100 US websites don't say how long they keep data

A recent study of top consumer websites shows most consumers don't understand privacy policies

We have all done it -- willingly jotted in our personal information on a website for convenience or goods. And how many of us read, let alone understood the company privacy policy? All reputable websites that collect data have a privacy policy that users can click on to learn about what the personal information gathered is used for and if it is shared with outside companies.

In a recent study conducted by the privacy certification company TRUSTe has published the results of its look at the top 100 U.S. websites and their privacy policies Thursday.

It turns out that some of these companies have beefed-up the length of their policy statements to nearly 2,500 words -- that's twice as long as the Declaration of Independence. And they are written in far more complicated language than most public literature is written in (a staggering six reading grade levels higher than the average 8th grade level, according to the Flesch-Kincaid Grade Level Readability Formula.)

So for each of the dozens, if not hundreds of websites that you have handed over your email to, it would have taken an average of 10 minutes per site to read their privacy policy.

When policies are written in this complicated and lengthy form, they are certainly not being created so that consumers are able to make informed choices and protect their personal information.

The San Francisco-based TRUSTe was formerly a non-profit company was assisting companies in assuring that their privacy policies and practices were clear and matched the promises being made to consumers.

Fran Maier, TRUSTe's President told me that many companies that initially speak with TRUSTe have a weak understanding of privacy policies and the third-party software that is used on their website.
"Most companies are collecting data in some form but they don't even understand the extent until we test their site and break down the facets to them," said Maier. "It isn't usually malicious, it is just that some Java script and marketing tools have more functions to them than even they know about. So it imperative that these companies get a privacy company to audit their practices, so consumers have an accurate understanding of where their information is going."

TRUSTe also found that most consumers do not understand that some companies they share information with have the ability to sell or distribute that information to third-parties..

From the top 100 U.S. websites, 72% of their privacy policies say that they allow third-party tracking on their sites; 36% say that they collect users’ location data; and 31% say that they share user-provided data with third parties.

And more surprisingly,  93% of the websites do not disclose how long they keep customer data on file and 68% do not explain how a user can delete an account.

This snapshot is a look at 100 companies that are more well-versed in privacy policies and usually have professions draft up specific agreements for their business -- whereas many small business might even copy another businesses privacy policy.

Nationally, 14% of websites analyzed in 1998 had privacy policy, compared with the 97% found this year. Yet out of the 100 websites analyzed, only a meager 2% have a mobile-optimized privacy policy.

But as consumer behavior changes, TRUSTe has found that mobile privacy is one of the biggest growing concerns that users have about their personal information -- thus the big disconnect between company practices and consumer concerns rears its head again.