Data Privacy Day — 67% of the top 1,000 U.S. B2C websites are not compliant with EU privacy laws, a new Zendata report shows

April 9, 2022

Today, on #DataPrivacyDay, people internationally are making efforts to improve and educate businesses and consumers on data privacy. But how do we know where to improve if we don’t know where we stand? The truth is, the U.S. is still struggling to comply with EU privacy laws (GDPR).

In the spirit of advancement for all, Zendata used its proprietary software to analyze the top 1,000 U.S. websites and see which regulations they failed to follow. Here’s what we found:

Top websites are failing in three main categories: communication, transparency and new forms of tracking.

Nearly every website (82%) has complex privacy policies that are difficult to understand for the general consumer, and 41% are ambiguous about why they collect consumer data. Back in 2008, it would have taken 244 hours a year for the typical American internet user to read all of the privacy policies for the websites they visited. Today, it’s a seemingly impossible task that is increasingly hard because of the length, terminology and ambiguous language that is used.

A general disregard for transparency is showing up across U.S. websites: 43% do not offer an option to opt out of having your data sold, over half (55%) don’t show a cookie message on the first load, and nearly a third (31%) not only lack a cookie message on the first load but also have ad trackers present on their site.

On top of all this, there is a rise in high device fingerprinting. Nearly half (44%) of the top U.S. websites use this tracking technique to keep tabs on their visitors’ browsing behavior.

Why it matters:

While the GDPR is a European privacy law, if you offer goods or services to EU residents and capture personal identifiable information, you are required to comply with the regulation. Outside of legal issues, there are a number of risks businesses face:

Millions in added costs: Any company that fails to comply with these regulations is subject to fines of $80K-$120K. And in the case of a breach, companies will pay millions upfront, with longer tail costs to follow. Unfortunately, the average privacy compliance tool costs about $60k, plus the added cost of staffing and running it, which is also a heavy burden for small and medium businesses.

Loss of valuable customers: A new group of customers called Privacy Actives is on the rise, and could be another important factor to consider. While consumers are generally casual with their data, according to a recent Cisco survey of 2,600 adults, 32% are considered privacy actives. They are actively switching to new providers because of data or data-sharing policies.

Privacy actives are high value customers, as they tend to be more educated, affluent, and early tech adopters, and 90% said that the way a company treats their data reflects how they’re treated as customers. This group is growing quickly. Nearly another third of consumers (29%) care strongly about their privacy and are “willing to act” (i.e. stop visiting websites with problematic privacy policies) but have not done so yet. They are one step away from becoming privacy actives.

Growth in trust and revenue: There is an upside to investing in data privacy, and those companies that are making changes are seeing benefits. A 2019 report by GDPR found that 80% of companies with a privacy-driven approach saw a positive impact on the organisation’s reputation and brand image with an increase in trust, with 75% seeing an increase in revenue.

The U.S. has some catching up to do, but the fact that Data Privacy Day is happening shows that influencers, regulators and businesses alike are doing what’s necessary to raise awareness and make improvements. Our goal is to join in this effort and help even the smallest companies pinpoint holes in their privacy policies and compliance measures — in a matter of minutes.

More about the data collection process:

Zendata used its proprietary software to scan the top 1,000 U.S. websites during December 2021.

Websites with privacy policies that are “difficult to understand” were determined by a proprietary machine learning model which takes into account privacy policy length, structure of the website, description of data uses, readability of the page, sentence length and lexical diversity.

Key findings:

  1. 43.22% do not contain an option to opt-out of having data sold
  2. 54.94% do not have a cookie message on the first load
  3. 31.72% do not have a cookie message on the first load but have ad trackers present on the site
  4. 22.99% do not have a cookie message on the first load while having more than 10 ad trackers
  5. 13.68% do not have a cookie message on the first load with ad trackers and do not have the option to opt-out of having data sold
  6. 3.91% have at least 1 non-HTTP page
  7. 43.79% have high device fingerprinting
  8. 82.07% have complex privacy policies (i.e. difficult to understand)
  9. 41.38% have ambiguous data collection purposes
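To make the finding categories concrete, here is an added example (not Zendata’s scanner, whose model and tracker list are proprietary) that classifies a first-load page snapshot into the tracker and cookie-message categories above. The tracker hostnames, the banner/opt-out heuristics, the sample HTML and the reading of “non-HTTP page” as a page served over plain http:// are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed list of hostnames treated as ad trackers (assumption; not Zendata's list).
AD_TRACKER_HOSTS = {"ads.example-tracker.com", "pixel.example-ads.net", "tag.example-analytics.io"}

@dataclass
class PageSnapshot:
    url: str                          # URL the page was loaded from
    html: str                         # markup as seen on first load, before any interaction
    linked_urls: list = field(default_factory=list)  # other pages of the site (constructed)

def has_cookie_message(html: str) -> bool:
    # Heuristic: a cookie/consent banner element present in the first-load markup.
    return re.search(r"(cookie|consent)[-_ ]?(banner|notice|message)", html, re.I) is not None

def has_opt_out_link(html: str) -> bool:
    # Heuristic: "Do Not Sell" style wording is the usual form of a data-sale opt-out link.
    return re.search(r"do\s+not\s+sell", html, re.I) is not None

def ad_tracker_hosts(html: str) -> set:
    # Hosts of script/img/iframe sources that appear in the known-tracker list.
    hosts = re.findall(r'<(?:script|img|iframe)[^>]+src="https?://([^/"]+)', html, re.I)
    return {h for h in hosts if h in AD_TRACKER_HOSTS}

def audit(page: PageSnapshot) -> dict:
    # One boolean per finding category, mirroring items 1-6 of the key findings list.
    trackers = ad_tracker_hosts(page.html)
    cookie_msg = has_cookie_message(page.html)
    opt_out = has_opt_out_link(page.html)
    return {
        "no_opt_out": not opt_out,
        "no_cookie_message": not cookie_msg,
        "no_cookie_message_with_trackers": not cookie_msg and bool(trackers),
        "no_cookie_message_over_10_trackers": not cookie_msg and len(trackers) > 10,
        "no_cookie_message_trackers_no_opt_out": not cookie_msg and bool(trackers) and not opt_out,
        "has_plain_http_page": any(u.startswith("http://") for u in [page.url] + page.linked_urls),
    }

def prevalence(pages: list) -> dict:
    # Percentage of scanned sites falling into each category, the form the report uses.
    results = [audit(p) for p in pages]
    return {k: round(100 * sum(r[k] for r in results) / len(results), 2) for k in results[0]}

# Constructed sample: a site with two trackers, no banner, no opt-out and one http:// page.
SAMPLE = PageSnapshot(
    url="https://shop.example.com/",
    html='<html><head><script src="https://ads.example-tracker.com/t.js"></script>'
         '<img src="https://pixel.example-ads.net/p.gif"></head><body>Welcome</body></html>',
    linked_urls=["https://shop.example.com/privacy", "http://shop.example.com/legacy"],
)
```

Running `audit` over a crawl of many sites and feeding the snapshots to `prevalence` reproduces the shape of the key findings table for your own estate.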