{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T03:40:44Z","timestamp":1768016444338,"version":"3.49.0"},"reference-count":36,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"1","license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The EU General Data Protection Regulation (GDPR) is one of the most demanding and comprehensive privacy regulations of all time. A year after it went into effect, we study its impact on the landscape of privacy policies online. We conduct the first longitudinal, in-depth, and at-scale assessment of privacy policies before and after the GDPR. We gauge the complete consumption cycle of these policies, from the first user impressions until the compliance assessment. We create a diverse corpus of two sets of 6,278 unique English-language privacy policies from inside and outside the EU, covering their pre-GDPR and the post-GDPR versions. The results of our tests and analyses suggest that the GDPR has been a catalyst for a major overhaul of the privacy policies inside and outside the EU. This overhaul of the policies, manifesting in extensive textual changes, especially for the EU-based websites, comes at mixed benefits to the users.<\/jats:p>\n               <jats:p>While the privacy policies have become considerably longer, our user study with 470 participants on Amazon MTurk indicates a significant improvement in the visual representation of privacy policies from the users\u2019 perspective for the EU websites. We further develop a new workflow for the automated assessment of requirements in privacy policies. Using this workflow, we show that privacy policies cover more data practices and are more consistent with seven compliance requirements post the GDPR. We also assess how transparent the organizations are with their privacy practices by performing specificity analysis. In this analysis, we find evidence for positive changes triggered by the GDPR, with the specificity level improving on average. Still, we find the landscape of privacy policies to be in a transitional phase; many policies still do not meet several key GDPR requirements or their improved coverage comes with reduced specificity.<\/jats:p>","DOI":"10.2478\/popets-2020-0004","type":"journal-article","created":{"date-parts":[[2020,1,8]],"date-time":"2020-01-08T09:31:05Z","timestamp":1578475865000},"page":"47-64","source":"Crossref","is-referenced-by-count":106,"title":["The Privacy Policy Landscape After the GDPR"],"prefix":"10.56553","volume":"2020","author":[{"given":"Thomas","family":"Linden","sequence":"first","affiliation":[{"name":"University of Wisconsin"}]},{"given":"Rishabh","family":"Khandelwal","sequence":"additional","affiliation":[{"name":"University of Wisconsin"}]},{"given":"Hamza","family":"Harkous","sequence":"additional","affiliation":[{"name":"\u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne ,"}]},{"given":"Kassem","family":"Fawaz","sequence":"additional","affiliation":[{"name":"University of Wisconsin"}]}],"member":"35752","published-online":{"date-parts":[[2020,1,7]]},"reference":[{"key":"2022043002454588232_j_popets-2020-0004_ref_001_w2aab3b7b8b1b6b1ab1ab1Aa","unstructured":"[1] W. F. Adkinson, J. A. Eisenach, and T. M. Lenard, \u201cPrivacy online: A report on the information practices and policies of commercial web sites,\u201d Progress and Freedom Foundation, 2002."},{"key":"2022043002454588232_j_popets-2020-0004_ref_002_w2aab3b7b8b1b6b1ab1ab2Aa","unstructured":"[2] E. AI. [Online]. Available: https:\/\/spacy.io\/"},{"key":"2022043002454588232_j_popets-2020-0004_ref_003_w2aab3b7b8b1b6b1ab1ab3Aa","doi-asserted-by":"crossref","unstructured":"[3] A. I. Anton, J. B. Earp, Q. He, W. Stufflebeam, D. Bolchini, and C. Jensen, \u201cFinancial privacy policies and the need for standardization,\u201d IEEE Security & privacy, vol. 2, no. 2, pp. 36\u201345, 2004.10.1109\/MSECP.2004.1281243","DOI":"10.1109\/MSECP.2004.1281243"},{"key":"2022043002454588232_j_popets-2020-0004_ref_004_w2aab3b7b8b1b6b1ab1ab4Aa","unstructured":"[4] A. I. Ant\u00f3n, J. B. Earp, and A. Reese, \u201cAnalyzing website privacy requirements using a privacy goal taxonomy,\u201d in Requirements Engineering, 2002. Proceedings. IEEE Joint International Conference on. IEEE, 2002, pp. 23\u201331."},{"key":"2022043002454588232_j_popets-2020-0004_ref_005_w2aab3b7b8b1b6b1ab1ab5Aa","doi-asserted-by":"crossref","unstructured":"[5] A. I. Anton, J. B. Earp, M. W. Vail, N. Jain, C. M. Gheen, and J. M. Frink, \u201cHipaa\u2019s effect on web site privacy policies,\u201d IEEE Security & Privacy, vol. 5, no. 1, pp. 45\u201352, 2007.10.1109\/MSP.2007.7","DOI":"10.1109\/MSP.2007.7"},{"key":"2022043002454588232_j_popets-2020-0004_ref_006_w2aab3b7b8b1b6b1ab1ab6Aa","unstructured":"[6] T. H. R. Campaign. [Online]. Available: https:\/\/www.hrc.org\/hrc-story\/privacy-policy"},{"key":"2022043002454588232_j_popets-2020-0004_ref_007_w2aab3b7b8b1b6b1ab1ab7Aa","unstructured":"[7] A. Cohen. [Online]. Available: https:\/\/github.com\/seatgeek\/fuzzywuzzy"},{"key":"2022043002454588232_j_popets-2020-0004_ref_008_w2aab3b7b8b1b6b1ab1ab8Aa","doi-asserted-by":"crossref","unstructured":"[8] G. Contissa, K. Docter, F. Lagioia, M. Lippi, H.-W. Micklitz, P. Pa\u0142ka, G. Sartor, and P. Torroni, \u201cClaudette meets gdpr: Automating the evaluation of privacy policies using artificial intelligence,\u201d 2018.10.2139\/ssrn.3208596","DOI":"10.2139\/ssrn.3208596"},{"key":"2022043002454588232_j_popets-2020-0004_ref_009_w2aab3b7b8b1b6b1ab1ab9Aa","doi-asserted-by":"crossref","unstructured":"[9] M. Degeling, C. Utz, C. Lentzsch, H. Hosseini, F. Schaub, and T. Holz, \u201cWe value your privacy ... now take some cookies: Measuring the gdpr\u2019s impact on web privacy,\u201d in 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society, 2019. [Online]. Available: https:\/\/www.ndss-symposium.org\/ndss2019\/10.14722\/ndss.2019.23378","DOI":"10.14722\/ndss.2019.23378"},{"key":"2022043002454588232_j_popets-2020-0004_ref_010_w2aab3b7b8b1b6b1ab1ac10Aa","unstructured":"[10] E.-P. Directive, \u201cDirective 2002\/58\/ec of the european parliament and of the council of 12 july 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications),\u201d Official Journal L, vol. 201, no. 31, p. 07, 2002."},{"key":"2022043002454588232_j_popets-2020-0004_ref_011_w2aab3b7b8b1b6b1ab1ac11Aa","unstructured":"[11] E. Directive, \u201c95\/46\/ec of the european parliament and of the council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,\u201d Official Journal of the EC, vol. 23, no. 6, 1995."},{"key":"2022043002454588232_j_popets-2020-0004_ref_012_w2aab3b7b8b1b6b1ab1ac12Aa","unstructured":"[12] H. Harkous, K. Fawaz, R. Lebret, F. Schaub, K. Shin, and K. Aberer, \u201cPolisis: Automated analysis and presentation of privacy policies using deep learning,\u201d in 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 2018."},{"key":"2022043002454588232_j_popets-2020-0004_ref_013_w2aab3b7b8b1b6b1ab1ac13Aa","unstructured":"[13] B. Kahle. [Online]. Available: https:\/\/archive.org\/help\/wayback_api.php"},{"key":"2022043002454588232_j_popets-2020-0004_ref_014_w2aab3b7b8b1b6b1ab1ac14Aa","unstructured":"[14] Y. Kim, \u201cConvolutional neural networks for sentence classification,\u201d in Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing, EMNLP 2014, October 25-29, 2014, Doha, Qatar, A meeting of SIGDAT, a Special Interest Group of the ACL, 2014, pp. 1746\u20131751. [Online]. Available: http:\/\/aclweb.org\/anthology\/D\/D14\/D14-1181.pdf"},{"key":"2022043002454588232_j_popets-2020-0004_ref_015_w2aab3b7b8b1b6b1ab1ac15Aa","doi-asserted-by":"crossref","unstructured":"[15] C. Kohlsch\u00fctter, P. Fankhauser, and W. Nejdl, \u201cBoilerplate detection using shallow text features,\u201d in Proceedings of the third ACM international conference on Web search and data mining. ACM, 2010, pp. 441\u2013450.10.1145\/1718487.1718542","DOI":"10.1145\/1718487.1718542"},{"key":"2022043002454588232_j_popets-2020-0004_ref_016_w2aab3b7b8b1b6b1ab1ac16Aa","doi-asserted-by":"crossref","unstructured":"[16] L. Lebanoff and F. Liu, \u201cAutomatic detection of vague words and sentences in privacy policies,\u201d arXiv preprint arXiv:1808.06219, 2018.","DOI":"10.18653\/v1\/D18-1387"},{"key":"2022043002454588232_j_popets-2020-0004_ref_017_w2aab3b7b8b1b6b1ab1ac17Aa","unstructured":"[17] Legacy.com. [Online]. Available: https:\/\/www.legacy.com\/about\/privacy-policy"},{"key":"2022043002454588232_j_popets-2020-0004_ref_018_w2aab3b7b8b1b6b1ab1ac18Aa","doi-asserted-by":"crossref","unstructured":"[18] G. Lindgaard, G. Fernandes, C. Dudek, and J. Brown, \u201cAttention web designers: You have 50 milliseconds to make a good first impression!\u201d Behaviour & information technology, vol. 25, no. 2, pp. 115\u2013126, 2006.10.1080\/01449290500330448","DOI":"10.1080\/01449290500330448"},{"key":"2022043002454588232_j_popets-2020-0004_ref_019_w2aab3b7b8b1b6b1ab1ac19Aa","doi-asserted-by":"crossref","unstructured":"[19] M. Lippi, P. Palka, G. Contissa, F. Lagioia, H.-W. Micklitz, G. Sartor, and P. Torroni, \u201cClaudette: an automated detector of potentially unfair clauses in online terms of service,\u201d arXiv preprint arXiv:1805.01217, 2018.","DOI":"10.1007\/s10506-019-09243-2"},{"key":"2022043002454588232_j_popets-2020-0004_ref_020_w2aab3b7b8b1b6b1ab1ac20Aa","unstructured":"[20] K. Litman-Navarro, \u201cWe read 150 privacy policies. they were an incomprehensible disaster.\u201d https:\/\/www.nytimes.com\/interactive\/2019\/06\/12\/opinion\/facebook-google-privacy-policies.html, 2019, accessed: 2019-06-13."},{"key":"2022043002454588232_j_popets-2020-0004_ref_021_w2aab3b7b8b1b6b1ab1ac21Aa","unstructured":"[21] C. Liu and K. P. Arnett, \u201cRaising a red flag on global www privacy policies,\u201d Journal of Computer Information Systems, vol. 43, no. 1, pp. 117\u2013127, 2002."},{"key":"2022043002454588232_j_popets-2020-0004_ref_022_w2aab3b7b8b1b6b1ab1ac22Aa","unstructured":"[22] E. T. Loiacono, R. T. Watson, D. L. Goodhue et al., \u201cWebqual: A measure of website quality,\u201d Marketing theory and applications, vol. 13, no. 3, pp. 432\u2013438, 2002."},{"key":"2022043002454588232_j_popets-2020-0004_ref_023_w2aab3b7b8b1b6b1ab1ac23Aa","unstructured":"[23] N. Lomas, \u201cPrivacy policies are still too horrible to read in full.\u201d https:\/\/techcrunch.com\/2019\/06\/13\/privacy-policies-are-still-too-horrible-to-read-in-full\/, 2019, accessed: 2019-06-13."},{"key":"2022043002454588232_j_popets-2020-0004_ref_024_w2aab3b7b8b1b6b1ab1ac24Aa","unstructured":"[24] M. Lui and T. Baldwin, \u201clangid. py: An off-the-shelf language identification tool,\u201d in Proceedings of the ACL 2012 system demonstrations. Association for Computational Linguistics, 2012, pp. 25\u201330."},{"key":"2022043002454588232_j_popets-2020-0004_ref_025_w2aab3b7b8b1b6b1ab1ac25Aa","doi-asserted-by":"crossref","unstructured":"[25] F. Marotta-Wurgler, \u201cSelf-regulation and competition in privacy policies,\u201d The Journal of Legal Studies, vol. 45, no. S2, pp. S13\u2013S39, 2016.10.1086\/689753","DOI":"10.1086\/689753"},{"key":"2022043002454588232_j_popets-2020-0004_ref_026_w2aab3b7b8b1b6b1ab1ac26Aa","doi-asserted-by":"crossref","unstructured":"[26] G. R. Milne and M. J. Culnan, \u201cUsing the content of online privacy notices to inform public policy: A longitudinal analysis of the 1998-2001 us web surveys,\u201d The Information Society, vol. 18, no. 5, pp. 345\u2013359, 2002.10.1080\/01972240290108168","DOI":"10.1080\/01972240290108168"},{"key":"2022043002454588232_j_popets-2020-0004_ref_027_w2aab3b7b8b1b6b1ab1ac27Aa","unstructured":"[27] M. A. Napierala, \u201cWhat is the bonferroni correction,\u201d AAOS Now, vol. 6, no. 4, p. 40, 2012."},{"key":"2022043002454588232_j_popets-2020-0004_ref_028_w2aab3b7b8b1b6b1ab1ac28Aa","doi-asserted-by":"crossref","unstructured":"[28] R. Ramanath, F. Liu, N. M. Sadeh, and N. A. Smith, \u201cUnsupervised alignment of privacy policies using hidden markov models,\u201d in Proceedings of the 52nd Annual Meeting of the Association for Computational Linguistics, ACL 2014, June 22-27, 2014, Baltimore, MD, USA, Volume 2: Short Papers, 2014, pp. 605\u2013610. [Online]. Available: http:\/\/aclweb.org\/anthology\/P\/P14\/P14-2099.pdf10.3115\/v1\/P14-2099","DOI":"10.3115\/v1\/P14-2099"},{"key":"2022043002454588232_j_popets-2020-0004_ref_029_w2aab3b7b8b1b6b1ab1ac29Aa","doi-asserted-by":"crossref","unstructured":"[29] K. Reinecke, T. Yeh, L. Miratrix, R. Mardiko, Y. Zhao, J. Liu, and K. Z. Gajos, \u201cPredicting users\u2019 first impressions of website aesthetics with a quantification of perceived visual complexity and colorfulness,\u201d in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2013, pp. 2049\u20132058.10.1145\/2470654.2481281","DOI":"10.1145\/2470654.2481281"},{"key":"2022043002454588232_j_popets-2020-0004_ref_030_w2aab3b7b8b1b6b1ab1ac30Aa","unstructured":"[30] L. Richardson. [Online]. Available: https:\/\/www.crummy.com\/software\/BeautifulSoup\/"},{"key":"2022043002454588232_j_popets-2020-0004_ref_031_w2aab3b7b8b1b6b1ab1ac31Aa","unstructured":"[31] J. Singer-Vine, \u201cWayBackPack: Open source scientific tools for Python.\u201d [Online]. Available: https:\/\/pypi.org\/project\/waybackpack\/"},{"key":"2022043002454588232_j_popets-2020-0004_ref_032_w2aab3b7b8b1b6b1ab1ac32Aa","doi-asserted-by":"crossref","unstructured":"[32] W. B. Tesfay, P. Hofmann, T. Nakamura, S. Kiyomoto, and J. Serna, \u201cPrivacyguide: Towards an implementation of the eu gdpr on internet privacy policy evaluation,\u201d in Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics. ACM, 2018, pp. 15\u201321.10.1145\/3180445.3180447","DOI":"10.1145\/3180445.3180447"},{"key":"2022043002454588232_j_popets-2020-0004_ref_033_w2aab3b7b8b1b6b1ab1ac33Aa","doi-asserted-by":"crossref","unstructured":"[33] J. Turow, M. Hennessy, and N. Draper, \u201cPersistent misperceptions: Americans\u2019 misplaced confidence in privacy policies, 2003\u20132015,\u201d Journal of Broadcasting & Electronic Media, vol. 62, no. 3, pp. 461\u2013478, 2018.10.1080\/08838151.2018.1451867","DOI":"10.1080\/08838151.2018.1451867"},{"key":"2022043002454588232_j_popets-2020-0004_ref_034_w2aab3b7b8b1b6b1ab1ac34Aa","doi-asserted-by":"crossref","unstructured":"[34] M. W. Vail, J. B. Earp, and A. I. Ant\u00f3n, \u201cAn empirical study of consumer perceptions and comprehension of web site privacy policies,\u201d IEEE Transactions on Engineering Management, vol. 55, no. 3, pp. 442\u2013454, 2008.10.1109\/TEM.2008.922634","DOI":"10.1109\/TEM.2008.922634"},{"key":"2022043002454588232_j_popets-2020-0004_ref_035_w2aab3b7b8b1b6b1ab1ac35Aa","unstructured":"[35] A. Van Lamsweerde, \u201cGoal-oriented requirements engineering: A guided tour,\u201d in Requirements Engineering, 2001. Proceedings. Fifth IEEE International Symposium on. IEEE, 2001, pp. 249\u2013262."},{"key":"2022043002454588232_j_popets-2020-0004_ref_036_w2aab3b7b8b1b6b1ab1ac36Aa","doi-asserted-by":"crossref","unstructured":"[36] S. Wilson, F. Schaub, A. A. Dara, F. Liu, S. Cherivirala, P. G. Leon, M. S. Andersen, S. Zimmeck, K. M. Sathyendra, N. C. Russell, T. B. Norton, E. H. Hovy, J. R. Reidenberg, and N. M. Sadeh, \u201cThe creation and analysis of a website privacy policy corpus,\u201d in Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics, ACL 2016, August 7-12, 2016, Berlin, Germany, Volume 1: Long Papers, 2016. [Online]. Available: http:\/\/aclweb.org\/anthology\/P\/P16\/P16-1126.pdf10.18653\/v1\/P16-1126","DOI":"10.18653\/v1\/P16-1126"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/content.sciendo.com\/view\/journals\/popets\/2020\/1\/article-p47.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.sciendo.com\/pdf\/10.2478\/popets-2020-0004","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:30:44Z","timestamp":1658334644000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2020\/popets-2020-0004.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":36,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,1,7]]},"published-print":{"date-parts":[[2020,1,1]]}},"alternative-id":["10.2478\/popets-2020-0004"],"URL":"https:\/\/doi.org\/10.2478\/popets-2020-0004","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,1]]}}}