A Bermuda Privacy Commission survey of 196 local websites and apps found that 76 per cent used language that was difficult to understand when it came to user privacy, and only 40 per cent had any privacy policy notice at all.

These were some of the findings from the Privacy Commission’s first participation in an annual worldwide survey of online privacy protection.

From January 29 to February 2, the local Privacy Commission was one of 26 global privacy enforcement authorities that acted as “sweepers” in the Global Privacy Enforcement Network sweep.

The annual initiative is aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing co-operation between international privacy enforcement authorities.

The Privacy Commissioner, Alexander White, said: “Participating in this sweep was an important first step for our office into the phase of conducting active investigations.”

He gave credit to assistant commissioner Christopher Moulder and his team for not only executing the global privacy sweep, but also adding Bermuda-specific sweep questions. These took into account many organisations’ early stage of Personal Information Protection Act readiness.

Pipa comes into effect on January 1, and will regulate and protect the use of personal information by individuals, companies, public authorities and other organisations in Bermuda.

“We recognise that with Pipa not yet in effect, some organisations may not yet have their privacy notices where they would like them,” Mr White said. “The sweep gives our office statistics about what sort of guidance would be useful. The sweep results provide a baseline by which we can measure our progress as a community in these areas. We encourage organisations not to wait, but to start on the ‘Road to Pipa’ now.”

The sweep found that nearly all of the 1,000-plus websites and mobile apps they looked at employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions.

Deceptive design patterns, also referred to as dark patterns, use features that steer users towards options that may result in the collection of more of their personal information.

These patterns may also force users to take multiple steps to find a privacy policy, log out, or delete their account, or present them with repetitive prompts aimed at frustrating them and ultimately pushing them to give up more of their personal information than they would like.

Those involved in the privacy sweep replicated the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices, obtain privacy information, and log out of or delete an account.

The local sweep took place on February 1.

“I believe the sweep went extremely well, as it gave us an opportunity to examine organisations specific to the scope but also provided us with valuable data from an overall Pipa compliance standpoint,” Mr Moulder said.

The data confirmed that there was much work to be done.

“I’m hopeful that future sweeps will highlight the steps taken by organisations now towards full Pipa compliance,” he said.