Proposed Guidelines for Website Data Privacy Policies and an Application Thereof

  • Conference paper
Human Aspects of Information Security and Assurance (HAISA 2023)

Abstract

Business-to-consumer (B2C) e-commerce websites have recently increased in South Africa. The extent to which privacy requirements are addressed in B2C e-commerce websites is still in its infancy in South Africa, where the Protection of Personal Information Act only came into effect recently. A scoping literature review was conducted to define a holistic set of privacy policy guidelines for websites. In total, 14 privacy policy guidelines for websites were identified to aid website owners in developing their online data privacy policies. The research design further included a sample of ten popular South African B2C e-commerce website privacy policies using an embedded single-case study design to illustrate the application of the guidelines and to establish the extent to which the sample of website privacy policies covers the proposed privacy policy guidelines. The findings indicated that the website privacy policies did not fully address the proposed guidelines. The proposed privacy policy guidelines for websites provide website owners with a way to assess and improve their privacy policy content, contributing to compliance with data privacy requirements and to building consumer trust.


References

  1. Revinova, S.: E-Commerce in BRICS: similarities and differences. Int. J. Econ. Policy Emerg. Econ. 12, 377–389 (2019)

  2. Kordić, N.: The extent of e-commerce presence in developing countries. In: Proceedings of the 1st International Scientific Conference - Sinteza 2014, pp. 313–317. Singidunum University, Belgrade, Serbia (2014). https://doi.org/10.15308/sinteza-2014-313-317

  3. Earp, J.B., Anton, A.I., Aiman-Smith, L., Stufflebeam, W.H.: Examining internet privacy policies within the context of user privacy values. IEEE Trans. Eng. Manag. 52, 227–237 (2005)

  4. Protection of Personal Information, Act 4 of 2013. https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf. Accessed 2 May 2022

  5. Netshakhuma, N.S.: Assessment of a South Africa national consultative workshop on the Protection of Personal Information Act (POPIA). Global Knowl. Mem. Commun. 69, 58–74 (2020)

  6. Agrawal, R., Grosky, W.I., Fotouhi, F.: Ranking privacy policy. In: Proceedings of IEEE 23rd International Conference on Data Engineering Workshop, pp. 192–197. IEEE (2007). https://doi.org/10.1109/ICDEW.2007.4400991

  7. Javed, Y., Salehin, K.M., Shehab, M.: A study of South Asian websites on privacy compliance. IEEE Access 8, 156067–156083 (2020). https://doi.org/10.1109/ACCESS.2020.3019334

  8. Tjhin, I., Vos, M., Munaganuri, S.: Privacy governance online: privacy policy practices on New Zealand websites. In: Proceedings of Pacific Asia Conference on Information Systems, PACIS 2016 (2016)

  9. Eckert, A., Milan, G.S., Roy, G., Bado, R.: Welcome back: Repurchase intention of Brazilian customers on e-commerce websites. Revista de Ciências da Administração 23, 106–120 (2021)

  10. Meinert, D.B., Peterson, D.K., Ii, J.R.C., Crossland, M.D.: Would regulation of web site privacy policy statements increase consumer trust? Inf. Sci.: Int. J. Emerg. Transdisc. 9, 123–142 (2006). https://doi.org/10.28945/476

  11. Wu, K.-W., Huang, S.Y., Yen, D.C., Popova, I.: The effect of online privacy policy on consumer privacy concern and trust. Comput. Hum. Behav. 28, 889–897 (2012)

  12. Malapane, T.A.: A risk analysis of e-commerce: a case of South African online shopping space. In: 2019 Systems and Information Engineering Design Symposium (SIEDS), pp. 1–6. IEEE (2019)

  13. Anic, I.-D., Škare, V., Kursan Milaković, I.: The determinants and effects of online privacy concerns in the context of e-commerce. Electron. Commer. Res. Appl. 36, 100868 (2019)

  14. Staunton, C., et al.: Enabling the use of health data for research: developing a POPIA code of conduct for research in South Africa. S. Afr. J. Bioeth. Law 14, 33–36 (2021)

  15. Aladeokin, A., Zavarsky, P., Memon, N.: Analysis and compliance evaluation of cookies-setting websites with privacy protection laws. In: Proceedings of Twelfth International Conference on Digital Information Management (ICDIM), pp. 121–126. IEEE (2017)

  16. Ki Bareh, C.: Assessment of the Privacy and Security Practices of the Indian Academic Websites. Library Philosophy and Practice (2021)

  17. Tesfay, W.B., Hofmann, P., Nakamura, T., Kiyomoto, S., Serna, J.: PrivacyGuide: Towards an implementation of the EU GDPR on internet privacy policy evaluation. In: IWSPA 2018 - Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2018, 15–21 Janua, 2018 (2018). https://doi.org/10.1145/3180445.3180447

  18. Steyn, L.J., Mawela, T.: A trust-based e-commerce decision-making model for South African citizens. In: Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists - SAICSIT ’16, pp. 1–9. ACM Press, New York (2016)

  19. Mofokeng, T.E.: An empirical study stepping towards ethnographic research for e-commerce websites: a perspective of user-centred design. Afr. J. Sci. Technol. Innov. Dev. 14, 1–19 (2021). https://doi.org/10.1080/20421338.2021.1958987

  20. Hung, P.C.K., Cheng, V.S.Y.: Privacy. In: Encyclopedia of Database Systems, pp. 2136–2137. Springer, Boston (2009). https://doi.org/10.1007/978-0-387-39940-9_274

  21. Cappel, J.J., Shah, V., Verhulsdonck, G.: Perceptions of online privacy. J. Bus. Educ. Leadersh. 10, 122–133 (2020)

  22. Lockhat, R.: Social media and the Protection of Personal Information Act. South. Afr. J. Anaesth. Analg. 27, 69–72 (2021). https://doi.org/10.36303/SAJAA.2021.27.6.S1.2702

  23. Staunton, C., Tschigg, K., Sherman, G.: Data protection, data management, and data sharing: Stakeholder perspectives on the protection of personal health information in South Africa. PLoS ONE 16, e0260341 (2021). https://doi.org/10.1371/journal.pone.0260341

  24. Jiang, Y., Syn, T.: Online privacy policy disclosure: an empirical investigation. J. Comput. Inf. Syst. 63, 663–680 (2022). https://doi.org/10.1080/08874417.2022.2095542

  25. Sindermann, C., Schmitt, H.S., Kargl, F., Herbert, C., Montag, C.: Online privacy literacy and online privacy behavior – the role of crystallized intelligence and personality. Int. J. Hum. Comput. Interact. 37, 1455–1466 (2021). https://doi.org/10.1080/10447318.2021.1894799

  26. Brunotte, W., Chazette, L., Kohler, L., Klunder, J., Schneider, K.: What about my privacy? Helping users understand online privacy policies. In: Proceedings of the International Conference on Software and System Processes and International Conference on Global Software Engineering, pp. 56–65. ACM, New York (2022). https://doi.org/10.1145/3529320.3529327

  27. Kretschmer, M., Pennekamp, J., Wehrle, K.: Cookie banners and privacy policies: measuring the impact of the GDPR on the web. ACM Trans. Web 15, 1–42 (2021)

  28. Capistrano, E.P.S., Chen, J.V.: Information privacy policies: the effects of policy characteristics and online experience. Comput. Stand. Interfaces 42, 24–31 (2015)

  29. Steinfeld, N.: “I agree to the terms and conditions”: (How) do users read privacy policies online? An eye-tracking experiment. Comput. Hum. Behav. 55, 992–1000 (2016)

  30. Amos, R., Acar, G., Lucherini, E., Kshirsagar, M., Narayanan, A., Mayer, J.: Privacy policies over time: curation and analysis of a million-document dataset. In: Proceedings of the Web Conference 2021, pp. 2165–2176. ACM, New York (2021)

  31. Reinhardt, D., Borchard, J., Hurtienne, J.: Visual interactive privacy policy: the better choice? In: Proceedings of Conference on Human Factors in Computing Systems (2021)

  32. Kotal, A., Joshi, K.P., Joshi, A.: ViCLOUD: measuring vagueness in cloud service privacy policies and terms of services. In: Proceedings of IEEE 13th International Conference on Cloud Computing (CLOUD), pp. 71–79. IEEE (2020). https://doi.org/10.1109/CLOUD49709.2020.00023

  33. Proctor, R.W., Ali, M.A., Vu, K.-P.L.: Examining usability of web privacy policies. Int. J. Hum. Comput. Interact. 24, 307–328 (2008). https://doi.org/10.1080/10447310801937999

  34. Micheti, A., Burkell, J., Steeves, V.: Fixing broken doors: strategies for drafting privacy policies young people can understand. Bull. Sci. Technol. Soc. 30, 130–143 (2010)

  35. Ibdah, D., Lachtar, N., Raparthi, S.M., Bacha, A.: “Why should I read the privacy policy, I just need the service”: a study on attitudes and perceptions toward privacy policies. IEEE Access 9, 166465–166487 (2021). https://doi.org/10.1109/ACCESS.2021.3130086

  36. Zaeem, R.N., Barber, K.S.: The effect of the GDPR on privacy policies: recent progress and future promise. ACM Trans. Manag. Inf. Syst. 12, 1–20 (2021). https://doi.org/10.1145/3389685

  37. Lin, X., Liu, H., Li, Z., Xiong, G., Gou, G.: Privacy protection of China’s top websites: a multi-layer privacy measurement via network behaviours and privacy policies. Comput. Secur. 114, 102606 (2022)

  38. Prinsloo, P., Kaliisa, R.: Data privacy on the African continent: opportunities, challenges and implications for learning analytics. Br. J. Edu. Technol. 53, 894–913 (2022)

  39. Botha, J., Grobler, M.M., Hahn, J., Eloff, M.: A high-level comparison between the South African Protection of Personal Information Act and international data protection laws. In: Proceedings of the 12th International Conference on Cyber Warfare and Security, ICCWS 2017, pp. 57–66 (2017)

  40. Oki, O., Ngotshane, S.: Investigating the effects of COVID-19 on online shopping cybercrime in Buffalo City. In: Proceedings of 2021 International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME), pp. 1–6. IEEE (2021)

  41. Mutemwa, M., Mtsweni, J., Mkhonto, N.: Developing a cyber threat intelligence sharing platform for South African organisations. In: Proceedings of 2017 Conference on Information Communication Technology and Society (ICTAS), pp. 1–6. IEEE (2017)

  42. van Ooijen, I., Vrabec, H.U.: Does the GDPR enhance consumers’ control over personal data? An analysis from a behavioural perspective. J. Consum. Policy 42(1), 91–107 (2018). https://doi.org/10.1007/s10603-018-9399-7

  43. Lung, S.L., Wincentak, J., Gan, C., Kingsnorth, S., Provvidenza, C., McPherson, A.C.: A scoping review of suggested practices for healthcare providers when discussing sexuality with youth. Can. J. Hum. Sex. 31, 143–160 (2022). https://doi.org/10.3138/cjhs.2021-0058

  44. Rumrill, P.D., Fitzgerald, S.M., Merchant, W.R.: Using scoping literature reviews as a means of understanding and interpreting existing literature. Work 35, 399–404 (2010)

  45. Munn, Z., Peters, M.D., Stern, C., Tufanaru, C., McArthur, A., Aromataris, E.: Systematic review or scoping review? Guidance for authors when choosing between a systematic or scoping review approach. BMC Med. Res. Methodol. 18, 1–7 (2018)

  46. Page, M.J., Moher, D., McKenzie, J.E.: Introduction to PRISMA 2020 and implications for research synthesis methodologists. Res. Synth. Methods 13, 156–163 (2022). https://doi.org/10.1002/jrsm.1535

  47. Asif, M., Javed, Y., Hussain, M.: Automated analysis of Pakistani websites’ compliance with GDPR and Pakistan data protection act. In: Proceedings of International Conference on Frontiers of Information Technology (FIT), pp. 234–239. IEEE (2021). https://doi.org/10.1109/FIT53504.2021.00051

  48. Bufalieri, L., La Morgia, M., Mei, A., Stefa, J.: GDPR: when the right to access personal data becomes a threat. In: Proceedings of 2020 IEEE International Conference on Web Services (ICWS), pp. 75–83. IEEE (2020). https://doi.org/10.1109/ICWS49710.2020.00017

  49. Chang, Y., Wong, S.F., Libaque-Saenz, C.F., Lee, H.: The role of privacy policy on consumers’ perceived privacy. Gov. Inf. Q. 35, 445–459 (2018). https://doi.org/10.1016/j.giq.2018.04.002

  50. Coleti, T.A., Correa, P.L.P., Filgueiras, L.V.L., Morandini, M.: TR-Model. A metadata profile application for personal data transparency. IEEE Access 8, 75184–75209 (2020). https://doi.org/10.1109/ACCESS.2020.2988566

  51. Fouad, I., Santos, C., Al Kassar, F., Bielova, N., Calzavara, S.: On compliance of cookie purposes with the purpose specification principle. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 326–333. IEEE (2020). https://doi.org/10.1109/EuroSPW51379.2020.00051

  52. Mamakou, X.J., Kardaras, D.K., Papathanassiou, E.A.: Evaluation of websites’ compliance to legal and ethical guidelines: a fuzzy logic–based methodology. J. Inf. Sci. 44, 425–442 (2018). https://doi.org/10.1177/0165551517697610

  53. Nwaeze, A.C., Zavarsky, P., Ruhl, R.: Compliance evaluation of information privacy protection in e-government systems in Anglophone West Africa using ISO/IEC 29100:2011. In: Proceedings of Twelfth International Conference on Digital Information Management (ICDIM), pp. 98–102. IEEE (2017). https://doi.org/10.1109/ICDIM.2017.8244644

  54. Zaeem, R.N., German, R.L., Barber, K.S.: PrivacyCheck: automatic summarization of privacy policies using data mining. ACM Trans. Internet Technol. 18, 1–18 (2018). https://doi.org/10.1145/3127519

  55. Nilmanat, K., Kurniawan, T.: The quest in case study research. Pac. Rim Int. J. Nurs. Res. Thail. 25, 1–6 (2020)

  56. Woodside, A.G., Wilson, E.J.: Case study research methods for theory building. J. Bus. Ind. Mark. 18, 493–508 (2003). https://doi.org/10.1108/08858620310492374

  57. Yin, R.K.: Case Study Research: Design and Methods. Sage Publications, Thousand Oaks (2003)

  58. Schoch, K., Burkholder, G., Cox, K., Crawford, L., Hitchcock, J.: Research Design and Methods: An Applied Guide for the Scholar-Practitioner. SAGE Publications Inc., Thousand Oaks (2019)

  59. Lenz, A.S.: Using single-case research designs to demonstrate evidence for counseling practices. J. Couns. Dev. 93, 387–393 (2015). https://doi.org/10.1002/jcad.12036

  60. Taherdoost, H.: Sampling methods in research methodology; how to choose a sampling technique for research. SSRN Electron. J. 5, 18–27 (2016). https://doi.org/10.2139/ssrn.3205035

  61. Seawright, J., Gerring, J.: Case selection techniques in case study research: a menu of qualitative and quantitative options. Polit. Res. Q. 61, 294–308 (2008). https://doi.org/10.1177/1065912907313077

  62. Jensen, C., Potts, C.: Privacy policies as decision-making tools: an evaluation of online privacy notices. In: Proceedings of the 2004 Conference on Human Factors in Computing Systems - CHI 2004, pp. 471–478. ACM Press, New York (2004). https://doi.org/10.1145/985692.985752

  63. Srinath, M., Wilson, S., Giles, C.L.: Privacy at scale: introducing the PrivaSeer corpus of web privacy policies. In: Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing (Volume 1: Long Papers), pp. 6829–6839. Association for Computational Linguistics, Stroudsburg (2021). https://doi.org/10.18653/v1/2021.acl-long.532

  64. Udayanga, V., Jayarajah, U., Colonne, S.D., Seneviratne, S.A.: Quality of the patient-oriented information on thyroid cancer in the internet. Health Policy Technol. 9, 302–307 (2020). https://doi.org/10.1016/j.hlpt.2020.03.007


Corresponding author

Correspondence to Armand Vorster.


Appendix A: Website Privacy Policy Guidelines

Website Privacy Policy Guidelines (each guideline is given with its POPIA mapping, a description and the assessment questions)

Accuracy of Data
  POPIA mapping: Information Quality (Condition 5)
  Description: The information set out in the privacy policy must be up to date, and the terms discussed in the policy should be accurate and true [52].
  Questions:
  Q1. Is the information defined in the privacy policy up to date (are there any timestamps showing when the policy was last updated)?

Assurances
  POPIA mapping: Accountability (Condition 1)
  Description: Defines the third-party laws that govern how the responsible party of the website manages and processes data and ensures that the privacy policy is constructive [6, 49].
  Questions:
  Q2. Are the third-party laws that govern how the responsible party of the website manages and processes the data made available (are any details given about POPIA or the Information Regulator of South Africa)?

Breach Notification
  POPIA mapping: Security Safeguards (Condition 7)
  Description: This is the notification guarantee that the website provides to the data subject. If any form of data breach occurs, this breach must be communicated to the data subject. The breach will also be reported to the applicable authority [7, 47].
  Questions:
  Q3. Will the data subject be notified if a breach of personal data occurs?
  Q4. Does the policy contain the steps and processes that will be followed if a breach occurs?
  Q5. Will the breach be reported to the appropriate authority?

Clarity of the Privacy Policy
  POPIA mapping: Openness (Condition 6)
  Description: It must be easy to comprehend and not be long and tedious, which may discourage users from reading it [37, 51].
  Questions:
  Q6. Is the policy easy to comprehend and not long and tedious?
  Note: The FRES and FGL scores can be calculated to determine whether the policy is easy to comprehend. Readable.com can be used to determine the FRES score, FGL score and word count.

Cross-border Data Transfer and Portability
  POPIA mapping: Further Processing Limitation (Condition 4)
  Description: The user or data subject must be aware of any personal data or information transferred outside the original borders of consent [47, 50].
  Questions:
  Q7. Are any details given on cross-border data transfer?

Data Collection Sources and Purpose
  POPIA mapping: Processing Limitation (Condition 2)
  Description: Includes the sources and purpose of collecting the data [47]. Only data that is essential for processing should be collected, and the collection volume should not exceed the privacy policy definitions [37].
  Questions:
  Q8. Are the data collection sources and purposes defined?
  Q9. Is it defined that only the data that is essential for processing is collected and that the collection volume will not exceed the privacy policy definitions?

Data Processing and Consent
  POPIA mapping: Processing Limitation (Condition 2)
  Description: Encompasses the requirements and purpose for data processing. The data subject must provide consent for any data that will be processed, and the type of data to be processed should be made clear in the privacy policy [47, 53].
  Questions:
  Q10. Is consent obtained from the data subject before any data is processed?
  Q11. Is the type of data that will be processed made clear in the privacy policy?

Data Retention
  POPIA mapping: Purpose Specification (Condition 3)
  Description: Defines the data retention period of the processing body. The privacy policy should also provide details on when the data subject’s personal data will be deleted or removed [37].
  Questions:
  Q12. Is the data retention period of the processing body provided?
  Q13. Are details provided on when the data subject’s data will be deleted or removed?

Data Security Measures
  POPIA mapping: Security Safeguards (Condition 7)
  Description: The personal information and data of the user must be protected and secured by the data operator. Personal data must also be guarded and protected when transferred [52]. The data operator should provide assurances and the steps taken to protect the integrity of the data [49].
  Questions:
  Q14. Information and data of the user must be protected and secured by the data operator; are security measures in place to protect the data?
  Q15. Personal data must also be guarded and protected when transferred, and the data operator should provide assurances and the steps taken to protect the integrity of the data. Are these steps defined?

Disclosure of Privacy Policy
  POPIA mapping: Openness (Condition 6)
  Description: It is vital for the privacy policy to be visible and openly available on the website accessed, informing users of their rights [48].
  Questions:
  Q16. Is the privacy policy openly available on the website?

Entity
  POPIA mapping: Openness (Condition 6)
  Description: Provides information on the website, data operator and processor. In addition, the website should provide contact details so that the data subject can contact them [6].
  Questions:
  Q17. Information about the website, data operator and processor must be provided in the privacy policy; is this information available?
  Q18. Does the website provide contact details for the data subject?

Transparency and Ease of Access
  POPIA mapping: Openness (Condition 6)
  Description: The privacy policy should be uncomplicated to find on the website, and access to the privacy policy should not be complicated or misleading [37].
  Questions:
  Q19. Is the privacy policy easily found on the website (access to the privacy policy should not be complicated or misleading)?
  Note: This can be measured by counting the number of clicks it takes to reach the website privacy policy.

Third-Party Data Users and Disclosure of Personal Data
  POPIA mapping: Further Processing Limitation (Condition 4)
  Description: If data is being shared or distributed with a third-party company, the data subject should be alerted, and consent should be obtained [47]. The roles of each third-party data user must be clearly defined [50].
  Questions:
  Q20. If data is being shared or distributed with a third-party company, the data subject should be alerted and consent should be obtained; is this consent mentioned or discussed in the privacy policy?
  Q21. Are the roles of each third-party data user clearly defined?

User Control
  POPIA mapping: Data Subject Participation (Condition 8)
  Description: The data subject must be able to control who accesses their data [49]. Additionally, it must be possible for data subjects to ask for their data to be deleted. Finally, the sharing and processing of their data should be controllable [7].
  Questions:
  Q22. Can the data subject control who accesses their data?
  Q23. Is it possible for the data subject to ask for their data to be deleted?
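As an added example (not code from the paper or its authors), the two measurable checks in the table above in runnable form: the Q6 readability scores and the Q1 "last updated" timestamp check. It assumes FRES and FGL mean the Flesch Reading Ease Score and the Flesch-Kincaid Grade Level with their standard coefficients, and the FRES >= 60 cut-off used to turn Q6 into a yes/no answer is my assumption, not a threshold the paper sets.

```python
import re

# Heuristic syllable counter and the standard Flesch formulas; Readable.com,
# which the appendix points to, is not needed for this local computation.
VOWEL_GROUPS = re.compile(r"[aeiouy]+")
WORD = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
DATE = r"(\d{1,2}\s+[A-Za-z]+\s+\d{4}|[A-Za-z]+\s+\d{1,2},?\s+\d{4}|\d{4}-\d{2}-\d{2})"
UPDATED = re.compile(
    r"(?:last\s+(?:updated|revised|modified)|effective\s+date)\W{0,5}(?:on\s+)?" + DATE,
    re.IGNORECASE,
)
# Assumption (not from the paper): FRES >= 60 is the usual "plain English" cut-off.
PLAIN_ENGLISH_FRES = 60.0


def count_syllables(word: str) -> int:
    """Count vowel groups, dropping one for a silent final 'e' (e.g. 'delete' -> 2)."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(1, groups)


def split_sentences(text: str) -> list:
    """Split on sentence-ending punctuation followed by whitespace; drop empty parts."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [p for p in parts if re.search(r"[A-Za-z]", p)]


def readability(text: str) -> dict:
    """Word, sentence and syllable counts plus FRES and FGL for one policy text."""
    sentences = split_sentences(text)
    words = WORD.findall(text)
    if not sentences or not words:
        return {"words": 0, "sentences": 0, "syllables": 0, "fres": None, "fgl": None}
    syllables = sum(count_syllables(w) for w in words)
    asl = len(words) / len(sentences)   # average sentence length
    asw = syllables / len(words)        # average syllables per word
    fres = 206.835 - 1.015 * asl - 84.6 * asw
    fgl = 0.39 * asl + 11.8 * asw - 15.59
    return {"words": len(words), "sentences": len(sentences),
            "syllables": syllables, "fres": round(fres, 1), "fgl": round(fgl, 1)}


def last_updated(text: str):
    """Q1: return the 'last updated' / 'effective date' stamp, or None if absent."""
    m = UPDATED.search(text)
    return m.group(1).strip() if m else None


def assess(text: str) -> dict:
    """Answer Q1 and Q6 of the appendix for one policy text."""
    stats = readability(text)
    stamp = last_updated(text)
    plain = stats["fres"] is not None and stats["fres"] >= PLAIN_ENGLISH_FRES
    return {"Q1_timestamp_present": stamp is not None, "Q1_timestamp": stamp,
            "Q6_plain_english": plain, **stats}


# Constructed sample policies (not taken from any real website).
SHORT_POLICY = (
    "Privacy Policy. Last updated: 3 May 2022. We collect your name and email "
    "when you order. We use this data to ship your order. We keep it for five "
    "years. You may ask us to delete it. We do not sell your data to third parties."
)
DENSE_POLICY = (
    "Notwithstanding the aforementioned provisions, personally identifiable "
    "information voluntarily submitted by the user may be retained indefinitely "
    "and disseminated to affiliated organisations in accordance with applicable "
    "legislation, without further notification or acknowledgement."
)

if __name__ == "__main__":
    for name, policy in (("short", SHORT_POLICY), ("dense", DENSE_POLICY)):
        print(name, assess(policy))
```

The syllable heuristic over-counts on some long Latinate words, so treat the scores as a screening signal for Q6 rather than a substitute for reading the policy.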


Copyright information

© 2023 IFIP International Federation for Information Processing


Cite this paper

Vorster, A., da Veiga, A. (2023). Proposed Guidelines for Website Data Privacy Policies and an Application Thereof. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_16


  • DOI: https://doi.org/10.1007/978-3-031-38530-8_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38529-2

  • Online ISBN: 978-3-031-38530-8
