Analysis of Privacy Compliance by Classifying Policies Before and After the Japanese Law Revision

Abstract

Companies and organizations inform users of how they handle personal data through privacy policies on their websites. Particular information, such as the purposes of collecting personal data and what data are provided to third parties is required to be disclosed by laws and regulations. An example of such a law is the Act on the Protection of Personal Information in Japan. In addition to privacy policies, an increasing number of companies are publishing security policies to express compliance and transparency of corporate behavior. However, it is challenging to update these policies against legal requirements due to the periodic law revisions and rapid business changes. In this study, we developed a method for analyzing privacy policies to check whether companies comply with legal requirements. In particular, the proposed method classifies policy contents using bidirectional encoder representations from transformers and evaluates privacy compliance by comparing the classification results with legal requirements. In addition, we analyzed security policies using the proposed method, to confirm whether the combination of privacy and security policies contributes to privacy compliance. In this study, we collected and evaluated 1,298 privacy policies and 139 security policies for Japanese companies. The results revealed that over 90% privacy policies adequately describe the handling of personal information by first parties, user rights, and security measures, and over 90% insufficiently describe the data retention and specific audience. These differences in the number of descriptions depend on industry guidelines and business characteristics. Additionally, security policies were found to improve the compliance rates of 48 out of 139 companies by describing security practices not included in privacy policies. Finally, we conducted a comparative analysis of policies before and after the Japanese law revision. We identified that although companies updated their policies, these updates were insufficient to meet the new law requirements.