An Extended Investigation of the Similarity Between Privacy Policies of Social Networking Sites as a Precursor for Standardization


  • Emma Cradock University of Southampton
  • David Millard University of Southampton
  • Sophie Stalla-Bourdillon University of Southampton



Privacy policies are unsatisfactory in communicating information to users. Social networking sites (SNS) exemplify this, attracting growing concerns regarding their use of personal data, but lack incentives to improve their policies. Standardization addresses many of these issues, but is only possible if policies share attributes which can be standardized. This investigation assessed the similarity of two attributes (the clauses used and the coverage of forty recommendations made by the UK Information Commissioner) between the privacy policies of the six most frequently visited SNS globally. Similarity was also investigated by looking at whether there were any recommendations that none of the SNS addressed and any themes of information discussed in the policies but not included in the ICO Code. Similarity in the clauses was low, yet similarity in the recommendations covered was high, indicating that SNS use different clauses to convey similar information. There were a number of ICO Code recommendations which none of the SNS addressed, and four themes of information that all six SNS addressed which were not present in the ICO Code. This paper proposes that the policies of SNS already share attributes, indicating the feasibility of standardization, and makes five recommendations to begin facilitating this.

Author Biographies

  • Emma Cradock, University of Southampton
    PhD Researcher, Web and Internet Science, University of Southampton.
  • David Millard, University of Southampton
    David is a Senior Lecturer of Computer and Web Science at the University of Southampton, UK. He is a founding member of the Web and Internet Science (WAIS) research group, and is also Associate Director of Research for the University’s Centre for Innovation in Technology and Education (CITE), which aims to create 21st century learning tools for University staff and students and develop a more digitally literate university community. David sits on the steering group for the Web Science Doctoral Training Centre (DTC), and is a member of the University’s cross-faculty Digital Economy Group. He is also a Senior Admissions Tutor and the Head of UCAS for ECS.
  • Sophie Stalla-Bourdillon, University of Southampton
    Sophie is an Associate Professor in Information Technology and Intellectual Property Law at the University of Southampton, UK. She is the Director of ILAWS, the Institute for the Law and the Web, and its new core on Law, Internet and Culture ‘iCLIC’. She is a member of the Southampton Centre of Excellence in Cybersecurity and the Web Science Institute.

    Sophie specialises in IT-related issues and in particular the impact of traditional bodies of law and fundamental rights and liberties upon Internet regulation. She has been researching and writing on the liability of Internet intermediaries such as Internet service providers, Web 2.0 platforms and search engines, on the legal implications of deep packet inspection practices implemented by Internet service providers, and on the role of hosting providers in relation to malicious webpages. She has recently co-authored a book on Privacy versus Security published by Springer.

    She is now exploring the challenges raised by the Internet of things focusing upon operational trustworthiness enabling technologies (FP7 OPTET) and the implications of data enrichment in a digital age (The Ordnance Survey Data Enrichment Project).

    Sophie is the creator of Peep Beep!, a blog dedicated to privacy and information law.

