Johannesburg — THE need for stricter data protection laws was highlighted this week with research proving that SA websites are lax in the amount of care they show towards the privacy of their customers.

SA's top 100 websites deny consumers the protection they should enjoy, paint a poor picture of the internet industry and must significantly improve their privacy policies to meet global information standards.

The study by Information Systems students at the University of Cape Town was the first time that the data protection behaviour of local websites has been analysed. Its chief findings were that: The top 100 websites fail dismally in fair information principles. Of the 96 sites that collect data that can identify an individual, only 10 use internationally accepted policies of telling the consumer what they will do with that data and giving them choices about its use.

Of the 96 sites that collect personal identifying data, 50% will share the information with third parties without the individual's consent and 83% do not obtain the user's consent before sending them more communications.

Two-thirds of the websites fail to comply fully with the Electronic Communications and Transactions (ECT) Act.

The survey was conducted on the 10 most popular websites in 10 industries, including media, shopping, business and finance, recreation and travel.

Privacy issues arise when websites collect information such as a name, address, telephone number, e-mail address and credit card details that can identify an individual. Of SA's top 100 sites, 96% collect that personal information, while 84% collect generic data such as gender, age or income that cannot identify the individual.

Yet only 24% of sites that collect identifying details say anything about what exactly is collected, and only 56% say whether that information will be disclosed to third parties. Nineteen say they may share personal details with third parties, while 37 promise they will not do so.

Only five sites give users an opportunity to "opt in" and receive future communications, with 24 sites letting users "opt out" of any future contact. Sixteen do not give a choice, and presumably send people further communications whether they want them or not.

Once your personal details are captured by a website, only 25% let users review some of the information held about them and correct any inaccuracies.

Only 14% let users delete any of those personal details.

The survey found that shopping and business websites outperform the other sectors in their fair treatment of data. Education and government sites were at the bottom of the class, with the vast majority failing to post a privacy policy and none giving users a choice about how their data is used. Government sites said nothing about third party disclosure practices and were silent on any security measures used to protect confidential information.

By ignoring the provisions of the ECT Act, businesses were engaging in illegal behaviour, the report said.

But the act itself had a limited scope and had undermined the consumer protection which it was designed to provide. "The disregard for fair information practices underscores the pressing need for effective data privacy legislation," the report concludes.