Galexia

Privacy White Lists - Don't be Fooled (2009)

2.1. Mexico – the AMIPCI Trust Mark

In Mexico a generic e-commerce trustmark is in operation that includes some privacy requirements. The trustmark is administered by AMIPCI (Mexican Internet Association) with some Government funding and support. There are approximately 278 members and information is available in Spanish and English.[4]

The AMIPCI rules state that all certified members must:

Comply with the provisions of the guidelines or principles on privacy of APEC information, also known as Asia-Pacific Economic Cooperation (APEC).

The Galexia study made the following findings:

| Issue | Test | Non-Compliance % |
| --- | --- | --- |
| No working seal | A working seal does not appear on the organisation’s web site | 5% |
| Membership has expired | The membership is not current | 5% |
| Privacy policy not available | The organisation’s privacy policy is not available | 17% |
| Overall non-compliance | Cumulative total | 23% |

A cumulative total for each table has been included so that organisations are only counted as non-compliant once, even though they may be non-compliant across several categories.

The Galexia study of the AMIPCI trustmark also tested whether the claim that organisations comply with the APEC Privacy Framework is valid, as this is the privacy standard required by AMIPCI. The APEC Privacy Framework contains nine high-level Principles and it is quite complex to test a privacy policy against all of them. However, Principle 2: Notice is relevant to website privacy policies and does contain an item that is easy to check – item (e) regarding notice of access and correction rights and processes:

APEC Privacy Framework Principle 2: Notice
Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include:
...
(e) the choices and means the personal information controller offers individuals for limiting the use and disclosure of, and for accessing and correcting their personal information.

Some sites have a privacy policy, but 68 of the AMIPCI trustmark sites (30%) did not comply with the one APEC Privacy Principle that Galexia was able to check (Principle 2 Notice regarding access rights). Many of the privacy policies are only one paragraph long and it is difficult to understand how they can have been certified by AMIPCI as compliant with the APEC Privacy Framework. While the APEC standard is weak, it cannot be complied with in a one-paragraph privacy policy. A more thorough examination of AMIPCI members is likely to reveal an even lower level of compliance.

AMIPCI Strengths

  • The AMIPCI white list is available to the public;
  • Data is relatively up-to-date (although a few seals had expired, no expiry was more than three months old);
  • Information is available in multiple languages;
  • A deep verification link is provided wherever the seal appears; and
  • Privacy standards are published (although only in the form of a link to APEC).

AMIPCI Weaknesses

  • Many of the privacy policies were very short (one paragraph only); and
  • AMIPCI overstates compliance with the APEC Privacy Framework.

[4] <http://www.sellosdeconfianza.org.mx/lisneg.php>