One Year After the PDPL: a Glimpse into the E-Commerce World in Saudi Arabia

Eman Alashwali, Abeer Alhuzali

TL;DR

This paper analyzed 100 e-commerce websites in Saudi Arabia against the PDPL, examining the presence of a privacy policy and the policy's declarations of four items pertaining to personal data rights and practices, and assessed the use of Large Language Models (LLMs) as an automated tool for privacy policy analysis to measure compliance with the PDPL.

Abstract

In 2024, Saudi Arabia's Personal Data Protection Law (PDPL) came into force. However, little work has been done to assess its implementation. In this paper, we analyzed 100 e-commerce websites in Saudi Arabia against the PDPL, examining the presence of a privacy policy and, if present, the policy's declarations of four items pertaining to personal data rights and practices: a) personal data retention period, b) the right to request the destruction of personal data, c) the right to request a copy of personal data, and d) a mechanism for filing complaints. First, our results show that, despite national awareness and support efforts, a significant fraction of e-commerce websites in our dataset are not fully compliant: only 31% of the websites in our dataset declared all four examined items in their privacy policies. Even when privacy policies included such declarations, a considerable fraction of them failed to cover required fine-grained details. Second, the majority of top-ranked e-commerce websites (based on search results order) and those hosted on local e-commerce hosting platforms exhibited considerably higher non-compliance rates than mid- to low-ranked websites and those not hosted on e-commerce platforms. Third, we assessed the use of Large Language Models (LLMs) as an automated tool for privacy policy analysis to measure compliance with the PDPL. We highlight the potential of LLMs and suggest considerations to improve LLM-based automated analysis for privacy policies. Our results provide a step forward in understanding the implementation barriers to data protection laws, especially in non-Western contexts. We provide recommendations for policymakers, regulators, website owners, and developers seeking to improve data protection practices and automate compliance monitoring.

Paper Structure (77 sections, 3 figures, 12 tables)

This paper contains 77 sections, 3 figures, 12 tables.

Figures (3)

  • Figure 1: Screenshot of the Wappalyzer Chrome extension's output for profiling the technologies used by a website, which includes the e-commerce hosting platform.
  • Figure 2: The LLM prompt template used in our automated coarse-grained privacy policy analysis. The LLM retrieves the "policy_text" from a text file, and the question and its options from a CSV file.
  • Figure 3: Screenshot of Wappalyzer's rating and download count.