The Secure Surfing Organization rates privacy policies that are maintained in the Privacy Policy Library.
A policy can have more than one rating if it meets more than one standard. This will most frequently happen when a policy has a positive rating, but also exposes users to some unnecessary risk. For example, Sears.ca has a privacy policy that is rated both Strong and CYA.
It is rated Strong because it embraces the 10 Privacy Principles and sets out its privacy practices in detail. However, in two spots in its policy, Sears also includes the unacceptably expansive phrase “as permitted by law.” Some corporate privacy advisors claim such disclaimers are required to cover the actions (colloquially, CYA) of unintended or unforeseen disclosure.
Including the “as permitted by law” phrase effectively neuters much of the rest of a policy, because it literally means that if disclosing information is not explicitly illegal, then the company might disclose it.
Thus a double rating of Strong and CYA.



