In 2024, Saudi Arabia's Personal Data Protection Law (PDPL) came into force. However, little work has been done to assess its implementation. In this paper, we analyzed 100 e-commerce websites in Saudi Arabia against the PDPL, examining the presence of a privacy policy and, if present, the policy's declarations of four items pertaining to personal data rights and practices: a) personal data retention period, b) the right to request the destruction of personal data, c) the right to request a copy of personal data, and d) a mechanism for filing complaints. First, our results show that, despite national awareness and support efforts, a significant fraction of e-commerce websites in our dataset are not fully compliant: only 31% of the websites in our dataset declared all four examined items in their privacy policies. Even when privacy policies included such declarations, a considerable fraction of them failed to cover the required fine-grained details. Second, the majority of top-ranked e-commerce websites (based on search results order) and those hosted on local e-commerce hosting platforms exhibited considerably higher non-compliance rates than mid- to low-ranked websites and those not hosted on e-commerce platforms. Third, we assessed the use of Large Language Models (LLMs) as an automated tool for privacy policy analysis to measure compliance with the PDPL. We highlight the potential of LLMs and suggest considerations to improve LLM-based automated analysis of privacy policies. Our results provide a step forward in understanding the implementation barriers to data protection laws, especially in non-Western contexts. We provide recommendations for policymakers, regulators, website owners, and developers seeking to improve data protection practices and automate compliance monitoring.