One Year After the PDPL: a Glimpse into the E-Commerce World in Saudi Arabia

A new study of 100 Saudi e-commerce sites reveals widespread gaps in data protection compliance, with LLMs flagged as a potential solution.

Deep Dive

A new research paper provides a critical, data-driven look at the state of data privacy in Saudi Arabia's e-commerce sector one year after the Personal Data Protection Law (PDPL) took effect. Authored by researchers Eman Alashwali and Abeer Alhuzali, the study audited 100 e-commerce websites against four key PDPL requirements: declaring a data retention period, the right to request data destruction, the right to request a data copy, and a complaint mechanism. The findings reveal a significant compliance gap: only 31% of the audited websites declared all four items in their privacy policies. Even when policies included declarations, they often lacked required fine-grained details. Notably, the study found that top-ranked websites and those hosted on local e-commerce platforms had higher non-compliance rates than mid- or low-ranked sites. Beyond the audit, the paper explores the novel application of Large Language Models (LLMs) as automated tools for privacy policy analysis, suggesting their potential to scale compliance monitoring while also outlining considerations for improving their accuracy in this legal context. This research, available as a pre-print on arXiv, offers crucial insights for regulators and businesses, highlighting the implementation challenges of data protection laws outside Western contexts and pointing toward AI-assisted solutions for enforcement.

Key Points
  • Only 31% of 100 audited Saudi e-commerce sites declared all four audited PDPL items (retention period, data destruction requests, data copy requests, and a complaint mechanism) in their privacy policies.
  • Top-ranked and platform-hosted sites showed higher non-compliance, contradicting assumptions about market leaders.
  • The study proposes using Large Language Models (LLMs) to automate compliance analysis, highlighting both potential and needed improvements.

Why It Matters

The study reveals a major enforcement gap in a critical market, showing where global digital regulations often fail in practice.