One Year After the PDPL: a Glimpse into the E-Commerce World in Saudi Arabia

📅 2026-02-20
🤖 AI Summary
This study evaluates the compliance of e-commerce websites in Saudi Arabia with the Personal Data Protection Law (PDPL) one year after its enactment, focusing on disclosures in privacy policies regarding data retention periods, the right to erasure, the right of access, and complaint mechanisms. By combining manual review with large language model (LLM)-assisted automated analysis of privacy policies from 100 platforms, the research offers the first systematic assessment of PDPL implementation in a non-Western context. Findings reveal that only 31% of websites fully disclose all four required elements, with leading and locally based platforms exhibiting even lower compliance rates, indicating structural gaps in adherence. This work not only demonstrates the potential and limitations of LLMs for evaluating privacy policy compliance but also introduces a novel methodological approach for empirical studies of emerging data protection regulations.

📝 Abstract
In 2024, Saudi Arabia's Personal Data Protection Law (PDPL) came into force. However, little work has been done to assess its implementation. In this paper, we analyzed 100 e-commerce websites in Saudi Arabia against the PDPL, examining the presence of a privacy policy and, if present, the policy's declarations of four items pertaining to personal data rights and practices: a) personal data retention period, b) the right to request the destruction of personal data, c) the right to request a copy of personal data, and d) a mechanism for filing complaints. Our results show that, despite national awareness and support efforts, a significant fraction of e-commerce websites in our dataset are not fully compliant: only 31% of the websites in our dataset declared all four examined items in their privacy policies. Even when privacy policies included such declarations, a considerable fraction of them failed to cover required fine-grained details. Second, the majority of top-ranked e-commerce websites (based on search results order) and those hosted on local e-commerce hosting platforms exhibited considerably higher non-compliance rates than mid- to low-ranked websites and those not hosted on e-commerce platforms. Third, we assessed the use of Large Language Models (LLMs) as an automated tool for privacy policy analysis to measure compliance with the PDPL. We highlight the potential of LLMs and suggest considerations to improve LLM-based automated analysis for privacy policies. Our results provide a step forward in understanding the implementation barriers to data protection laws, especially in non-Western contexts. We provide recommendations for policymakers, regulators, website owners, and developers seeking to improve data protection practices and automate compliance monitoring.
Problem

Research questions and friction points this paper is trying to address.

Personal Data Protection Law
e-commerce compliance
privacy policy
data protection
Saudi Arabia
Innovation

Methods, ideas, or system contributions that make the work stand out.

PDPL compliance
e-commerce privacy
Large Language Models
automated policy analysis
data protection law