How To Read A Privacy Policy: Advice from CDT Experts
Advocates have long demanded that companies notify users of how they use personal data. By increasing transparency in an opaque technical system, users are more able to make informed choices about what services to use. Most of the information about a company’s practices is listed in a privacy policy; however, substantial research and arguments have demonstrated that users are usually overwhelmed by these documents, rendering them nearly useless as a tool for consumer education.
How did this happen? Without comprehensive privacy legislation in the United States, the Federal Trade Commission uses its “unfair and deceptive” authority under the FTC Act to hold companies accountable for following the policies they publish. As a result, privacy policies are written to minimize a company’s liability rather than to communicate effectively with consumers. The Consumerist accurately summarizes the limitations of privacy policies:
“They’re long. They’re dry. They’re in a particularly tortuous form of legalese, designed to maximize corporate butt-covering and not consumer understanding. They’re hard to find. And they’re so ubiquitous and dull that we ignore them.” (3/11/16)
Academics and advocates have tried to help users understand these legal documents. Recently, Carnegie Mellon University and Fordham Law School released a public tool called “Usable Privacy“. The tool gives consumers a way to quickly review privacy policies across the web. Color-coded sidebars show categories of data practices, such as “third-party collection/sharing”, that link to the relevant areas of the privacy policy. Users can search through 193 policies now, and the team promises more to come.
But, if these documents are generally agreed to be unhelpful, why should we try to make privacy policies easier to understand for consumers? One reason is that these policies are one of the few glimpses we have into what is happening to our personal information. While most consumers may not read them, advocates can use policies to parse what companies actually are doing. The usefulness of privacy policies is limited not only by their length and dense language, but also by the limits of what people understand about technology and its terminology. CDT’s experts read privacy policies a lot, and we asked them to provide some clarity on what privacy policies actually say, and what to look for:
How old it is. Many sites include a revision history as well as the last edited date. Websites are dynamic, and privacy policies need to be kept up to date if there are changes that affect users.
— Mike Grimes, Systems Administrator
Read the definitions. For example, the definition of personal information can tell you a lot. Observe what is excluded because many technical identifiers are in fact VERY personally identifying. For example, they might exclude your device ID, which is unique to your phone/computer/tablet and can be used to connect your online activities to your identity.
— Joe Hall, Chief Technologist
Look for what the policies say on whether the provider requires a warrant for disclosure of content, and at the policy on notice of law enforcement demands. “We require a warrant for law enforcement access to your content.” Some will actually cite the Sixth Circuit opinion in the Warshak case, which imposed the warrant for content rule in all states in the Sixth Circuit. Then, then, look for any clauses that qualify this requirement.
Providers are not obligated to give notice of law enforcement demands, but many do and US law permits simultaneous notice of law enforcement demands absent a court order delaying notice. Look for an undertaking like this: “Unless prohibited by law or a court order, we give notice of law enforcement and national security demands for your content and metadata.”
— Gregory T. Nojeim, Senior Counsel & Director of Freedom, Security and Technology Project
I always think about the categories of information being collected from users, especially categories like biometric information (faceprints, iris scans, fingerprints), financial information, and location information. These are particularly sensitive.
Also, it’s not just about what kinds of information are collected — it’s also about what is done with it. Does the company discuss data retention periods? Deleting and removing information, rather than storing it indefinitely, is crucial in order to promote privacy and security. Third-party sharing is also important to know about — does the company share information with other sites, advertisers, or data brokers? If your data is going to have downstream uses or applications, you should definitely know about it.
— G.S. Hans, Policy Counsel
Sharing is key for me. Who else is getting the information about me? Once information starts going to lots of affiliates and third parties I quickly lose faith that it will receive any privacy protection.
— Chris Calabrese, Vice President for Policy
I look for whether the amount of data that is being collected is excessive and whether it includes highly sensitive data, such as location, health or other biometric data. Once this data is out, I cannot do much about that or the inferences companies may make about me into perpetuity. Then I look for the use and sharing section: are the uses in line with what I expect and does it seem reasonable. I like to see the uses be very much limited to the product or service that I am interested in. The use (or sharing) of my personal data for unrelated purposes is not justified in my opinion.
And finally, any assurances that my personal data is being aggregated or de-identified for those unrelated (marketing or analytics) uses, only worry me. I know that the protections afforded by anonymity or pseudonymity may amount to very little. I know that this data can still be used to make inferences about me and others and result in differential treatment that limits future choices. Furthermore, it is a reminder that my willingness to share my personal information with a company will inevitably implicate those who did not consent to share their data, since in the age of Big Data the information of a few can be used to infer the traits of the many.
— Katharina Kopp, Director, Privacy and Data
For mobile device apps in particular, I like to know what the app is doing with my information when I’m not using it. I do this by searching their privacy policies for key phrases – “when not in use” is a common one. More transparent apps have the courtesy to ask you up-front in-advance questions such as, “Do you grant [insert app name] permission to track your location when the app is not in use?” but others may sneak into their privacy policies that they track you when not in use by default unless you tell them otherwise. Be aware of what information you’re giving your apps, even when you’re not looking!
— Jadzia Butler, Privacy Security and Surveillance Fellow
How a company communicates a privacy policy is an important signal to me for how they view their users – if it’s a bunch of dense legal text that you can only access from a minuscule link at the bottom of their page, they probably are more concerned with their liability than with the privacy of their users. When a company takes the time to design a policy that is easy to find, straightforward, easy to understand, and visually compelling it means at least two things: 1) They took their time figuring out how to communicate the policy and so had to review their data practices, 2) They are smart enough to know that people are loyal to brands they trust, and trust begins with effective communication. Of course, even cleverly designed policies can contain a lot of concerning practices. Personally, I care about whether I can opt out of some products and services, what the defaults are for automatic removal of content, whether they are collecting a proportional amount of information based on the service I want to use, how long they hold onto my data, and how they handle disputes with customers (not a fan of binding mandatory arbitration).
— Michelle De Mooy, Deputy Director, Privacy & Data Project
I look to see if the company attempts to provide a condensed, simplified version of their privacy policy. Research has shown it would cost approximately 780 billion dollars if every consumer read every privacy policy for every website they visit. Most users are not lawyers nor technologists, and often cannot understand the incredibly complex legalese used in most privacy policies. In my experience, companies that go “the extra mile” to communicate their practices tend to be more privacy-respecting.
— Greg Norcie, Staff Technologist
Thanks to my Contracts professor in law school, I always look at the choice-of-law provision in privacy policies and Terms of Service. A lot of policies use the state of California, which is a good reminder of how important commercial privacy efforts in that state are. But on my phone, in addition to some CA-based services, I’ve got apps that are governed by the laws of Illinois, Michigan, Wales, and the Seychelles.
— Emma Llansó, Free Expression Director
Always start with the definitions because they determine what information is actually protected by the policy. Then review the various section headings; these tell you what the policy prioritizes. I especially like to see headings on customer choice, data sharing, data retention and security. Finally, look for company contact information and note whether a customer complaint process is in place if the policy has been violated.
— Alex Bradshaw, Plesser Fellow
