How did this happen? Without comprehensive privacy legislation in the United States, the Federal Trade Commission uses its “unfair and deceptive” authority under the FTC Act to hold companies accountable for following the policies they publish. As a result, privacy policies are written to minimize a company’s liability rather than to communicate effectively with consumers. The Consumerist accurately summarizes the limitations of privacy policies:
“They’re long. They’re dry. They’re in a particularly tortuous form of legalese, designed to maximize corporate butt-covering and not consumer understanding. They’re hard to find. And they’re so ubiquitous and dull that we ignore them.” (3/11/16)
But, if these documents are generally agreed to be unhelpful, why should we try to make privacy policies easier to understand for consumers? One reason is that these policies are one of the few glimpses we have into what is happening to our personal information. While most consumers may not read them, advocates can use policies to parse what companies actually are doing. The usefulness of privacy policies is limited not only by their length and dense language, but also by the limits of what people understand about technology and its terminology. CDT’s experts read privacy policies a lot, and we asked them to provide some clarity on what privacy policies actually say, and what to look for:
How old it is. Many sites include a revision history as well as the last edited date. Websites are dynamic, and privacy policies need to be kept up to date if there are changes that affect users.
— Mike Grimes, Systems Administrator
Read the definitions. For example, the definition of personal information can tell you a lot. Observe what is excluded because many technical identifiers are in fact VERY personally identifying. For example, they might exclude your device ID, which is unique to your phone/computer/tablet and can be used to connect your online activities to your identity.
— Joe Hall, Chief Technologist
Look for what the policies say on whether the provider requires a warrant for disclosure of content, and at the policy on notice of law enforcement demands. “We require a warrant for law enforcement access to your content.” Some will actually cite the Sixth Circuit opinion in the Warshak case, which imposed the warrant for content rule in all states in the Sixth Circuit. Then, look for any clauses that qualify this requirement.
Providers are not obligated to give notice of law enforcement demands, but many do and US law permits simultaneous notice of law enforcement demands absent a court order delaying notice. Look for an undertaking like this: “Unless prohibited by law or a court order, we give notice of law enforcement and national security demands for your content and metadata.”
— Gregory T. Nojeim, Senior Counsel & Director of Freedom, Security and Technology Project
I always think about the categories of information being collected from users, especially categories like biometric information (faceprints, iris scans, fingerprints), financial information, and location information. These are particularly sensitive.
Also, it’s not just about what kinds of information are collected — it’s also about what is done with it. Does the company discuss data retention periods? Deleting and removing information, rather than storing it indefinitely, is crucial in order to promote privacy and security. Third-party sharing is also important to know about — does the company share information with other sites, advertisers, or data brokers? If your data is going to have downstream uses or applications, you should definitely know about it.
— G.S. Hans, Policy Counsel
Sharing is key for me. Who else is getting the information about me? Once information starts going to lots of affiliates and third parties I quickly lose faith that it will receive any privacy protection.
— Chris Calabrese, Vice President for Policy
I look for whether the amount of data that is being collected is excessive and whether it includes highly sensitive data, such as location, health or other biometric data. Once this data is out, I cannot do much about that or the inferences companies may make about me into perpetuity. Then I look for the use and sharing section: are the uses in line with what I expect and does it seem reasonable? I like to see the uses be very much limited to the product or service that I am interested in. The use (or sharing) of my personal data for unrelated purposes is not justified in my opinion.
And finally, any assurances that my personal data is being aggregated or de-identified for those unrelated (marketing or analytics) uses only worry me. I know that the protections afforded by anonymity or pseudonymity may amount to very little. I know that this data can still be used to make inferences about me and others and result in differential treatment that limits future choices. Furthermore, it is a reminder that my willingness to share my personal information with a company will inevitably implicate those who did not consent to share their data, since in the age of Big Data the information of a few can be used to infer the traits of the many.
— Katharina Kopp, Director, Privacy and Data
For mobile device apps in particular, I like to know what the app is doing with my information when I’m not using it. I do this by searching their privacy policies for key phrases – “when not in use” is a common one. More transparent apps have the courtesy to ask you up-front in-advance questions such as, “Do you grant [insert app name] permission to track your location when the app is not in use?” but others may sneak into their privacy policies that they track you when not in use by default unless you tell them otherwise. Be aware of what information you’re giving your apps, even when you’re not looking!
— Jadzia Butler, Privacy Security and Surveillance Fellow
— Michelle De Mooy, Deputy Director, Privacy & Data Project
— Greg Norcie, Staff Technologist
Thanks to my Contracts professor in law school, I always look at the choice-of-law provision in privacy policies and Terms of Service. A lot of policies use the state of California, which is a good reminder of how important commercial privacy efforts in that state are. But on my phone, in addition to some CA-based services, I’ve got apps that are governed by the laws of Illinois, Michigan, Wales, and the Seychelles.
— Emma Llansó, Free Expression Director
Always start with the definitions because they determine what information is actually protected by the policy. Then review the various section headings; these tell you what the policy prioritizes. I especially like to see headings on customer choice, data sharing, data retention and security. Finally, look for company contact information and note whether a customer complaint process is in place if the policy has been violated.
— Alex Bradshaw, Plesser Fellow