- Why people ignore privacy policies
- To agree, or not to agree, that is your question
Why people ignore privacy policies
Privacy policies are usually long, rambling, and notoriously difficult to understand, as a New York Times privacy project(new window) showed. Daunted by a wall of legalese, most people don’t even try.
For many companies, that’s the idea. They intentionally write their policies to give them maximum freedom to do what they want with your data. They often want to cash in and sell your personal details to third-party advertisers and data brokers while making it difficult for you to opt out.
But what happens to your data is your choice. You just need to understand these privacy notices enough to make that choice.
For you, psychological profiling(new window) and increasingly sophisticated targeted ads mean much more than just annoying spam in your inbox. They’re about predicting and arguably controlling how you act and the choices you make in life — what Bruce Schneier has dubbed surveillance-based manipulation(new window).
For society as a whole, the Cambridge Analytica scandal(new window) showed how such personalized targeting has the potential to undermine our freedom and democracy. “‘Personalization’ sounds like VIP treatment,” argues Carissa Véliz in Privacy is Power(new window), “until you realize it’s a term used to describe techniques designed to tamper with your unique mind”.
Second, do they offer ways to opt out of this data gathering? Or are there options to limit sharing information with third parties, such as data brokers and advertisers?
Third, is it clear how they’ll secure your personal information? Is it securely encrypted everywhere? And how long will they retain it?
Let’s face it: Unless you’re a lawyer, you probably won’t have the legal knowledge or time to read privacy notices word for word. That could drive you up the wall.
So we’ll focus on 10 key questions and suggest ways you can skim a policy to answer them.
1. What law regulates the processing of my personal data?
2. What personal data do they collect?
Organizations can collect a range of personal information, from your name and address to your bank details and physical location.
Do they list the personal information they collect? Is the type and amount of data collected appropriate to the product or service you’re signing up for?
3. How do they collect your personal data?
There are two main ways organizations can collect your data:
- You provide details when you sign up or place an order.
Do they describe clearly how they collect the information, what cookies or other tracking technology they use, and how you can opt out of them? (They may direct you to a separate cookie notice.)
4. How do they use your personal data?
What they do with your data is sometimes called “processing” or “processing activities”. They should list what they’ll use your personal information for, such as:
- Fulfilling your orders and managing your account
- Contacting you about updates to their services
- Emailing you about special offers for products or services
Do they spell out how they’ll use your data? Under the GDPR, marketing communications require your consent, so they should give you a simple way to opt in or out of marketing emails.
5. What are the legal grounds for using your personal data?
They should explain the “legal basis for processing” your data. Under the GDPR, the two most common are:
- Legitimate interest: what most people would consider reasonable, such as to protect users or prevent fraud
- Consent: when you explicitly agree to something, for example, to receive marketing emails
Do they state the legal basis for the different ways they use your data? If it’s your consent, do they explain how you can withdraw it if you change your mind?
6. Who do they share your personal data with?
Parties that can access your data are sometimes called “processors” and “sub-processors”. These may be service providers, like accountants or independent contractors; affiliates or subsidiaries of the company; or third-party advertisers or data brokers.
Do they specify who has access to your data? If they share your information with advertisers or data brokers to serve you “personalized” or “interest-based” ads, do they give you an easy way to opt out of this?
7. How will they secure your personal data?
A privacy notice should describe where they will store your data, whether they may transfer it abroad, and the security measures used to protect it.
Do they detail how and where they’ll store your data? Do they explain if and when your data will be encrypted?
8. How long will they retain your personal data?
Do they explain why and how long they’ll retain your data before deleting it?
9. Can you correct or delete your data?
A fundamental requirement of the GDPR is what’s known as the “right to be forgotten”: your right to access and delete your personal details.
Can you request your personal data from the organization and ask that it be corrected or permanently deleted at any time? Do they explain how to do that?
Privacy policies should be updated regularly as products and circumstances change.
Do they say how they’ll let you know about changes to the policy and how you can opt out if you don’t accept them?
The easiest way to find the passages you need to read in more detail is to search for the following key words (hit Control+F on a Windows or Linux computer or Command+F on a Mac):
- share: Who do they share your personal data with and why?
- third parties: What third parties — subcontractors, affiliates, advertising partners, and data brokers — have access to your data?
- control: What control do you have over the data that is shared?
- consent: Do they specify what sharing requires your approval?
- choice, opt out: What options do you have? How can you opt out of marketing emails and phone calls or stop sharing your data with third parties?
- cookies: What cookies or other tracking technology do they use? Can you prevent third parties from placing cookies on your devices?
- retain, correct, delete (or erase): Do you have the right to request your personal information and have it deleted?
- store, storage, encrypt: How securely will they store your data and for how long?
- right: What are your rights, especially regarding data sharing and deletion?
- contact: Who can you contact to complain about the handling of your data?
To help you decide, you can get a general overview of many companies’ privacy practices by searching on Terms of Service; Didn’t Read (ToS;DR)(new window).
To agree, or not to agree, that is your question
First, don’t be fooled by false claims that “we do not sell your data”(new window). While an organization may not directly sell your data, if they use personalized advertising, other companies will be able to pay for ads and get your personal information in return.
Second, beware of vague wording. If a company constantly talks about what it “may” or “might” do with your data, think twice about committing to an outfit that’s so cavalier about your privacy.
If you’re committed to taking back control of your personal data, you can also secure your email with our free encrypted Proton Mail. At Proton, our mission is to create ways for everyone to be secure online and in control of their information at all times, so join us. Together, we can build an internet where privacy is the default.
What is the GDPR and how does it affect privacy policies?
The GDPR, short for General Data Protection Regulation(new window), is the European Union’s data protection law, which came into force in 2018. It sets out how companies should protect and secure personal data, including requirements for privacy policies (see table below). Any organization that handles the personal data of people in the EU must comply with the GDPR, wherever the organization is in the world. For more details, see our Complete guide to GDPR compliance(new window).
Does the US have a data protection law equivalent to the GDPR?
The US has no federal law equivalent to the GDPR, but individual states have started to pass similar data protection legislation, like the California Consumer Privacy Act(new window). For more on US regulations, see the Complete Guide to Privacy Laws in the US(new window).
Does the UK still apply the GDPR after Brexit?
Yes, the UK has retained the GDPR after Brexit in a domestic law known as The UK GDPR(new window).
Check your rights: Main GDPR articles governing privacy policies
|GDPR article||Title||Topics covered|
|Art. 5||Principles relating to processing of personal data(new window)||Sets out the general principles: how your personal data should be processed transparently for specific, legitimate purposes and stored securely for a limited time.|
|Art. 6||Lawfulness of processing(new window)||Explains the six grounds for processing your data legally, including “legitimate interest” and “consent”.|
|Art. 12||Transparent information, communication and modalities for the exercise of the rights of the data subject(new window) [you]||Sets out the requirement for privacy policies, though it does not explicitly use the term: how an organization must explain its privacy practices “in a concise, transparent, intelligible and easily accessible form”.|
|Art. 13||Information to be provided where personal data are collected from the data subject(new window) [you]||Describes what information an organization should give you when you submit personal details directly, for example, by filling in a form or placing an order.|
|Art. 14||Information to be provided where personal data have not been obtained from the data subject(new window) [you]||Describes what information an organization should give you when it gathers details about you that you haven’t submitted directly, for example, by tracking your purchase history or browsing activity.|
|Art. 15||Right of access by the data subject(new window) [you]||Your right to access personal data about you held by an organization and obtain a copy.|
|Art. 16||Right to rectification(new window)||Your right to get an organization to correct the personal data about you that it holds.|
|Art. 17||Right to erasure (“right to be forgotten”)(new window)||Your right to get an organization to permanently delete the personal data about you that it holds.|
|Art. 18||Right to restriction of processing(new window)||Your right to restrict what an organization does with your personal data.|