Privacy Decrypted #6: How to read a privacy policy


Privacy policies explain how organizations collect and secure your personal information, but few people read them. Here’s how to quickly check a privacy policy to take back control of your data.

When you last bought something online, you may have glanced at the terms of use, if only to check the delivery or return details. But did you read the privacy policy? If not, you’re not alone. We explain why you should and how to find the devil in the details to protect your privacy and security.

What is a privacy policy?

A privacy policy, also known as a privacy notice, explains how an organization collects, stores, and uses the personal information you provide. Most websites have to explain what they do with your data to meet legal obligations, such as the European Union’s General Data Protection Regulation (GDPR).

Together with terms of use, privacy notices are vital legal documents that defend your fundamental right to privacy. So why do only 9% of adults in the US say they always read a company’s privacy policy, despite growing concern about online privacy?

Why people ignore privacy policies

Privacy policies are usually long, rambling, and notoriously difficult to understand, as a New York Times privacy project showed. Daunted by a wall of legalese, most people don’t even try.

For many companies, that’s the idea. They intentionally write their policies to give them maximum freedom to do what they want with your data. They often want to cash in and sell your personal details to third-party advertisers and data brokers while making it difficult for you to opt out.

But what happens to your data is your choice. You just need to understand these privacy notices enough to make that choice.

Why you should read a privacy policy

Our blind acceptance of terms of use and privacy notices is at the heart of what Shoshana Zuboff called surveillance capitalism. You give your “consent”, though you’ve barely read or understood what for. Companies can then abuse your data at will — with significant consequences for you and society.

For you, psychological profiling and increasingly sophisticated targeted ads mean much more than just annoying spam in your inbox. They’re about predicting and arguably controlling how you act and the choices you make in life — what Bruce Schneier has dubbed surveillance-based manipulation.

For society as a whole, the Cambridge Analytica scandal showed how such personalized targeting has the potential to undermine our freedom and democracy. “‘Personalization’ sounds like VIP treatment,” argues Carissa Véliz in Privacy is Power, “until you realize it’s a term used to describe techniques designed to tamper with your unique mind”.

Reading a privacy policy is a small but significant way you can fight back. First, you need to determine what personal data an organization will collect and what they’ll do with it.

Second, do they offer ways to opt out of this data gathering? Or are there options to limit sharing information with third parties, such as data brokers and advertisers?

Third, is it clear how they’ll secure your personal information? Is it securely encrypted everywhere? And how long will they retain it?

Overall, is signing up worth the risk? The more personal data you give away, the more likely you’ll fall victim to a data breach or identity theft.

Most importantly, check the privacy policy before you click “agree”. And if they don’t have one, stop there.


What to look for in a privacy policy

Let’s face it: Unless you’re a lawyer, you probably won’t have the legal knowledge or time to read privacy notices word for word. That could drive you up the wall.

So we’ll focus on 10 key questions and suggest ways you can skim a policy to answer them.

1. What law regulates the processing of my personal data?

First, you need to know whether the organization is subject to strong data protection legislation, which will give you certain rights that the privacy policy should make clear. For example, if the organization is located in an EU state or processes the personal data of people in the EU, the GDPR will apply most of the time.

Does the policy state what law governs the privacy policy? (For more on GDPR and US and UK regulations, see the legal FAQs below.)

2. What personal data do they collect?

Organizations can collect a range of personal information, from your name and address to your bank details and physical location.

Do they list the personal information they collect? Is the type and amount of data collected appropriate to the product or service you’re signing up for?

3. How do they collect your personal data?

There are two main ways organizations can collect your data:

  • You provide details when you sign up or place an order.
  • They use cookies or other tracking technology to track your purchases and browsing history, which can be used to build a more detailed profile of you to share with advertisers or data brokers.

Do they describe clearly how they collect the information, what cookies or other tracking technology they use, and how you can opt out of them? (They may direct you to a separate cookie notice.)

4. How do they use your personal data?

What they do with your data is sometimes called “processing” or “processing activities”. They should list what they’ll use your personal information for, such as:

  • Fulfilling your orders and managing your account
  • Contacting you about updates to their services
  • Emailing you about special offers for products or services

Do they spell out how they’ll use your data? Under the GDPR, marketing communications require your consent, so they should give you a simple way to opt in or out of marketing emails.

5. What are the legal grounds for using your personal data?

They should explain the “legal basis for processing” your data. Under the GDPR, the two most common are:

  • Legitimate interest: what most people would consider reasonable, such as to protect users or prevent fraud
  • Consent: when you explicitly agree to something, for example, to receive marketing emails

Do they state the legal basis for the different ways they use your data? If it’s your consent, do they explain how you can withdraw it if you change your mind?

6. Who do they share your personal data with?

Parties that can access your data are sometimes called “processors” and “sub-processors”. These may be service providers, like accountants or independent contractors; affiliates or subsidiaries of the company; or third-party advertisers or data brokers.

Do they specify who has access to your data? If they share your information with advertisers or data brokers to serve you “personalized” or “interest-based” ads, do they give you an easy way to opt out of this?

7. How will they secure your personal data?

A privacy notice should describe where they will store your data, whether they may transfer it abroad, and the security measures used to protect it.

Do they detail how and where they’ll store your data? Do they explain if and when your data will be encrypted? 

8. How long will they retain your personal data?

Organizations should retain your data for the shortest time possible. A privacy policy should explain how long they plan to keep your data, including any legal obligations that force them to keep it for a fixed time (for example, for tax or anti-fraud purposes).

Do they explain why and how long they’ll retain your data before deleting it?

9. Can you correct or delete your data?

A fundamental requirement of the GDPR is what’s known as the “right to be forgotten”: your right to access and delete your personal details.

Can you request your personal data from the organization and ask that it be corrected or permanently deleted at any time? Do they explain how to do that?

10. How will you know if they change the privacy policy?

Privacy policies should be updated regularly as products and circumstances change.

Do they say how they’ll let you know about changes to the policy and how you can opt out if you don’t accept them?

How to quickly review a privacy policy

Don’t try to read a privacy policy line by line. Skim through it to find the answers to the main questions above, using the section headers as a guide.

The easiest way to find the passages you need to read in more detail is to search the policy for the following keywords (press Control+F on a Windows or Linux computer or Command+F on a Mac):

  • share: Who do they share your personal data with and why?
  • third parties: What third parties — subcontractors, affiliates, advertising partners, and data brokers — have access to your data?
  • control: What control do you have over the data that is shared?
  • consent: Do they specify what sharing requires your approval? 
  • choice, opt out: What options do you have? How can you opt out of marketing emails and phone calls or stop sharing your data with third parties?
  • cookies: What cookies or other tracking technology do they use? Can you prevent third parties from placing cookies on your devices?
  • retain, correct, delete (or erase): Do you have the right to request your personal information and have it deleted? 
  • store, storage, encrypt: How securely will they store your data and for how long?
  • right: What are your rights, especially regarding data sharing and deletion?
  • contact: Who can you contact to complain about the handling of your data?
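The keyword skim described above, as an added Python example that is not part of the original article: it splits a policy into sentences, reports which of the article's keyword groups appear (so you can see at a glance which of the questions the policy never addresses), and counts the hedging words "may" and "might" that the article warns about. The keyword grouping and the sample policy text are constructed for this example.

```python
import re

# Keyword groups taken from the article's search list; the grouping is an assumption.
KEYWORDS = {
    "sharing": ["share", "third part"],
    "control/consent": ["control", "consent"],
    "opt-out": ["choice", "opt out", "opt-out"],
    "cookies": ["cookie"],
    "retention/deletion": ["retain", "correct", "delete", "erase"],
    "storage/security": ["store", "storage", "encrypt"],
    "rights": ["right"],
    "contact": ["contact"],
}

# Constructed sample policy text; not a real organization's notice.
SAMPLE_POLICY = (
    "We collect your name, email address and purchase history when you place an order. "
    "We may share your personal data with our advertising partners and other third parties. "
    "You may opt out of marketing emails at any time by clicking the unsubscribe link. "
    "We use cookies to measure how you use our site. "
    "We might retain your order records for up to seven years for tax purposes. "
    "We store your data on servers in the EU and encrypt it in transit. "
    "To exercise your rights, or to delete your account, contact privacy@example.com."
)


def scan_policy(text):
    """Return ({group: [sentences mentioning a keyword]}, count of 'may'/'might')."""
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]
    hits = {}
    for group, words in KEYWORDS.items():
        hits[group] = [s for s in sentences if any(w in s.lower() for w in words)]
    # Hedging language: each 'may' or 'might' is a promise the policy avoids making.
    hedges = sum(len(re.findall(r"\b(?:may|might)\b", s, re.I)) for s in sentences)
    return hits, hedges


def missing_topics(hits):
    """Keyword groups the policy never mentions, i.e. questions it leaves unanswered."""
    return [group for group, found in hits.items() if not found]


if __name__ == "__main__":
    hits, hedges = scan_policy(SAMPLE_POLICY)
    for group, found in hits.items():
        print(f"{group}: {len(found)} sentence(s)")
        for s in found:
            print("   -", s)
    print("unanswered:", missing_topics(hits))
    print("hedging words (may/might):", hedges)
```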

To help you decide, you can get a general overview of many companies’ privacy practices by searching on Terms of Service; Didn’t Read (ToS;DR).

To agree, or not to agree, that is your question

Now you’ve read or skimmed the privacy policy, here are some final thoughts before you decide whether to accept it.

First, don’t be fooled by false claims that “we do not sell your data”. While an organization may not directly sell your data, if they use personalized advertising, other companies will be able to pay for ads and get your personal information in return.

Second, beware of vague wording. If a company constantly talks about what it “may” or “might” do with your data, think twice about committing to an outfit that’s so cavalier about your privacy.

Finally, take a tip from Marc Løebekken, Head of Legal here at Proton, who has one golden rule when reading (or writing) a privacy policy: “Say what you do. Do what you say.”

Is the organization genuinely trying to explain what it does, updating its privacy policy regularly and living by it? Or do they have an old, opaque privacy notice and a history of dodgy data sharing and security breaches? If so, think again.

If you’re committed to taking back control of your personal data, you can also secure your email with our free encrypted Proton Mail. At Proton, our mission is to create ways for everyone to be secure online and in control of their information at all times, so join us. Together, we can build an internet where privacy is the default.


Privacy policy legal FAQs

What is the GDPR and how does it affect privacy policies?

The GDPR, short for General Data Protection Regulation, is the European Union’s data protection law, which came into force in 2018. It sets out how companies should protect and secure personal data, including requirements for privacy policies (see table below). Any organization that handles the personal data of people in the EU must comply with the GDPR, wherever the organization is in the world. For more details, see our Complete guide to GDPR compliance.

Does the US have a data protection law equivalent to the GDPR?

The US has no federal law equivalent to the GDPR, but individual states have started to pass similar data protection legislation, like the California Consumer Privacy Act. For more on US regulations, see the Complete Guide to Privacy Laws in the US.

Does the UK still apply the GDPR after Brexit?

Yes, the UK has retained the GDPR after Brexit in a domestic law known as the UK GDPR.

Check your rights: Main GDPR articles governing privacy policies

GDPR article | Title | Topics covered
Art. 5 | Principles relating to processing of personal data | Sets out the general principles: how your personal data should be processed transparently for specific, legitimate purposes and stored securely for a limited time.
Art. 6 | Lawfulness of processing | Explains the six grounds for processing your data legally, including “legitimate interest” and “consent”.
Art. 12 | Transparent information, communication and modalities for the exercise of the rights of the data subject [you] | Sets out the requirement for privacy policies, though it does not explicitly use the term: how an organization must explain its privacy practices “in a concise, transparent, intelligible and easily accessible form”.
Art. 13 | Information to be provided where personal data are collected from the data subject [you] | Describes what information an organization should give you when you submit personal details directly, for example, by filling in a form or placing an order.
Art. 14 | Information to be provided where personal data have not been obtained from the data subject [you] | Describes what information an organization should give you when it gathers details about you that you haven’t submitted directly, for example, by tracking your purchase history or browsing activity.
Art. 15 | Right of access by the data subject [you] | Your right to access personal data about you held by an organization and obtain a copy.
Art. 16 | Right to rectification | Your right to get an organization to correct the personal data about you that it holds.
Art. 17 | Right to erasure (“right to be forgotten”) | Your right to get an organization to permanently delete the personal data about you that it holds.
Art. 18 | Right to restriction of processing | Your right to restrict what an organization does with your personal data.
