How to read a privacy policy and what to look for


At Help Desk, we read privacy policies so you don’t have to.

What if you really wanted to?

We do our best to review the privacy practices of the apps, websites, and devices you use most. Recently, we did extensive research on tax software, hospital registration programs, and mobile carriers. But keeping track of companies’ privacy habits is an uphill battle. Last month, personal tech columnist Geoffrey A. Fowler tried to read the privacy policies of all the apps on his phone. They added up to 1 million words – twice the length of “War and Peace”.

This week, a Help Desk reader wrote in asking for advice on how to scan a privacy policy for the most important points and quickly assess a company’s commitment to keeping her data secure. This way, she can rate the apps and sites she uses herself rather than waiting for someone else to do it.

Jen Caltrider, lead researcher at *Privacy Not Included — a rating system for apps and gadgets from the nonprofit Mozilla Foundation — unpacks privacy policies for a living, she said, and she has a bunch of tips. I’ve read quite a few privacy policies, and I always start with the same checks.

Keep in mind: We don’t need to become experts in the intricacies of long and confusing legal documents to earn our right to confidentiality. The burden of privacy should fall on the companies that build the technology — not the people using it, privacy advocates say.

“If you’re reading a privacy policy and feeling lost and confused, you’re not alone,” Caltrider said. “These documents are written by lawyers for lawyers. They confuse me and I read them all the time.”

That said, here is your official guide to browsing privacy policies. If your eyeballs start bleeding, feel free to email me and we can sympathize.

The first step in evaluating a privacy policy is to find it, and unfortunately, companies don’t always make it easy.

For apps, the easiest way is to find their listing in the Apple or Google app store and follow the link to the developer’s privacy policy. For websites, look at the bottom of the web page for a small linked text that says “privacy” or “privacy policy.”

At this point, you might be tempted to rely solely on the privacy label that Apple or Google displays. Despite the good intentions and easy-to-read format, these labels are unreliable, Caltrider said. Information is self-reported by companies and labels are not always accurate. For example, my investigation of the LiveIn and Locket Widget photo-sharing widgets revealed that LiveIn’s label in the Apple App Store did not reveal that it collects data to track you. (This was later corrected.)

For connected devices, check the developer’s website and make sure the policy you read actually applies to the device you have, Caltrider said. For example, Amazon has a privacy policy easily found at the bottom of its website, but there are separate FAQ pages for devices like Echo Show and Kindle. (Amazon founder Jeff Bezos owns The Washington Post.)

If you can’t find the privacy policy, the company might not want you to read it. It’s a red flag.

Check what the company collects

The first part of most privacy policies describes what data the company collects from you. Scan this section for anything that seems off. You might not be surprised if the company collects the email address you signed up with, for example, but if it collects your precise location or audio from your phone’s microphone, it’s worth taking a pause. Ask yourself: does this technology collect information without a specific purpose?

Now it’s time to break out your keyword search and look for common offenders. (On a computer, use CTRL+F. On a smartphone, your browser app may have a “Find on Page” feature in its menu.)

First, search for “sell”. Will this company sell your data to third parties?

If it says it won’t, then search for “affiliates” and “partners”. Companies love to brag about not selling your data when they generously share it with third parties. Does this company make room to share your data with “affiliated companies” or “partners”? Does it list who these entities are?

If a business says it shares data internally, take a moment to think about the scope of its business group. For example, Hinge’s privacy policy states that the dating app’s affiliates include the entire Match Group family of companies – which included around 45 companies in 2018. Facebook’s parent company Meta, for its part, states: “Meta Products shares information with other Meta Enterprises.” Meta products and companies include Facebook, Instagram, WhatsApp, Messenger, Portal, Meta Quest and others.

Finally, search for “advertisement”. If this company is selling or sharing your data, is it to target you with ads? Sometimes companies cleverly avoid the words “targeted advertising” by saying that they use your data to “personalize” or “improve” the service or to ensure that the content you see is “interest-based”, so search for those terms as well.

Speaking of fancy linguistic footwork, pay attention to terms like “may” and “for example.” If a company “may” share your data with third parties, “for example” to check for security threats, there are likely more shady data-sharing examples it declined to name, Caltrider said.
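If you would rather not CTRL+F term by term, the keyword checks above can be run in one pass. The script below is an added example, not part of the original article or any tool Caltrider describes; the flag names and the sample policy text are made up for illustration, and the output is only a pointer to sentences worth reading in full.

```python
import re

# Search terms from the article's checklist, grouped by what they reveal.
CHECKS = {
    "sale": re.compile(r"\b(?:sell\w*|sold|sale)\b", re.I),
    "sharing": re.compile(r"\b(?:affiliate\w*|partner\w*)\b", re.I),
    "ads": re.compile(r"\b(?:advertis\w*|personali[sz]\w*|improv\w*|interest-based)\b", re.I),
    "hedge": re.compile(r"\b(?:may|for example)\b", re.I),
}
# Crude negation test: good enough for triage, not a substitute for reading.
NEGATION = re.compile(r"\b(?:not|never|don['’]t|won['’]t)\b", re.I)

# Constructed sample text, not taken from any real company's policy.
SAMPLE_POLICY = (
    "We collect your email address and precise location. "
    "We do not sell your personal information. "
    "We may share your data with our affiliates and partners, "
    "for example to detect security threats. "
    "We use your information to personalize content and show interest-based offers."
)

def scan_policy(text):
    """Map each checklist category to the sentences that mention it."""
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]
    return {name: [s for s in sentences if rx.search(s)] for name, rx in CHECKS.items()}

def red_flags(text):
    """Apply the checks in the article's order; returns a list of flag names."""
    hits = scan_policy(text)
    flags = []
    denies_sale = any(NEGATION.search(s) for s in hits["sale"])
    if hits["sale"] and not denies_sale:
        flags.append("sale-not-ruled-out")
    if denies_sale and hits["sharing"]:
        # "We don't sell your data" alongside sharing with affiliates or partners.
        flags.append("no-sale-but-shares")
    if hits["ads"]:
        flags.append("ad-or-personalization-language")
    if any(CHECKS["hedge"].search(s) for s in hits["sharing"]):
        flags.append("hedged-sharing")
    return flags

if __name__ == "__main__":
    for name, sentences in scan_policy(SAMPLE_POLICY).items():
        for s in sentences:
            print(f"[{name}] {s}")
    print("flags:", red_flags(SAMPLE_POLICY))
```
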

If that sounds weird to you, it probably is.

Caltrider said she’s always suspicious if a privacy policy is really short or long. Too short means the developers haven’t given the policy much thought. (For example, after calling out LiveIn and Locket Widget for apparently failing to disclose data sharing in their policies, both added new sections that made their policies more comprehensive.)

A super long policy, on the other hand, means “the lawyers really got into trying to cover [themselves] with many words,” Caltrider said.

Likewise, if the policy sounds too good to be true, it might be, at least when it’s written in a user-friendly format by corporate communications professionals. If you’re navigating your way through a fun privacy game or a beautifully rendered “privacy center,” beware of vague language, Caltrider advised.

Finally, know your rights. If you live in California or the European Union, you have additional privacy protections that many policies describe in a separate section at the bottom.

Just kidding – reading privacy policies is never fun. But some companies are going the extra mile to make their policies clear and readable, Caltrider noted. If you find one, send it to us so we can congratulate you. Caltrider’s preferred privacy policy comes from Wysa, a mental health chatbot, she said. Indeed, this policy is exceptionally transparent and a good model when doing your own comparisons.

Lance B. Holton