Language
Here’s What You’re Actually Agreeing To When You Accept a Privacy Policy

News

HomeHome / News / Here’s What You’re Actually Agreeing To When You Accept a Privacy Policy
search
RECENT NEWS

Jul 25, 2023

Southern Command: Russian logistics severely impacted by attacks on Crimean bridges

Aug 06, 2023

Teamsters celebrate NLRB decision on STG Logistics, see path to greater unionization

Jul 05, 2023

Internet Providers That Won FCC Grants Try To Escape Broadband Commitments

Jul 07, 2023

Naval Ship Maintenance, Repair, and Overhaul (MRO) Market 2023 Trends

Jun 19, 2023

Norden Invests in Biofuel Company to Build Future Fuel Supply

SEND YOUR INQUIRY
SUBMIT

Mar 30, 2024

Here’s What You’re Actually Agreeing To When You Accept a Privacy Policy

Published April 14, 2023 Thorin Klosowski Share this post Almost every new app or product that is connected to the internet forces you to accept a long, indecipherable privacy policy in order to use

Published April 14, 2023

Thorin Klosowski

Share this post

Almost every new app or product that is connected to the internet forces you to accept a long, indecipherable privacy policy in order to use it. These documents outline the company’s data-collection practices. But what exactly are you agreeing to when you accept?

“Privacy policies are fundamentally an announcement of the ways a company that is providing you a product or service might collect, use, and transfer your data,” said John Davisson, director of litigation for the Electronic Privacy Information Center (EPIC). “How specific they are about those different categories of activities is going to depend on how much the company wants to disclose.” A privacy policy can change slightly based on the jurisdiction, but ultimately “it’s largely up to the company what goes in there,” Davisson said. A privacy policy is there to tell you that a company can or may share your data. It is not required to ask if you’re cool with that.

The phrase “privacy policy” can easily be misunderstood to mean that a company has a policy of protecting your privacy. But according to Jennifer King, a privacy and data policy fellow at the Stanford Institute for Human Centered Artificial Intelligence, that isn’t the case. “They have to tell you what they’re doing,” King said, “but there’s nothing about them that promises any privacy.” Some companies have taken to calling these statements “privacy notices” or “privacy statements.”

The United States has no national privacy law, so in the majority of states there are no requirements outlining what a privacy policy must include. There are also no limits on the amount of data a company can collect, and no rules about how the company uses that data, as long as it gives you a notice about it first. Such notices describing how data is collected, used, and shared constitute the bulk of most privacy policies.

Large companies that operate around the world have to comply with standards established in Europe under the General Data Protection Regulation (GDPR). But that hasn’t necessarily made a significant dent in how privacy policies are structured in the US. They’re not what we would call readable or understandable for most people, because they’re written by and for lawyers.

That’s not to say that privacy policies in the US are totally toothless. These notices have to be truthful, which is how cases like the 2022 Federal Trade Commission fine against Twitter crop up: The social media company was caught using phone numbers collected for two-factor authentication for advertising purposes, contradicting its privacy policy, and had to pay a $150 million penalty. The FTC has only so many resources, though, and smaller companies in particular don’t undergo much scrutiny.

All of this means it’s still mostly up to individuals to try to comprehend privacy policies as best they can.

Privacy policies tend to be impenetrable walls of text that are incomprehensible for anyone without a law degree.

“Companies are not interested in disclosing in clear terms what information they’re collecting from you, how they’re using it, or whether they’re going to transfer it,” Davisson said. “You might reasonably think as a consumer that it is intended for your benefit, but that is typically not how a company sees it. This is a way of defining what they can do with your information in the broadest possible terms they can get away with.”

This practice isn’t always nefarious—privacy policies are simply difficult to write, especially when you factor in the variety of jurisdictions that many companies operate in and the sheer amount of data that a company collects (which is a separate but different problem).

Policies are also about protecting the company from litigation, according to privacy attorney Whitney Merrill. “The more specific you are, the greater the risk that an accident can turn into an FTC case,” Merrill said. “So there’s this idea that, potentially, you want to be overly inclusive and broad.”

Privacy policies can cover everything a company makes, including the products, the marketing website, the apps, and sometimes even what data the company collects from job applicants. This broad scope makes the company’s privacy policy worthless if you’re just trying to figure out what it’s doing with, say, the data it collects from your smart scale.

You’ll encounter some exceptions, of course. For example, Garmin does a good job of differentiating its various product privacy policies, which is important since the company sells everything from marine-navigation equipment to fitness trackers.

And there’s nothing stopping companies from making privacy policies more readable. Malwarebytes’s privacy policy, for example, manages to include both legalese and simpler language, and Automattic puts the most important details up top, making everything easier to understand at a glance.

Privacy policies are so dense that it’s no surprise most people merely skim them. As you’re reviewing a policy, however, there are a few aspects in particular to watch out for, namely the sharing or sale of data, which can lead to unexpected consequences (such as when private groups buy location data); the collection of biometric information, such as health data or photos; and law enforcement disclosures. Nearly every company’s privacy policy includes a note stating that it will respond to valid subpoena requests, possibly handing over your data without your knowledge. All of these details are important, though in the case of the sale of data, it’s often impossible to discern whether a policy is talking about the website you’re reading the policy on, which is built for the sole purpose of marketing, or the product (or app) itself.

Two specific red-flag phrases warrant your attention: “improve products and services” and “mergers or acquisitions.”

Without any specific details, the phrase “improve products and services” can mean basically anything, Merrill told us. This term covers mostly harmless information, such as bug reports or metrics about whether anyone is clicking a certain button. But “improve products and services” could also include the training of artificial intelligence or machine learning. For example, photos that you submit to a service could train a facial-recognition program, or video footage from a security camera might be used to train the software to better distinguish between a cardboard box and a person. We weren’t able to find a good example of a privacy policy that clearly stated when a company used data for either artificial intelligence or machine learning training. Instead, such data use is bundled into “improving products and services” as “a way to paint that use as this eternally improving cycle of how we make everything better,” Stanford’s Jennifer King said.

Then there’s the matter of how a company handles data transfers when another company purchases it. Typically the new owner gets all the data that the acquired company collected over the years, which means you’re suddenly using a product from a company that you may not like or feel comfortable with. For example, Tile owners may have been uneasy when the Bluetooth tracker manufacturer was purchased by Life360, and Fitbit users may not have wanted to own a device made by Google.

Such privacy issues are most clearly apparent with robot vacuum company iRobot, which Amazon is in the process of acquiring. Recently, MIT Technology Review found that iRobot was sharing beta testers’ data—including images captured by the robot vacuum’s camera—with third-party contractors to train its AI. That data may soon be owned by Amazon if the deal goes through.

Companies can also choose to highlight their privacy or security practices on separate pages in simple language, which is preferable.

Notable companies that offer easy-to-understand privacy disclosures include Apple, Arlo, and Zoom. Though all these companies still have traditional privacy notices, they also include landing pages that explain the general vision of how the company approaches privacy—and your data—in a way that is significantly more readable than most policies. These statements are as binding as any policy is: “If they represent to a consumer, even outside of a formal privacy policy, that they won’t sell your data to third parties, or won’t collect biometric information, and it turns out they have done that, that is a classic deceptive trade practice,” Davisson said.

This notion also applies to interviews with journalists—which is why Wirecutter sends companies a Q&A survey regarding their data practices—as well as to company blog posts or what a company lists on its Apple App Store privacy label or Google Play data-safety label (though a recent Mozilla study showed that few apps in the Google Play Store had data-safety labels that accurately reflected information in the company’s privacy policy).

When you are offered ways to opt out of data collection, take them. On your iPhone, for example, you can ask apps not to track your activity across your phone. Android offers a similar though less-powerful built-in feature, but you can get even stronger privacy protections than Apple offers by using a third-party Android app from DuckDuckGo. We have tips for protecting privacy in your desktop web browser, as well. On devices that connect to the internet, take some time to poke around the settings to disable any data collection if you can. For devices with companion apps, review the app permissions and disable them if necessary, especially location, which apps often ask for but rarely need. If you’re in California, Colorado, Connecticut, Virginia, or Utah, you have the right to ask companies (PDF) to delete or not share your information, though the scope of how that works varies in each state. You can also opt out from data-broker lists, and it’s worthwhile to check out tools such as Consumer Reports’s Permission Slip app, which can automate some of that process for free. You can also contact any company via email to ask questions about its privacy policy.

Without a privacy law that puts guardrails on the way companies collect, use, and share data, searching privacy policies for red flags and opting out of data collection wherever you can are the best possible (though imperfect) ways for you to safeguard your privacy.

This article was edited by Arthur Gies and Caitlin McGarry.

by Thorin Klosowski

Follow these simple steps to lock down your devices and accounts and take back some control over who has access to your data.

by Thorin Klosowski

Digital privacy laws help control how your data is stored, shared, and used by big businesses—but those protections vary wildly depending on where you live.

by Thorin Klosowski

A few simple things to at least prevent the worst problems and keep most of your private information as safe as possible from hacks or security negligence.

by David Huerta and Yael Grauer

A virtual private network (VPN) is a useful way to improve security or privacy in certain situations, but it’s difficult to find one that’s trustworthy.