How to Quickly Get to the Important Truth Inside Any Privacy Policy
By Jon Keegan and Jesse Woo
August 3, 2023 08:00 ET
An investigative data journalist and a former tech lawyer teach you how to spot tricks and hidden disclosures within these interminable documents—and even how to claw back some privacy
Privacy policies are horrible. They are too long, impenetrable, and full of legalese that amounts to a take-it-or-leave-it offer. But the privacy policy is one of the only places where tech companies have to tell us the truth—the truth about what personal data they are collecting, how they share and profit from that data, and at a deeper level, what sort of trade we’re making when we choose to use their apps or platforms.
They follow a predictable structure, meaning you can learn to navigate them, spotting key sections and passages from a safe skimming height, swooping down only to extract the juiciest morsels of information or to leverage an opportunity to opt out of certain collection (or to opt in to deeper, more personalized disclosure).
We can teach you how to do that. Drawing from our shared experience—Jon as a reporter who has read hundreds of these documents in the course of his reporting, and Jesse, an intern with us who also happens to be an attorney who has helped write dozens of privacy policies himself—we have some tips we want to share with you about what to look out for. We also asked some privacy experts to weigh in and share their advice with our readers.
Below you’ll find a detailed description of what to look out for. We realize it’s a lot to get through, so we’ve placed 👀 emojis next to key concepts. If you want to dig in further, we’ve included plenty of description about each. We also outlined three case studies—on GasBuddy, Epic Games, and Temu—that will give you some further details based on real-world examples.
Anatomy of a privacy policy
Privacy policies usually follow a predictable structure
Here’s what you should pay attention to
A privacy policy can lay out a lot of important information that you cannot find anywhere else. Here’s a breakdown of the most useful details contained in most policies, and how to find them.
What information are they collecting?
👀 Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.
It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.
Location, location, location
In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.
👀 Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”
Why are they collecting this information, and how do they use it?
👀 Look for a title like “How we use your personal information.” This section represents the company’s explanation for why they need your data in the first place. Sometimes it is pretty straightforward. It’s reasonable for an app to need your payment information to process a transaction or to access your location to give you driving directions, for example. But pay close attention when it is less obvious why a particular category of personal data is being collected. For example, why would a recipe app need your location? Also, be on the lookout for vague and overly broad reasons such as “business activities” and “business purposes,” which can hint at sharing you might not be comfortable with. This may be combined with the section describing the information they collect. Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), said to take any examples provided in this section with a big lump of salt. “In many cases, the ‘for example’ will point out a relatively expected or benign use and distract from other more intrusive potential uses. Those other uses wouldn’t violate the Privacy Policy because they never claimed the example was the only use type,” explained Schroeder.
Why sharing to “business partners” is more worrisome than to “service providers”
👀 Look for a section about third parties your data is sold to or otherwise shared with. You might see references to “service providers,” which are usually just the third parties that process data as needed for the app to function. But look out for mentions of “business partners.” Do they combine or enrich your data with information collected from other “partners”? This is a red flag that you are being profiled. If you’re really lucky, you might find a policy that actually identifies some of those partners. (These could be advertising firms, data brokers, or affiliates.) And usually if another partner is listed, policies will inform you that you are also subject to the partners’ privacy policies, which it seems you are expected to read. It’s up to you to decide how far down the rabbit hole you want to go.
Anonymization/aggregation might not be as good as it sounds
Sometimes a company might say that any data it shares has all identifying information removed.
👀 Its privacy policy might use terms like “de-identified” data in addition to “anonymous” or “aggregated” data. This sounds as if it makes information sharing more private, but there has been a great deal of research showing that it is possible and in some cases quite easy to re-identify personal data even after it has been masked or combined. It doesn’t matter if a company anonymizes your data if its “business partners” are just going to undo that work when they get it.
Code words for “ad targeting”
👀 When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.