What Do Privacy Policies (We've Actually Read) Really Say?

We have read and dissected the fine print of over a dozen online privacy policies, from major players like Google, Microsoft, Facebook and Amazon to newcomers like Cuil and Mint, in an effort to take a snapshot of the privacy rights we have today.

This is still a work in progress. In the meantime, here are the first four installments of the report in blog form.

What do privacy policies actually say?

April 24th, 2009 by Grace Meng
Last year, the Common Data Project started a project to survey and analyze the privacy policies of some of the largest, most visited Internet companies. Reading the policies was truly as painful as expected, horrifically boring and difficult to decipher. We found that many companies are as vague and wordy as they can be, which is surely no surprise to anyone interested in online privacy. So why did we do it?

Don’t take it personally: how “personal” information is defined in privacy policies

April 28th, 2009 by Grace Meng
Most privacy certification programs, like Truste, require that the privacy policy identify what kinds of personally identifiable information (PII) are being collected. It’s a requirement that’s meant to promote transparency—the user must be informed!

As a result, nearly every privacy policy we looked at included a long list of the types of information being collected. But who can process a long catalog of items? What popped out at me, after reading policy after policy, was the way so many of the companies we surveyed categorize the information they collect into 1) “personal information” that you provide, such as name and email address, often when you sign up for an account; and 2) cookie and log data, including IP address, browser type, browser language, web request, and page views.

When the first category is called “personal” information, the second category implicitly becomes “not-personal” information. But the queries we put into search engines—what could be more personal? How much could you learn about me, just looking at the history of things I’ve bought on Amazon, let alone the things I’ve Googled? What is an IP address if not a marker linking my computer to the actions I (and others) take on that computer?

Promises, promises: what information is being shared with third parties?

May 8th, 2009 by Grace Meng
If you read a bunch of privacy policies in a row, they all start to sound the same. They all seem to collect a whole lot of information from you, whether or not they call it “personal,” and they all seem to have similar reasons for doing so.

Data retention: are we missing the point?

May 12th, 2009 by Grace Meng
Data retention has been a controversial issue for many years, with American companies not measuring up to the European Union’s more stringent requirements. But for us at CDP, it obscures what’s really at stake and often confuses consumers.

Questions we asked of each company.

  1. What data collection is happening that is not covered by the privacy policy?
  2. How do they define “personal information”?
  3. What promises are being made about sharing information with third parties?
  4. What is their data retention policy and what does it say about their commitment to privacy?
  5. What privacy choices do they offer to the user?
  6. What input do users have into changes to the policy’s terms?
  7. To what extent do they share the data they collect with users and the public?
