3. What promises are being made about sharing information with third parties?

In addition to listing the types of data collected from you, most privacy policies will also list the reasons for doing so. The most common are:

  • To provide services, including customer service
  • To operate the site/ensure technical functioning of the site
  • To customize content and advertising
  • To conduct research to improve services and develop new services.

They also list the circumstances in which data is shared with third parties, the most common being:

  • To provide information to subsidiaries or partners that perform services for the company
  • To respond to subpoenas, court orders, or legal process, or otherwise comply with law
  • To enforce terms of service
  • To detect or prevent fraud
  • To protect the rights, property, or safety of the company, its users, or the public
  • Upon merger or acquisition

Nearly every company strives to make these purposes and circumstances sound as standard and normal as possible. “Customize” advertising sounds a lot better than “targeted” advertising, as nobody wants to be a “target.” New York Times Digital even assures its readers that print subscribers’ information will be sold to “reputable companies” that offer marketing info or products through direct mail.

They do also admit that they share information with third parties, but as inoffensively as possible. Most of the policies we read began their discussion of information-sharing with a declaration that they don’t share information with third parties, with the following exceptions. Yahoo states, “Yahoo! does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you've requested, when we have your permission, or under the following circumstances.” Microsoft similarly promises, “Except as described in this statement, we will not disclose your personal information outside of Microsoft and its controlled subsidiaries and affiliates without your consent.” Google’s construction is slightly different, but when it states the circumstances in which it shares information, the first circumstance is, “We have your consent. We require opt-in consent for the sharing of any sensitive personal information.”

The crucial issue, then, is how “personal information” is defined. And as discussed earlier, the definition of “personal information” varies widely from company to company. When the definition can vary so much, the promise not to share “personal information” isn’t an easy one to understand.

For example, Google promises not to share “sensitive personal information,” defining it as “information we know to be related to confidential medical information, racial or ethnic origins, political or religious beliefs or sexuality and tied to personal information.” Does that mean that a user’s search queries for B-list celebrities are fair game to Google? Given the varying definitions of “personal” that are used, the strong declaration that “personal information” will generally not be shared is not, ultimately, a very comforting one.

At the same time, many of these companies admit that they will share “aggregate” or “anonymous” information collected from you. But they don’t explain what they’ve done to make that information “anonymous.” As we know from AOL’s experience, a company’s promise that information has been made anonymous is no guarantee that it’ll stay anonymous.

In this context, Ask Network, in contrast, explicitly lists what it is sharing with third parties, so you don’t have to figure out what they consider personal and not personal: (a) your Internet Protocol (IP) address; (b) the address of the last URL you visited prior to clicking through to the Site; (c) your browser and platform type (e.g., a Netscape browser on a Macintosh platform); (d) your browser language; (e) the data in any undeleted cookies that your browser previously accepted from us; and (f) the search queries you submit. For example, when you submit a query, we transmit it (and some of the related information described above) to our paid listing providers in order to obtain relevant advertising to display in response to your query. We may merge information about you into group data, which may then be shared on an aggregated basis with our advertisers.

Ask Network also goes on to promise that that third-parties will not be allowed to “make” the information personal, explicitly acknowledging that the difference between personal and not-personal is not a hard, bright line.

For us at CDP, the issue isn’t whether IP addresses are included in the “personal information” category or not. What we really want to see are honest, meaningful promises about user privacy. We would like to see organizations offer choices to users about how specific pieces of data about them are stored and shared, rather than simply make broad promises about “personal information,” as defined by that company.

It may turn out that “personal” and “anonymous” are categories that are so difficult to define, we’ll have to come up with new terminology that is more descriptive and informative.

Or companies will end up having to do what Wikipedia does: simply state that it "cannot guarantee that user information will remain private."

Questions we asked of each company.

  1. What data collection is happening that is not covered by the privacy policy?
  2. How do they define “personal information”?
  3. What promises are being made about sharing information with third parties?
  4. What is their data retention policy and what does it say about their commitment to privacy?
  5. What privacy choices do they offer to the user?
  6. What input do users have into changes to the policy’s terms?
  7. To what extent does they share the data they collect with users and the public?

Introduction / Conclusion / Preview Blog Posts