1. What data collection is happening that is not covered by the privacy policy?

This first question might seem like an odd one. But the fact that there is data collection going on that’s not covered by the “privacy policy” captures so much of what is confusing for users who are used to the bricks-and-mortar world.

When you walk into your neighborhood grocery store, you might not be surprised that the owner is keeping track of what is popular, what is not, and what items people in the neighborhood seem to want. You would be surprised, though, if you found out that some of the people in the store who were asking questions of the customers didn’t work for the grocery store.

You would be especially surprised if you asked the grocery store owner about it, and he said, “Oh those people? I take no responsibility for what they do.”

Even Walmart, "The Godfather" of business data, probably doesn’t let third parties into its stores to do customer surveys that aren’t on Walmart’s behalf.

But in the online world, that happens all the time. Obviously, when a user clicks on a link and leaves a site, he or she ends up subject to new rules. But even when a user doesn’t leave a site, there’s data collection by third party advertisers that’s happening while you sit there. Companies rarely vouch for what these third party advertisers are doing. Some companies, such as AOL, Microsoft, Yahoo, Facebook, Amazon, and the New York Times Digital, will at least explicitly acknowledge there are third parties that use cookies on their sites with their own policies around data collection. The user is then directed to these third parties’ privacy policies. (Note that in the case of New York Times Digital, some of these links are outdated, at least at the time of writing.)

Google, in contrast, doesn’t mention third party advertisers on the “privacy policy,” alluding to the separate controls for opting out of their tracking on a separate page discussing advertising and privacy.

Companies that don’t allow third party advertisers, like Craigslist, of course have no reason to declare this is happening. But most companies do allow third party advertisers. So an ordinary user with some vague concerns about privacy could decide to finally sit down and read a privacy policy, and then find out that he or she has to read several more policies to really understand who is collecting data, how, and for what. This is an incredible shift from the average user’s realm of experience—what grocery store owner would tell a customer to go talk to six different people to understand what was being tracked in that store?

On a related note, many companies have a separate “Terms of Use” which should also be read if a user wants to fully understand his or her rights. For example, when Facebook recently tried to change its terms of use to change its rights to member-generated content, the terms it wanted to change were not in its privacy policy. Yet the privacy of Facebook members was certainly being implicated. So in addition to the various privacy policies that apply to every link, third-party ad, and the site itself, the user must read the terms of use as well.

Questions we asked of each company.

  1. What data collection is happening that is not covered by the privacy policy?
  2. How do they define “personal information”?
  3. What promises are being made about sharing information with third parties?
  4. What is their data retention policy and what does it say about their commitment to privacy?
  5. What privacy choices do they offer to the user?
  6. What input do users have into changes to the policy’s terms?
  7. To what extent does they share the data they collect with users and the public?

Introduction / Conclusion / Preview Blog Posts