What do privacy policies actually say?

Last year, the Common Data Project started a project to survey and analyze the privacy policies of some of the largest, most visited Internet companies. Reading the policies was truly as painful as expected, horrifically boring and difficult to decipher. We found that many companies are as vague and wordy as they can be, which is surely no surprise to anyone interested in online privacy. So why did we do it?CDP is committed to understanding and articulating a set of “best practices” for data collection and privacy protection. We don’t simply want to criticize companies for their obfuscation. We want to set forth standards that declare it is both possible and desirable to make privacy an integral part of data collection, and not just an afterthought.But what’s the status quo? What are major companies promising now? What language are they using, and what implications are there for the kind of privacy concerns people actually have?The first question we asked: What data collection is happening on the site that is not covered by the privacy policy?It might seem like an odd question. But the fact that there is data collection going on that’s not covered captures so much of what is confusing for people who are used to the bricks-and-mortar world. When you walk into your neighborhood grocery store, you might not be surprised that the owner is keeping track of what is popular, what is not, and what items people in the neighborhood seem to want. You would be surprised, though, if you found out that some of the people in the store who were asking questions of the customers didn’t work for the grocery store. You would be especially surprised if you asked the grocery store owner about it, and he said, “Oh those people? I take no responsibility for what they do.” (Even Walmart, master of business data, probably doesn't let third parties into its stores to do customer surveys that aren't on Walmart's behalf.)But in the online world, that happens all the time. I’m not talking about the fact that when you click on a link and leave a site, you will end up subject to new rules. I’m talking about data collection by third party advertisers that’s happening while you sit there, looking at that site. Companies rarely vouch for what these third party advertisers are doing. Some companies, such as AOL, Microsoft, Yahoo, Facebook, Amazon, and the New York Times Digital, will at least explicitly acknowledge there are third parties that use cookies on their sites with their own policies around data collection. The user is then directed to these third parties’ privacy policies, as New York Times Digital does here. (Note that some of these links are outdated, at least at the time of this post.)Google, in contrast, doesn’t mention third party advertisers on its privacy policy directly, alluding to the separate controls for opting out of their tracking on a separate page discussing advertising and privacy.Companies that don’t allow third party advertisers, like Craigslist, of course have no reason to declare this is happening.We live in a pretty topsy-turvy world. Let’s say you’re an ordinary user with some vague concerns about privacy. You’ve never read a privacy policy in your life (the way I never had until I started working with CDP), and you decide, oh, I’m going to read Yahoo’s privacy policy. And then you find out that you have to read several more policies if you really want to know who is collecting data from you, how, and for what. Can you imagine if the grocery store owner told you you had to go talk to six different people to understand what was being tracked in that store?We'll eventually publish a report summarizing our findings on our website, but we're going to keep rolling out these posts analyzing different aspects of online privacy policies. We'd love to hear what you think about our analysis, whether you agree or vehemently disagree. Tune in for more.