How To Read A Privacy Policy

A close reading of 15 online privacy policies as of June 2009

The Common Data Project was created to encourage and enable the disclosure of personal data for public re-use through the creation of a technology and legal framework for anonymized data-sharing. Specifically, we think that means creating a new kind of institution called a datatrust, which is exactly what it sounds like: a trusted place to store and share sensitive, personal data.

So why are we spending a lot of time parsing the legalese of some excruciatingly long privacy statements?

We know that having an easy-to-understand, clear-cut privacy policy is critical to the viability of a datatrust. And we felt the first step in figuring out what constitutes an easy-to-understand, clear-cut privacy policy would be to look at what privacy policies are promising today.

We realize that most users of online services have not and never will read the privacy policies so carefully crafted by teams of lawyers at Google and Microsoft.

And having read all of these documents (many times over), we're not convinced that anyone should read them, other than to confirm what you probably already know: A lot of data is being collected about you, and it's not really clear who gets to use that data, for what purpose, for how long, or whether any or all of it can eventually be connected back to you.

Yet people continue to use Google, Microsoft, Yahoo and more without giving much thought to the privacy implications of giving up their data to these companies.

We at the Common Data Project know that for a datatrust to function properly, we can’t rely on people to simply look the other way, nor do we want them to.

Data collection for Google and Microsoft users is incidental. People go to google.com to search, not to give data. As long as they have a good search experience, the data collection is largely out of sight, out of mind.

A datatrust, on the other hand, will be a service explicitly designed around giving and sharing data. We know that to convince the public that the datatrust can indeed be trusted, a clear privacy story is absolutely necessary.

Below you will find a guided tour of privacy policies for 15 online services, from established players like Google, Yahoo! and Microsoft to major retailers like Amazon and eBay, and from Web 2.0 starlets like Facebook to aspiring start-ups hoping to compete on superior privacy guarantees. Our goal was to identify when these policies were ambiguous or simply confusing.

Companies Surveyed

The policies analyzed by CDP include those of the companies and organizations listed below. They were picked for being among the most trafficked sites, as well as for providing a range of services online.

Privacy is not exclusively an online issue, even though the companies surveyed here all operate online. Many of the largest data breaches in the last ten years have involved companies and agencies that actually operate exclusively offline, and the question of how to manage, store, and share large amounts of information is an important question for almost every business today. But we chose to focus on online businesses and organizations because they have been among the most visible in illustrating the dangers, as well as the advantages, of being able to amass great quantities of data.

Here is a quick visual of how their respective privacy policies stack up next to each other, literally.

[Figure: privacy policy visualization]

Questions we asked of each company.

  1. What data collection is happening that is not covered by the privacy policy?

  2. How do they define “personal information”?

  3. What promises are being made about sharing information with third parties?

  4. What is their data retention policy and what does it say about their commitment to privacy?

  5. What privacy choices do they offer to the user?

  6. What input do users have into changes to the policy’s terms?

  7. To what extent do they share the data they collect with users and the public?

Read remainder of paper (PDF)