What information does this application/service collect and how do they use it?
This post aims to answer that question and help you become familiar with the process of researching a service or application, what to look for, and why it's important.
It should be said that privacy policies are not the end all, be all document and should still be taken with a bit of skepticism. Almost daily it seems that we see companies skirt accountability when it comes to privacy, typically claiming "accidents" or "bugs" or use vague language to leave things open to interpretation. However, reading their policy is still crucial for a better understanding of what data is being collected and how it's being used.
Privacy policies continue to have a persistent stigma of being dense, comprised of nothing but legal jargon, and overall difficult to understand. This was true a decade ago when they were hilariously long and intentionally as convoluted as possible.
Fast forward ten years and policies are easier to read than ever. Thanks to the launch GDRP, everyone is required to tell individuals about how they process your data in a way that is easily accessible, easy to understand, and in clear and plain language.
Thanks to the requirements set into motion by Google and Apple, it's just as easy to vet apps on your phone before you download them.
What to look for
Now that we've found the policy, let's review what we're actually looking for.
- What data do they collect
- How do they use our data
- Who they share our data with
- How long do they keep our data
Luckily, these sections are labeled accordingly, generally grouped together, and follow the same general structure regardless of site or service. Realistically, we can expect the entire process to take around five minutes or less once you've read a few because you'll begin to recognize patterns and be able to pick out the pertinent information quickly.
Let's dive in.
What they collect
This is typically titled What We Collect or Information We Collect About You. In this section we'll find the type of information they collect about us, both what we give voluntarily (e.g. our name, email address, username, etc) and what's collected automatically (e.g. our IP address, OS, browser, device info, etc). In some cases, companies will collect information from outside parties, such as advertisers, social media platforms, and data brokers to merge with the data they have about you to further bulk up your profile.
The breakdown in this section isn't all inclusive so even though it may list some specific examples, always consider the pieces that aren't listed but would make sense that they're gathering. For example, a personal finance app might not explicitly say they're collecting the name of the banks and financial accounts we're linking to it but it's safe to assume they're grabbing it.
How they use your data
This is where they'll tell us how they use our information and why they do so. Sometimes this is grouped in with the What We Collect section and other times it's sitting under the aptly named header How We Use Information About You.
Continuing a theme from the previous section, we need to consider not only what they do say but how they say it and what they omit. After all, this is a legal document created by lawyers who are precise with their words.
For example, the personal finance and budgeting software 'You Need A Budget' states that they never sell our data but that doesn't mean they don't share it. It's quite common to see companies proclaim they would never sell our data under any circumstance but it leaves a convenient hole for them to share it on a whim.
Who they share it with
This section can be found under a variation of How Your Information Is Shared, Data Sharing, or When We Share Information About You.
Similar to how they collect and use our data, we have to not only take what they say at face value but consider what they aren't saying here as well (I'm sure you see a reoccurring pattern here). This is also the section that's the most vague. Often we'll find that they share data with their "partners" or "affiliates" but will fail to list specific companies or entities.
Some common third parties to see here are advertising, analytical, and/or marketing partners, affiliates, contractors, and vendors as part of these lists. Some of these partners are needed for the service to function correctly. For example, if you have to pay for something and you use PayPal to do it, it's natural that some information will be shared with PayPal. Others, such as analytical and marketing partners, are generally doing nothing more than taking your data, analyzing it, and building profiles to be able to directly target you and others and to pass along.
Some companies, such as Google, will claim they only keep the data inside their company or network except for certain situations (generally legal related). This makes it seem like they're fighting the good fight and keeping it to themselves, which they do, until you realize that Google isn't just Google anymore but a continually growing list of companies such as Nest, Android, Waymo, Jigsaw, Calico, Deep Mind, and many more.
Keep in mind that we have no way to verify if anything is actually deleted after the amount of time passes. Even with the GDPR, nobody goes back to these companies to verify deletion after we request to have our data expunged. Always assume that any information we give a company or service will be kept, in some form, indefinitely.
Want to join the discussion? Check out this post, and others, over at the CupWire subreddit and leave a comment.