Privacy Policies

What information does this application/service collect and how do they use it?

This post aims to answer that question and help you become familiar with the process of researching a service or application, what to look for, and why it's important.

It should be said that privacy policies are not the end-all, be-all document and should still be taken with a bit of skepticism. Almost daily, it seems, we see companies skirt accountability when it comes to privacy, typically claiming "accidents" or "bugs" or using vague language to leave things open to interpretation. However, reading their policy is still crucial for a better understanding of what data is being collected and how it's being used.

Finding the privacy policy

Privacy policies continue to have a persistent stigma of being dense, comprised of nothing but legal jargon, and overall difficult to understand.  This was true a decade ago when they were hilariously long and intentionally as convoluted as possible.  

Fast forward ten years and policies are easier to read than ever. Thanks to the launch of GDPR, everyone is required to tell individuals how their data is processed in a way that is easily accessible, easy to understand, and written in clear and plain language.

Most websites follow the unspoken rule of having their privacy policy at the bottom of the page, sitting in the footer under its own "Privacy" section.  Other labels it might be under are Terms of Service, Terms of Use, Privacy Center, and occasionally, Security.

Example of privacy policy and ToS labels in the footer of a website

Thanks to the requirements set into motion by Google and Apple, it's just as easy to vet apps on your phone before you download them.

Google said they would remove apps that don't have a privacy policy in early 2017 and put guidelines in place saying developers must disclose what data the app collects, how it's used, and who it's shared with.

Back in October 2018, Apple changed its guidelines to require all new applications to have a privacy policy in tow or else be rejected from the store.

What to look for

Now that we've found the policy, let's review what we're actually looking for.

  1. What data they collect
  2. How they use our data
  3. Who they share our data with
  4. How long they keep our data

Luckily, these sections are labeled accordingly, generally grouped together, and follow the same general structure regardless of site or service. Realistically, we can expect the entire process to take around five minutes or less once you've read a few because you'll begin to recognize patterns and be able to pick out the pertinent information quickly.

Let's dive in.

What they collect

This is typically titled "What We Collect" or "Information We Collect About You". In this section we'll find the type of information they collect about us, both what we give voluntarily (e.g. our name, email address, username, etc.) and what's collected automatically (e.g. our IP address, OS, browser, device info, etc.). In some cases, companies will collect information from outside parties, such as advertisers, social media platforms, and data brokers, and merge it with the data they already have about you to further bulk up your profile.

Example of what information Reddit collects

The breakdown in this section isn't all-inclusive, so even though it may list some specific examples, always consider the pieces that aren't listed but that it would make sense for them to gather. For example, a personal finance app might not explicitly say they're collecting the names of the banks and financial accounts we're linking to it, but it's safe to assume they're grabbing them.

How they use your data

This is where they'll tell us how they use our information and why they do so. Sometimes this is grouped in with the "What We Collect" section and other times it's sitting under the aptly named header "How We Use Information About You".

How Reddit uses the information they collect

Continuing a theme from the previous section, we need to consider not only what they do say but how they say it and what they omit.  After all, this is a legal document created by lawyers who are precise with their words.

For example, the personal finance and budgeting software 'You Need A Budget' states that they never sell our data but that doesn't mean they don't share it. It's quite common to see companies proclaim they would never sell our data under any circumstance but it leaves a convenient hole for them to share it on a whim.

You Need A Budget won't sell your information. Instead, they'll share it for free

Who they share it with

This section can be found under a variation of "How Your Information Is Shared", "Data Sharing", or "When We Share Information About You".

Example of how Reddit shares your data

Similar to how they collect and use our data, we have to not only take what they say at face value but consider what they aren't saying here as well (I'm sure you see a recurring pattern here). This is also the section that's the most vague. Often we'll find that they share data with their "partners" or "affiliates" but will fail to list specific companies or entities.

Some common third parties to see in these lists are advertising, analytical, and/or marketing partners, affiliates, contractors, and vendors. Some of these partners are needed for the service to function correctly. For example, if you have to pay for something and you use PayPal to do it, it's natural that some information will be shared with PayPal. Others, such as analytical and marketing partners, are generally doing nothing more than taking your data, analyzing it, and building profiles, both to directly target you and others and to pass along.

Some companies, such as Google, will claim they only keep the data inside their company or network except for certain situations (generally legal-related). This makes it seem like they're fighting the good fight and keeping it to themselves, which they do, until you realize that Google isn't just Google anymore but a continually growing list of companies such as Nest, Android, Waymo, Jigsaw, Calico, DeepMind, and many more.

Retention

Knowing how long companies keep our data is an important, albeit slightly less crucial, piece of the puzzle. Is it kept forever? 30 days? Or is everything erased immediately upon account deletion? Sometimes this will have its own section, but you may find it lumped into other categories or in the terms of service section instead of the privacy policy.

Example of You Need A Budget's data retention policy

Keep in mind that we have no way to verify whether anything is actually deleted after the stated amount of time passes. Even with GDPR, nobody goes back to these companies to verify deletion after we request to have our data expunged. Always assume that any information we give a company or service will be kept, in some form, indefinitely.

