Privacy and Access Council of Canada

The voice for privacy and access

Cart

How to decode privacy policies

You were swamped all day with work, and now making dinner is staring you in the face. 

You’re tired, your family is “starving.” 

So you go to the restaurant’s website to order carry out, but you’re slowed down by needing to install yet another app to order carry out from them. Then there it is: the legalese, the permissions. You click “accept” again and again without a thought, just the sound of your stomach growling.

One of those things you probably agreed to in a rush was the app’s privacy policies. Only recently have companies been required to show you their “Privacy Policy” that describes how they’ll handle your data. They may even give you a chance to limit what they can do with your data.   

But they’re not just being nice when they do. The primary purpose of privacy policies is to shield companies from legal action. The result is long, boring, complicated policies filled with impossible to read legal gobbledygook designed to get you to click the “ACCEPT” button without thinking.  

In the moment, getting some dinner definitely takes precedence over reading a policy. But what’s at stake is your data and your privacy. It can feel like an insurmountable task, but keep reading. We’ve simplified it for you!

If you feel like you don’t have any control over your data, you’re not alone. In fact, four out of five people surveyed recently think they have no control over the data collected about them.* 

Actually, we have more control than we might think. We just need the knowledge to decode the secrets hidden in many privacy policies. 

Privacy policies’ hidden secrets

Most privacy regulations require companies to disclose:

  • Types of information collected.
  • Purposes of collection and use.
  • How data is collected, like cookies or other tracking technology.
  • The effective date and validity of the privacy policy.
  • Possible policy changes and how you’ll be notified if they occur. 
  • What, if any, control you have over data processing.
  • Security measures that protect information.
  • What third parties have access to the information, and how they use it.
  • Terms of sharing your information with governmental agencies.
  • The people accountable for the organization’s privacy practices and their contact details.

That’s a lot to wrap your head around. The challenge for people like us is that these disclosures are written by lawyers, and “legalese” is as hard to understand as something written by visitors from outer space.

On top of that, some policies are so involved they contain as many words as you’d find in the chapter of a novel. Facebook’s privacy policy takes about 18 minutes to read. That’s pretty typical when compared to other big companies.** 

Thanks to certain requirements in laws like the EU’s GDPR, privacy policies may be getting shorter and easier to read, but for now knowing a few important keywords can help.

Deciphering words that matter

Look for the privacy policy link (often in the footer of a page) and click to reveal the entire document. If there is no link, use the search feature on the home page to find a privacy statement. If there is none, that speaks volumes.

If you do find a privacy policy, use the “Find on page” function to search for these keywords.

Keyword 

What it probably means if you see it

Third Parties

Your data is going to be sold to other companies, probably a data broker. These companies collect online data and  sell it to pretty much anyone interested in learning more about customers, voters, students, and consumers … like you. It’s legal, but not always honest. 

Except

Whatever the policy just said, doesn’t matter. It’s not uncommon for companies to say they won’t sell your data, “except under certain circumstances.” Those exceptions probably make all the difference.

Such As

This sneaky term is used when companies want to give you a few examples, but not the complete picture. It might as well mean “whatever we want.” 

Retain

This tells you how long a company will keep your data. Companies should only keep your data for as long as you’re their customer. If longer, they’re mining your data. 

Delete

If the company gives you options to delete your data, they’re showing some respect for you. If they don’t, they’re acting like they own your data, not you. 

Date

Check the date the policy was last updated. If it’s recent, the company is taking your privacy more seriously. If not, they might not deserve your trust. 

Control

This might be the most important word to find because it indicates your options in determining how your data is treated. Many companies have privacy settings, but they aren’t always turned on by default. 

What can you do, really?

Based on what you find (or don’t find), you might want to take action. Consumers’ options are limited, but we’re not powerless. 

Take your business elsewhere. Nearly half of us have already ditched companies because of their data policies.*** You can too. Reward companies that do privacy right with your business. When we do, we might help encourage entire industries toward a more ethical future. 

Take control. If a company provides options to do things like consent, opt-out, adjust privacy settings, or delete your data, you should take advantage of them. These tools aren’t helping you if you don’t use them. Get in the habit of checking each website’s or service’s options when you sign-up. 

Be picky. Companies have trained us to not value our data. But think twice before you share anything online. The less data about you out there, the fewer chances it can be used unethically. Even a simple Facebook survey can lead to scandal and disruption.****

Speak up. If you see something weird or alarming in a privacy policy, say something. Your online voice can matter more than you think. Many companies are obsessed with their image, and constantly monitor social media for chatter about them, good and bad.  Change only happens when everyday folks like us put pressure on companies to do the right thing and treat us like people … not ones and zeros. *****

*Source: Pew Research Center. Americans and Privacy Report. 2019.

**Source: New York Times. We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. 2020.

***Source: Cisco. Consumer Privacy Report. 2019. 

****Source: The Guardian. Cambridge Analytica: how did it turn clicks into votes? 2018.

*****Source. The Verge. How to read a privacy policy. 2018.