Privacy policies decoded: What you’re really agreeing to

Yup. We’ve probably all done it. After all, privacy policies are the worst. They’re full of legalese and, worse than that, they’re dreadfully long. 

You all know we’re serious about data privacy, and we think you should be in control of your digital footprint. The first place to start is by understanding privacy policies. If you haven’t read up on the topic yet, this NYT article is a great piece to read. 

Privacy policies are important. Without them, we could all be living like Joan in that Black Mirror episode. And, as the same episode illustrates, the dangers of sketchy privacy policies aren't as far-fetched as they seem.

Remember that whole thing where millions of Facebook users' data was harvested without their knowledge and used to influence elections? Yeah, that wasn't exactly great for data privacy, but it’s not just a one-off experience. It’s more common than you think.

Before you click accept, here’s what to watch out for when skimming privacy policies:

👀 “Government access to user data”: this term usually means they share info with the federal government. Take a look at Google’s report to see what we mean–from January to June of 2022, they had more than 211,000 requests to share data. Some of that data was requested across country lines. For example, in December 2020, Colombia, Latvia, Netherlands, Canada, and Switzerland requested GSUITE user data from the United States and Ireland. 

But will you be notified if Google is going to share your data? Probably not. In their FAQs, they note that they “can notify the account holder” and “When we do notify the account holder about a legal request, we do so by email.” That’s not exactly crystal clear.

Do they or don’t they? It depends on the jurisdiction. 

The type of info they send can vary–from the name, account creation information, sign-in IP addresses and timestamps, to email headers, stored text message content, stored voicemail content, private blog post and comment content, and beyond. 

👀 “Precise geolocation.” Like you see in this privacy policy means that the vendor can pinpoint you within about 1,800 feet. Sometimes, it makes sense for an app to have your precise location (thank you, map apps. How would we get anywhere without you?!) but does Pepsi really need to know where you are? It depends on who you ask.

From the vendor’s perspective, this data–like most–is valuable. They might use it to see where you go and target specific ads based on where you shop. And, what’s weirder–they might use it to tell if you’re a returning customer or if you’ve seen one of their ad campaigns, even if you’re not physically in the store. 

👀 “Financial Info” and “Sensitive Info” which, according to Apple’s Privacy Details page, usually means “ racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data.”

👀“The use of third-party services” which is required for various functionalities, like analytics and advertising. Obviously, these third parties may have their own privacy policies, adding another layer of complexity for users to understand.

👀“Limited liability.” Some privacy policies include clauses that limit the company’s liability in case of a data breach or misuse of data, protecting the vendor more than the user.

This isn’t an exhaustive list of things to watch out for, but it is a good place to get started. If you’re considering ways to protect yourself and your data online, you may want to check out Delete Desk or Yorba’s free app so you can easily surface data breaches, check for vendors with shady privacy policies, and easily unsubscribe or delete accounts that don’t align with your values.

Want to know what to tackle first? Take a look at our suggested first steps.