News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

| How to read a privacy policy

rss_feed

""

""

By The Common Data Project
As part of its mission to educate the public about online privacy issues, the Common Data Project embarked on a project to discover how companies compete on the basis of privacy. CDP surveyed the online privacy policies of large Internet companies, social networks and start-ups to develop a "how-to-read" guide for those unable to understand or unwilling to engage in the lengthy and complex privacy policies that are so common in today's marketplace. Using seven questions, the CDP set out to extract the information users need in order to understand the practices behind the policies and to participate in the public debate about online data collection.

The Common Data Project was created to encourage and enable the disclosure of personal data for public re-use through the creation of a technology and legal framework for anonymized data-sharing. Specifically, we think that means creating a new kind of institution called a datatrust, which is exactly what it sounds like: a trusted place to store and share sensitive, personal data.

So why did we spend a lot of time parsing the legalese of some excruciatingly long privacy statements?

We know that an easy-to-understand, clear-cut privacy policy is critical to the viability of a datatrust. And we felt the first step in figuring out what constitutes an easy-to-understand, clear-cut privacy policy would be to look at what privacy policies are promising today.

We realize that most users of online services have not and never will read the privacy policies so carefully crafted by teams of lawyers at large companies. And having read all of these documents (many times over), we're not convinced that anyone should read them, other than to confirm what they probably already know: A lot of data is being collected about them, and it's not really clear who gets to use that data, for what purpose, for how long, or whether any or all of it can eventually be connected back to them.

Yet people continue to use Google, Microsoft, Yahoo and other sites without giving much thought to the privacy implications of giving up their data to companies.

We at the Common Data Project know that for a datatrust to function properly, we can't rely on people to simply look the other way, nor do we want them to.

Data collection for Google and Microsoft users is incidental. People go to Google.com to search, not to give data. As long as they have a good search experience, the data collection is largely out of sight, out of mind.

A datatrust, on the other hand, will be a service explicitly designed around giving and sharing data. We know that to convince the public that the datatrust can indeed be trusted, a clear privacy story is absolutely necessary.

Below we offer a guided tour through the privacy policies of 15 online services--from established players to major retailers to Web 2.0 starlets and aspiring start-ups that hope to compete on superior privacy guarantees. Our goal was to identify where their policies were ambiguous or simply confusing.

Companies surveyed

The companies and organizations whose policies the CDP analyzed were chosen for being among the most trafficked sites, as well as for providing a range of services online.

Privacy is not exclusively an online issue, even though the companies surveyed here all operate online. Many of the largest data breaches over the last 10 years have involved companies and agencies that actually operate exclusively offline, and the question of how to manage, store, and share large amounts of information is an important question for almost every business today. However, we chose to focus on online businesses and organizations because they have been among the most visible in illustrating the dangers and advantages of amassing great quantities of data.

For a graph visit www.commondataproject.org.

The analysis

To guide the analysis, we used seven questions to help pinpoint the issues deemed as most crucial for users' privacy.

  • What data collection is happening that is not covered by the privacy policy?
  • How do they define "personal information"? 
  • What promises are being made about sharing information with third parties? 
  • What is their data retention policy and what does it say about their commitment to privacy? 
  • What privacy choices do they offer to the user? 
  • What input do users have into changing to the policy's terms? 
  • To what extent do they share the data they collect with users and the public?

1. What data collection is happening that is not covered by the privacy policy?
This first question might seem like an odd one. But the fact that there is data collection going on that's not covered by the "privacy policy" captures so much of what is confusing for users who are accustomed to the bricks-and-mortar world.

When you walk into your neighborhood grocery store, you might not be surprised that the owner is keeping track of what is popular, what is not, and what items people in the neighborhood seem to want. You would be surprised, though, if you found out that some of the people in the store who were asking questions of the customers didn't work for the grocery store. You would be especially surprised if you asked the grocery store owner about it, and he said, "Oh those people? I take no responsibility for what they do." But in the online world, that happens all the time. Obviously, when a user clicks on a link and leaves a site, he or she ends up subject to new rules. But even when a user doesn't leave a site, there's data collection by third-party advertisers that's happening while you sit there.

In this section, we review how companies handle this in their privacy policies.  

2. How do they define "personal information"?
Most privacy certification programs, such as Truste, require that the privacy policy identify what kinds of personally identifiable information (PII) are being collected. As a result, nearly every privacy policy we looked at included a long list of the types of information being collected.

In this section, we examine how companies approach this disclosure. Some companies categorize, others label, and others use the disclosure to tout the fact they collect no information whatsoever. This section also explores how companies approach the topic of re-anonymization.

3. What promises are being made about sharing information with third parties?
In addition to listing the types of data collected from you, most privacy policies will also list the reasons for doing so. The most common are:

  • To provide services, including customer service
  • To operate the site/ensure technical functioning of the site 
  • To customize content and advertising 
  • To conduct research to improve services and develop new services.

They also list the circumstances in which data is shared with third parties, the most common being:

  • To provide information to subsidiaries or partners that perform services for the company
  • To respond to subpoenas, court orders, or legal process, or otherwise comply with law 
  • To enforce terms of service 
  • To detect or prevent fraud 
  • To protect the rights, property, or safety of the company, its users, or the public 
  • Upon merger or acquisition

This section examines various companies' approaches to communicating this message. Language aimed at normalizing and euphemizing the information being relayed was common.

For us at CDP, the issue isn't whether IP addresses are included in the "personal information" category or not. What we really want to see are honest, meaningful promises about user privacy. We would like to see organizations offer choices to users about how specific pieces of data about them are stored and shared, rather than simply make broad promises about "personal information," as defined by that company.

It may turn out that "personal" and "anonymous" are categories that are so difficult to define, we'll have to come up with new terminology that is more descriptive and informative. Or companies will end up having to do what Wikipedia does: simply state that it "cannot guarantee that user information will remain private."

4. What is their data-retention policy and what does it say about their commitment to privacy?
Data retention has been a controversial issue for many years, with American companies not measuring up to the European Union's more stringent requirements. But for us, it obscures what's really at stake and often confuses consumers.

For many privacy advocates, limiting the amount of time data is stored reduces the risk of exposure. The theory, presumably, is that sensitive data is like toxic waste, and the less of it lying around, the better off we are. But that theory, as appealing as it is, doesn't address the fact that our new abilities to collect and store data are incredibly valuable, not just to major corporations, but to policymakers, researchers, and even the average citizen. Focusing on this issue of data retention hasn't necessarily led to better privacy protections. In fact, it may be distracting us from developing better solutions.

This section explores how some companies handle (or don't) the topic of data retention in their privacy policies.

5. What privacy choices do they offer to the user?
Over the last year or two, there have been some interesting changes in the way some companies view privacy. They're starting to understand that people not only care about whether the telemarketer calls them during dinner, but also whether that telemarketer already knows what they're eating for dinner.

This section explores the evolution and offers one option for taking it a significant step forward.

6. What input do users have into changes to the policy's terms?
Not surprisingly, none of the policies we looked at stated that users would have a say into changes to the privacy terms. In this section, we review what companies do say in this regard, and also shed light on how Facebook's recent handling of policy term changes did open the door for users to have a say, why this is good, and why they had to do it.

7. To what extent do they share the data they collect with users and the public?
When we started this privacy policy survey, our goal was simple: find out what these policies actually say. But our larger goal was to place the promises companies made about users' privacy in a larger context-how do these companies view data? Do they see it as something that wholly belongs to them? Ultimately, their attitude towards this data very much shapes their attitude towards user privacy.

This section discusses companies' data-sharing activities and what it means, or could mean, for consumers.

Conclusion

By our standards, none of the privacy policies we surveyed quite measure up. Most of them provide incomplete information on what "personal information" means. Many of them fail to make clear that they are actively sharing information with third-parties. Even when they change their policies on something like data retention to placate privacy advocates, the changes do little to provide real privacy. The legal right companies reserve to change their policies at any time reminds us that right now, the balance of power is clearly in their favor. When they do offer users choices, the choices fail to encompass all the ways online data collection implicates users' privacy.

But we don't believe that we are stuck with the status quo. In fact, there are many positive signs of companies making smart moves, because they're realizing they need buy-in from their users to survive in the long-term.

Already, during recent Facebook controversies, we've seen users trying to determine how their data is shared. Google has created new tools that allow users a wider range of choices for controlling how their data is tracked. And every day, we see new examples of how data can be shared with users and customers as part of a service, rather than being treated just as a byproduct that is solely for the companies' use and enrichment.

We hope that our analysis will help push debate in the right direction. We hope that companies will see there can be real value and return in being more honest with their consumers. At the same time, we hope that as consumers and privacy advocates, we can work with companies towards useful solutions that balance privacy rights against the value of data for all of us.

About the Common Data Project
The Common Data Project is new not-for-profit organization dedicated to changing the way we think about and use personal data. At the heart of its mission is its development of a new kind of institution called a "datatrust," a repository of sensitive information donated by institutions and individuals for public use. We are exploring organizational structures that will enable the datatrust to be structurally transparent and participatory, while also testing some exciting new technology that could drastically raise industry standards for what it means to guarantee "anonymization" of data. We are also taking what we've learned from our survey of existing privacy policies to explore the possibility of creating licenses for personal information.  Such licenses would allow individuals to release personal data and define their own terms of use, in the spirit of Creative Commons licenses for intellectual property. For more information on our work, please see our Web site at www.commondataproject.org and our blog at www.myplaceinthecrowd.org.

Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Recent Comments