This article was originally published in The Markup and is reprinted here with permission. It has been edited for style.
Privacy policies are horrible. They are too long, impenetrable, and full of legalese that amounts to a take-it-or-leave-it offer.
But the privacy policy is one of the only places where tech companies have to tell us the truth — the truth about what personal data they are collecting, how they share and profit from that data, and at a deeper level, what sort of trade we’re making when we choose to use their apps or platforms.
They follow a predictable structure, meaning you can learn to navigate them, spotting key sections and passages from a safe skimming height, swooping down only to extract the juiciest morsels of information or to leverage an opportunity to opt out of certain collection (or to opt in to deeper, more personalized disclosure).
We can teach you how to do that. Drawing from our shared experience — Jon as a reporter who has read hundreds of these documents in the course of his reporting, and Jesse, an intern with us who also happens to be an attorney who has helped write dozens of privacy policies himself — we have some tips we want to share with you about what to look out for. We also asked some privacy experts to weigh in and share their advice with our readers.
Below you’ll find a detailed description of what to look out for. We realize it’s a lot to get through, so we’ve placed ➡️ symbols next to key concepts. If you want to dig in further, we’ve included plenty of description about each.
Here’s What You Should Pay Attention to
A privacy policy can lay out a lot of important information that you cannot find anywhere else. Here’s a breakdown of the most useful details contained in most policies, and how to find them.
What Information Are They Collecting?
➡️Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.
It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.
Location, Location, Location
In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.
➡️Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”
Why Are They Collecting This Information, and How Do They Use It?
➡️Look for a title like “How we use your personal information.” This section represents the company’s explanation for why they need your data in the first place. Sometimes it is pretty straightforward. It’s reasonable for an app to need your payment information to process a transaction or to access your location to give you driving directions, for example. But pay close attention when it is less obvious why a particular category of personal data is being collected. For example, why would a recipe app need your location? Also, be on the lookout for vague and overly broad reasons such as “business activities” and “business purposes,” which can hint at sharing you might not be comfortable with. This may be combined with the section describing the information they collect. Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), said to take any examples provided in this section with a big lump of salt.
“In many cases, the ‘for example’ will point out a relatively expected or benign use and distract from other more intrusive potential uses. Those other uses wouldn’t violate the Privacy Policy because they never claimed the example was the only use type,” explained Schroeder.
Why Sharing to “Business Partners” Is More Worrisome than to “Service Providers”
➡️Look for a section about third parties your data is sold to or otherwise shared with. You might see references to “service providers,” which are usually just the third parties that process data as needed for the app to function. But look out for mentions of “business partners.” Do they combine or enrich your data with information collected from other “partners”? This is a red flag that you are being profiled. If you’re really lucky, you might find a policy that actually identifies some of those partners. (These could be advertising firms, data brokers, or affiliates.) And usually if another partner is listed, policies will inform you that you are also subject to the partners’ privacy policies, which it seems you are expected to read. It’s up to you to decide how far down the rabbit hole you want to go.
Anonymization/Aggregation Might Not Be as Good as It Sounds
Sometimes a company might say that any data it shares has all identifying information removed.
➡️Its privacy policy might use terms like “de-identified” data in addition to “anonymous” or “aggregated” data. This sounds as if it makes information sharing more private, but there has been a great deal of research showing that it is possible and in some cases quite easy to re-identify personal data even after it has been masked or combined. It doesn’t matter if a company anonymizes your data if its “business partners” are just going to undo that work when they get it.
Code Words for ‘Ad Targeting’
➡️When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.
Learn Where Your Personal Data Travels
The company may notify you that your data may be shared with companies in other countries. Today in the US there are few federal restrictions on where user data can be stored, unlike under the EU’s GDPR privacy law. This is important because when data is moved to another country, the legal protections for that data may change along with the jurisdiction. This is one reason people have concerns about where TikTok stores data, for example.
➡️Look for “Transfer of Your Personal Data” or similar text to find this section.
Children’s Data/COPPA Disclosures
➡️Look for references to “COPPA” or the “Children’s Online Privacy Protection Act,” as well as “children” or “ages.” COPPA is a law that is supposed to offer greater protections for children’s data and make sure parents have the chance to consent on behalf of their children. Look for how the company protects the data for children under 13 and what mechanisms it offers for parents to control data collection and sharing for their kids.
Have Your Data Restricted, Deleted, or Shared With You
➡️Look for phrases like “Your rights” or “Your choices.” These denote an important section that discloses specific things that you have control over. Depending on where you live (and which privacy laws might apply to you), you may be able to request a copy of your data, correct your data, or ask for it to be deleted. You may even have the option to opt out of having your data shared or sold and still be able to use the service.
Why You Should Pay Attention to ‘Information for California Residents’
➡️One of the first things we look for when we are reading a privacy policy is a section typically labeled as being “for California residents.” Here’s why.
There is currently no general federal consumer privacy law on the books, so the California Consumer Privacy Act (CCPA) is the privacy law that covers the largest number of Americans. If the company is big enough, it’s a sure bet you will see a section specific to this law. Even though the CCPA only applies to California residents, everyone benefits from the transparency that the law compels companies to produce.
➡️Within this section, look for portions that begin with “In the past 12 months,” as in, “In the past 12 months, we have collected the following categories of personal information, as described in the CCPA.” This particular “in the past 12 months” disclosure is really one of the clearest pieces of documentation about what a company is actually doing.
Even better, right after that you will usually find “In the past 12 months, we have disclosed personal information to the following categories of recipients.” This section might be the closest you can get to a company’s admitting that it is sharing your data to third parties for targeted advertising, data enrichment, or other uses.
The CCPA also gives California residents the right to delete their data and the right to opt out of data sales or data sharing. When the updated California Privacy Rights Act (CPRA) fully takes effect (which it is scheduled to do on March 29, 2024), these rights will grow to include the right to correct one’s data.
For California residents, another powerful right that the CCPA provides is the right to access their data. Depending on the company, occasionally non-California residents can successfully request their data, so everyone should consider making a request anyway. Just keep in mind the data request process varies greatly from company to company and can include several steps.
➡️You also may encounter what looks to be an ironclad, clearly worded promise: “We do not sell your data.” But this promise needs some unpacking. This phrase is directly related to how the CCPA defines “selling” data. And you may see the companies complaining about it in the words surrounding this phrase, as online marketplace Temu does in its privacy policy:
“We do not sell your personal information as that term is generally understood but we recognize that the CCPA defines ‘personal information’ in such a way that making available identifiers linked to you for a benefit may be considered a ‘sale.’ The CCPA broadly defines ‘personal information’ and ‘selling’ such that making available or sharing identifiers linked to you for a benefit may be considered a sale.”
Schroeder noted that Temu “has three sentences complaining about how the CCPA defines sale and two about how to actually opt out. That ratio is not great.”
We also outlined three case studies — on GasBuddy, Epic Games, and Temu — that will give you some further details based on real-world examples.
Now you have a few things to look for when you are about to sign up for a new service. When you’re in that situation, it’s worth taking a few moments to scan through the service’s privacy policy. Now that you know how they are structured, they should be less intimidating when you see a new one.
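The checklist above can be turned into a first-pass scanner that flags the watch-phrases from each section and counts the “sale” hedging versus opt-out sentences Schroeder describes. This is an added example, not code from The Markup; the phrase list and the sample policy text are constructed assumptions, and a hit only tells you where to read more closely.

```python
import re

# Watch-phrases from the article's checklist, grouped by the question each policy section answers.
WATCHLIST = {
    "collection": ["fingerprint", "ip address", "operating system", "screen resolution", "tracker"],
    "location": ["precise geolocation", "geolocation", "geofencing", "geotargeting"],
    "sharing": ["business partner", "service provider", "data broker", "affiliate"],
    "anonymization": ["de-identified", "anonymous", "aggregated"],
    "ad_targeting": ["personalize", "improve our services", "interest-based advertising"],
    "transfers": ["transfer of your personal data", "other countries"],
    "children": ["coppa", "children's online privacy protection act", "under 13"],
    "rights": ["your rights", "your choices", "opt out", "delete"],
    "ccpa": ["in the past 12 months", "california residents", "do not sell"],
}

def scan_policy(text, context=40):
    """Return {category: [(phrase, snippet), ...]} for every watch-phrase found in text."""
    norm = " ".join(text.split())          # collapse line breaks so phrases match across them
    low = norm.lower()
    hits = {}
    for category, phrases in WATCHLIST.items():
        for phrase in phrases:
            for m in re.finditer(re.escape(phrase), low):
                start, end = max(0, m.start() - context), min(len(norm), m.end() + context)
                hits.setdefault(category, []).append((phrase, norm[start:end]))
    return hits

def sale_hedge_ratio(text):
    """Count sentences hedging on the CCPA meaning of 'sale' vs. sentences explaining opt-out."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", " ".join(text.split())) if s]
    hedges = [s for s in sentences if re.search(r"\b(sale|sell)\b", s, re.I)
              and re.search(r"ccpa|defin|generally understood", s, re.I)]
    optouts = [s for s in sentences if re.search(r"opt[- ]out", s, re.I)]
    return len(hedges), len(optouts)

# Constructed sample policy text for demonstration (not from any real company).
SAMPLE_POLICY = """
Personal information we collect. We automatically collect your IP address, device
operating system, and screen resolution. We may collect precise geolocation when you use
the app. We share de-identified data with our business partners for interest-based
advertising. In the past 12 months, we have collected the following categories of personal
information. We do not sell your personal information as that term is generally understood,
but the CCPA defines "sale" broadly, so sharing identifiers may be considered a sale.
To opt out, visit our Do Not Sell page.
"""

if __name__ == "__main__":
    for category, found in scan_policy(SAMPLE_POLICY).items():
        print(f"[{category}]", *[f"\n  {p!r}: ...{s}..." for p, s in found])
    print("hedge / opt-out sentence counts:", sale_hedge_ratio(SAMPLE_POLICY))
```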
Additional Resources
How Data Journalists Can Use Anonymization to Protect Privacy
How to Protect Yourself from Metadata
Forensic Tools Open New Front for Using Phone Data to Prosecute Journalists
Jon Keegan is an investigative data journalist at The Markup. Before joining The Markup he was a Senior Research Fellow at the Tow Center for Digital Journalism at Columbia University, researching signals of trust in online news and studying the role of AI in journalism. He also worked at The Wall Street Journal for 18 years, where he ran the interactive graphics team.
Jesse Woo is a former privacy lawyer and tech policy expert who is currently pursuing an MS in computer science at Columbia, focusing mainly on computer networks and machine learning. His policy work focuses on cross-border data flow issues and mutual legal assistance reforms, as well as privacy localism and municipal open data.