The Washington PostDemocracy Dies in Darkness

How to skim a privacy policy to spot red flags

Privacy policies are hard to read on purpose. Here is what to look for in a pinch.

The Help Desk reads privacy policies for you. But what if you need to check something more? (iStock/Washington Post Illustration)

At the Help Desk, we read privacy policies so you never have to. But what if you really want to? We do our best to look into the privacy practices of the apps, websites and devices you use the most. We have done deep dives on tax software, medical records and cellphone carriers.

But keeping track of corporate privacy habits is an uphill battle. Technology columnist Geoffrey A. Fowler recently tried to read all the privacy policies for the apps on his phone. It added up to 1 million words, twice the length of “War and Peace.”

A Help Desk reader wrote in asking for some tips on how to scan a privacy policy for the most important points and quickly assess a company’s commitment to keeping her safe. That way she can evaluate the apps and sites she uses, rather than wait for someone else to do it.

Jen Caltrider, lead researcher on Privacy Not Included, a scoring system for apps and gadgets from the nonprofit Mozilla Foundation, unpacks privacy policies for a living, she said, and she has a whole bag of tricks. I have read quite a few privacy policies, and I always start with the same checks.

Being an expert in the subtleties of confusing legal documents is not necessary to earn our right to privacy. The burden of protecting privacy should be on the firms that build the technology, not the people who use it, privacy advocates argue.

“If you read a privacy policy and feel lost and confused, you are not alone,” Caltrider said. “These documents are written by lawyers for lawyers. They confuse me, and I read them all the time.” That said, here is your official guide to skimming privacy policies. If your eyeballs start to bleed, feel free to send me an email and we can commiserate.

Find the darn thing

The first step to evaluating a privacy policy is finding it, and unfortunately, companies don’t always make it easy. For apps, the easiest way is to find their listing in the Apple or Google store and follow the link to the developer’s privacy policy. For websites, check at the bottom of the web page for linked text that says “privacy policy.”

At this point, you might be tempted to just rely on the privacy label Apple or Google displays. Despite good intentions and simple formats, these labels are not reliable, Caltrider said. The information is reported by the companies, and the labels are not always accurate. For instance, my investigation into photo widgets LiveIn and Locket Widget found that the LiveIn label in the Apple store failed to disclose that it collects data to track you. It was fixed afterward.

Teens are flocking to the new photo apps but are they safe to use?

For connected devices, check the developer’s website, and make sure the policy you are reading actually addresses the device you have, Caltrider said. For instance, Amazon has an easily findable privacy policy at the bottom of its website, but there are separate pages for frequently asked questions for devices such as the Kindle and Echo Show. If you have a hard time finding the privacy policy, the company might not be keen on you reading it. That is a red flag.

See what data is used

The first chunk of most privacy policies outlines what data the company collects from you. Scan this section for anything that does not sit right. You may not be surprised to see that the company is collecting the email address you signed up with, for instance, but if it is collecting your precise location or audio from your microphone, that is worth a pause. Is this technology collecting information without a clear purpose?

Lots of apps use personal contacts. Few will tell you what they do.

Search for key terms

Now time to bust out your keyword search and look for some common offenders. On a computer, use “control find” on your keyboard. On a smartphone, your browser app may have a “find on page” function in its menu. First, search for “sell.” Will this company sell your data to third parties?

If it not, search next for “affiliates” and “partners.” Companies love bragging about not selling your data when they share it liberally with third parties. Does this company carve out room to share your data with “business affiliates” or “partners?” Does it list who those entities are?

If a company says that it shares data internally, take a moment to consider how broad its group of companies might be. For instance, the privacy policy for Hinge says its dating app affiliates include the entire Match Group family of businesses, which included around 45 businesses as of 2018. Facebook parent company Meta, for its part, says, “Meta Products share information with other Meta Companies.” Meta products and companies include Facebook, Instagram, WhatsApp, Messenger, Portal and others.

Last, search for “advertising.” If this company does sell or share your data, is it to target you with ads? Sometimes, companies artfully avoid the words “targeted advertising” by saying they use your data to “personalize” or “improve” the service or to make sure the content you see is “based on interests.” You should search for those terms as well.

Speaking of fancy linguistic footwork, look out for terms like “may” and “for example.” If a company “may” share your data with third parties, “for example” to check for security threats, there are likely some shadier cases of data collection happening there that the company declined to call out, Caltrider said.

Trust your instincts

If it feels weird, it probably is. Caltrider said she always feels suspicious if a privacy policy is really short or really long. Too short means the developers did not put much thought into the policy. For instance, after we called out LiveIn and Locket Widget for seemingly failing to disclose data sharing in their policies, both added new sections that made their policies more complete. A super long policy, on the other hand, means “the lawyers really got into trying” to cover themselves “with lots of words,” Caltrider said.

Likewise, if the policy feels too good to be true, it might be, at least when it is seen in a format friendly to consumers written by corporate communications professionals. If you are working your way through a fun privacy game or a beautifully rendered “privacy center,” be wary of vague language, Caltrider advised. Finally, know your rights. If you live in California or the European Union, for instance, you get extra privacy protections that many policies outline in a separate section toward the bottom.

How to delete your personal data that companies are now hoarding

Try to have some fun

Just kidding. Reading privacy policies is never fun. But some companies put extra effort into making their policies clear and readable, Caltrider noted. If you find one, send it our way so we can give kudos. Caltrider has a favorite privacy policy from Wysa, a mental health chatbot, she said. Indeed, this policy is exceptionally transparent and a good model as you make comparisons at home.

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Go deeper: Tech in Your Life | Tech at Work | Your Data and Privacy | Internet Access | What’s New | Ethical Issues

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.

Loading...