Finding Red Flags in Privacy Policies

Ben Ohno | October 6, 2022

Companies tell us in their privacy policies what they do and do not do with our data… or do they?

Privacy has been a consistent subject in the news over the past few years due to data breaches like Cambridge Analytica and Equifax in 2017. As a result, privacy policies are being scrutinized more closely, because they communicate what protections users have on a platform. Most users do not read the privacy policy, but there are certain things a user can look for in even a very brief skim. While there are no national laws that govern privacy policies in the US, there are certain pieces of information that a privacy policy should contain. In this blog post, I will highlight some aspects of a privacy policy that a user can review manually, and some automated capabilities that attempt to do this for the user.

Within the privacy policy:

Privacy policies should have contact information available for users to reach out to, preferably a contact on the legal counsel side of the company. Without this contact information, users have no avenue for understanding the protections the privacy policy gives them. In addition, if third parties have access to the data, users should know who those third parties are. Solove's Taxonomy has a section on information processing, and it identifies secondary use of data as a privacy risk to users. When companies give data to third-party vendors, those vendors often do not have to follow the same policies and practices as the company that gave them the data. Lastly, privacy policies with overwhelming vocabulary, jargon, and an ambiguous tone can be problematic. Companies with policies that are difficult to understand may be hiding exactly what they are doing with the data.

Outside the privacy policy:

There are certain flags to look for that do not depend on the content of the privacy policy itself. Based on this article from Forbes, the privacy policy should be easy to find. If it is not easily findable, that may be a sign that the company is not transparent about how it handles user data. Another thing to consider is whether the company follows its own privacy policy. If the company has had privacy breaches in the past, that is a clear sign that it has not followed its privacy policy. Lastly, companies should post when their privacy policy was last updated. A red flag would be if many years have passed since the last update, or if the company has not updated the privacy policy after a data breach.

Automated capabilities:

Terms of Service; Didn't Read (TOSDR) is a site that aims to summarize privacy policies and highlight red flags for users. However, it cannot read an arbitrary privacy policy: it has a finite database of larger companies' privacy policies. Usableprivacy.org is a site that analyzes privacy policies with crowdsourcing, natural language processing, and machine learning; it is a blend of human and machine analysis of privacy policies, and it provides a report for each company in its database. Beyond sites that summarize privacy policies and flag potential privacy concerns, we can also use natural language processing to measure the reading complexity of a privacy policy. Commonsense.org discusses metrics such as the Automated Readability Index and the Coleman-Liau Index as measures of how complex a document is to read.
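As an added illustration of the complexity check described above (this is example code written for this post, not a tool from Commonsense.org or any of the sites mentioned), the script below computes the Automated Readability Index and the Coleman-Liau Index for two constructed privacy-policy clauses and flags a clause whose estimated grade level exceeds a threshold. The two clauses, the `readability`/`flag_complex` function names, and the grade-12 threshold are assumptions of this example; the two formulas are the standard published ones, which work from character, word, and sentence counts only.

```python
import re

# Constructed sample clauses (not from any real privacy policy).
PLAIN_CLAUSE = "We collect your email. We share it with advertisers. You can delete it."
DENSE_CLAUSE = (
    "Notwithstanding the foregoing, personally identifiable information may be "
    "disclosed to affiliated entities and unaffiliated third-party service "
    "providers for operational purposes."
)


def readability(text: str) -> dict:
    """Return counts plus ARI and Coleman-Liau scores (both approximate a US grade level).

    Sentence splitting is deliberately simple (., !, ?); abbreviations such as
    "e.g." or "Inc." will be over-counted, which slightly lowers both scores.
    """
    sentences = max(1, len([s for s in re.split(r"[.!?]+", text) if s.strip()]))
    tokens = re.findall(r"[A-Za-z0-9']+", text)   # hyphenated words count as two
    words = max(1, len(tokens))
    chars = sum(1 for w in tokens for c in w if c.isalnum())  # letters and digits only

    # Automated Readability Index
    ari = 4.71 * (chars / words) + 0.5 * (words / sentences) - 21.43

    # Coleman-Liau Index: L = letters per 100 words, S = sentences per 100 words
    L = chars / words * 100
    S = sentences / words * 100
    cli = 0.0588 * L - 0.296 * S - 15.8

    return {"sentences": sentences, "words": words, "chars": chars,
            "ari": ari, "cli": cli}


def flag_complex(text: str, grade_threshold: float = 12.0) -> bool:
    """Red-flag heuristic (assumed threshold): either index above a high-school grade level."""
    r = readability(text)
    return r["ari"] > grade_threshold or r["cli"] > grade_threshold


if __name__ == "__main__":
    for label, clause in (("plain", PLAIN_CLAUSE), ("dense", DENSE_CLAUSE)):
        r = readability(clause)
        print(f"{label}: ARI={r['ari']:.2f} CLI={r['cli']:.2f} "
              f"flagged={flag_complex(clause)}")
```

Run against a full policy, the same function gives a single number that can be compared across companies, which is the kind of signal the sites above build into their reports.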

Looking forward:

Hopefully this blog post helped readers understand a bit more about privacy policies, and which flags and tools can help make sense of them. The state of privacy is evolving, and the privacy space changes quickly. In the future, I hope there will be federal laws that mandate a standardized way to communicate the content of a privacy policy to the user in a concise and manageable form.