Privacy notices can be overwhelming. Learning what to look for will make you a better informed digital citizen and help you protect your personal information. In a nutshell, watch out for:
- Overcollection
  When companies gather more information than they need to provide and support their product or service.
- Ambiguity of data use
  When it is unclear how the company is using your data.
- No retention periods
  When collected data is kept indefinitely for no legitimate business reason.
- Oversharing
  When personal information is sold or made available too widely.
- No contact information
  When there is no channel to contact the company with questions or issues.
What Is a Privacy Notice?
A privacy notice is a statement that explains what a company does with the personal information they collect when you use their products, services, or websites.
Privacy notices are a lot more prevalent thanks to privacy laws, such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which require companies to provide them.
Because privacy notices are usually written to satisfy legal requirements, they are often lengthy and not very easy to read. Here is what to pay attention to in order to make sure the company whose product or service you are about to use is committed to the protection of your privacy.
What Information Is Collected
Privacy notices state what type of information the company collects about you. Keep an eye out for data such as location, financial or health data, or other sensitive information. Consider whether collecting it is reasonable given the product or service you are using. As a consumer, you should always weigh the benefits you get from the product or service against the level of privacy you need to give up.
How the Information Is Collected
Companies can use different means to collect your personal information. They can get it directly from you when you complete online forms or sign up for newsletters. Personal information is also collected automatically, through session cookies and system logs. Cookies are small files sent to your browser by the websites you access that track your visits and activity. Companies can also obtain your information from third parties, by purchasing contact lists or engaging advertising and marketing providers like Google Analytics.
How the Information Is Used
A privacy notice should tell you how the company is using your information. They should not be collecting it just for the sake of having your personal details. Most often, your information will be used to enable technical features or for marketing purposes. This could be helpful to you, as companies can offer you better functionality and more relevant services, or stay in touch with you on topics of interest. However, your information could also enable targeted ads, unwanted marketing communication, and even profiling and automated decision-making. Companies should be transparent about how they are using the data they collect from you and should avoid making vague or ambiguous statements about its use.
How Long the Information Is Retained
Companies should let you know how long they are keeping your information. Under some circumstances, your information may be kept indefinitely. This should only be done for a legitimate business reason or to satisfy a legal requirement. The company should provide you with details about who to contact with concerns about the retention of your information.
How the Information Is Shared
There are legitimate reasons for a company to share your information with others. Sometimes, they need to share it with third parties to enable technical solutions or to maintain business processes. Beware of companies selling your personal information or making it available to other entities for profit. Some privacy laws, such as the CCPA, give consumers the right to opt out of their personal information being sold or shared with third parties.
What Your Rights Are
A privacy notice should let you know what your rights are regarding the personal information collected. In some instances, due to privacy regulations such as GDPR and CCPA, you have the right to review, correct, or even erase the information that a company has collected about you. The notice should let you know who to contact with questions or concerns about your personal information.
Additional Resources on the Topic
- Privacy Decrypted #6: How to read a privacy policy (Proton)
- How to Read a Privacy Policy (California Department of Justice)
- How to skim a privacy policy to spot red flags (Washington Post)