How to skim a privacy policy to spot red flags


At the Help Desk, we read privacy policies so you don't have to.

But what if you really want to?


We do our best to look into the privacy practices of the apps, websites and devices you use the most. Recently, we've done deep dives on tax software, hospital check-in programs and cellphone carriers. But keeping track of companies' privacy habits is an uphill battle. Last month, Washington Post personal tech columnist Geoffrey A. Fowler tried to read all the privacy policies for the apps on his phone. It added up to 1 million words - twice the length of "War and Peace."

This week, a Help Desk reader wrote in asking for some tips on how to scan a privacy policy for the most important points and quickly assess a company's commitment to keeping her safe. That way, she can evaluate the apps and sites she uses rather than waiting for someone else to do it.

Jen Caltrider, lead researcher on Privacy Not Included - a scoring system for apps and gadgets from the nonprofit Mozilla Foundation - unpacks privacy policies for a living, she said, and she's got a whole bag of tricks. I've read quite a few privacy policies, and I always start with the same checks.

Keep in mind: We don't have to become experts in the subtleties of long, confusing legal documents to earn our right to privacy. The burden of protecting privacy should be on the companies that build the technology - not the people who use it, privacy advocates argue.

"If you read a privacy policy and feel lost and confused, you're not alone," Caltrider said. "These documents are written by lawyers for lawyers. They confuse me, and I read them all the time."

That said, here's your official guide to skimming privacy policies. If your eyeballs start to bleed, feel free to send me an email and we can commiserate.

- Find the darn thing. The first step to evaluating a privacy policy is finding it, and unfortunately, companies don't always make it easy.

For apps, the easiest way is to find their listing in the Apple or Google app store and follow the link to the developer's privacy policy. For websites, check at the bottom of the web page for small, linked text that says "privacy" or "privacy policy."

At this point, you might be tempted to just rely on the privacy label Apple or Google displays. Despite good intentions and the easy-to-read format, these labels aren't reliable, Caltrider said. The information is self-reported by companies, and the labels aren't always accurate. For instance, my investigation into photo-sharing widgets LiveIn and Locket Widget found that LiveIn's label in the Apple App Store failed to disclose that it collects data to track you. (It was fixed afterward.)

For connected devices, check the developer's website, and make sure the policy you're reading actually addresses the device you've got, Caltrider said. For example, Amazon has an easily findable privacy policy at the bottom of its website, but there are separate FAQ pages for devices such as Echo Show and Kindle. (Amazon founder Jeff Bezos owns The Washington Post.)

If you can't find the privacy policy, the company might not be keen on you reading it. That's a red flag.

- Check what the company is collecting. The first chunk of most privacy policies outlines what data the company collects from you. Scan this section for anything that doesn't sit right. You may not be surprised to see that the company is collecting the email address you signed up with, for example, but if it's collecting your precise location or audio from your phone's microphone, that's worth a pause. Ask yourself: Is this tech collecting information without a clear purpose?

- Search for key terms. Now, it's time to bust out your keyword search and look for some common offenders. (On a computer, use Ctrl+F, or Cmd+F on a Mac. On a smartphone, your browser app may have a "find on page" function in its menu.)

First, search for "sell." Will this company sell your data to third parties?

If it says it won't, search next for "affiliates" and "partners." Companies love bragging about not selling your data when they share it liberally with third parties. Does this company carve out room to share your data with "business affiliates" or "partners?" Does it list who those entities are?

If a company says it shares data internally, take a moment to consider how broad its group of companies might be. For instance, the privacy policy for Hinge says the dating app's affiliates include the entire Match Group family of businesses - which included around 45 businesses as of 2018. Facebook parent company Meta, for its part, says: "Meta Products share information with other Meta Companies." Meta products and companies include Facebook, Instagram, WhatsApp, Messenger, Portal, Meta Quest and others.

Last, search for "advertising." If this company does sell or share your data, is it to target you with ads? Sometimes, companies artfully avoid the words "targeted advertising" by saying they use your data to "personalize" or "improve" the service or to make sure the content you see is "interest-based" - so search for those terms, as well.

Speaking of fancy linguistic footwork, look out for terms like "may" and "for example." If a company "may" share your data with third parties, "for example" to check for security threats, there are likely some shadier data-sharing examples happening that they declined to call out, Caltrider said.
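The keyword checks above can be turned into a small script. The one below is an added example for this column, not a tool from The Post or from Privacy Not Included; the category names, the regular expressions, the 25-character negation window and the sample policy text are all its own choices, and the sample text is constructed rather than quoted from any real company's policy. It runs the article's sequence (search "sell," then "affiliates"/"partners," then the advertising and "personalize"/"improve"/"interest-based" vocabulary, then the "may ... for example" hedge) over the text, shows each hit in context, and tells "we do not sell" apart from "we sell."

```python
import re

# Search terms grouped the way the article walks through them. The regexes
# and the category names are this example's own choices, not the article's.
CHECKS = {
    "sell": [r"\bsell(?:s|ing)?\b", r"\bsale\b", r"\bsold\b"],
    "share_with_third_parties": [r"\baffiliates?\b", r"\bpartners?\b",
                                 r"\bthird[- ]part(?:y|ies)\b"],
    "advertising": [r"\badvertis\w*", r"\bpersonali[sz]e\w*", r"\bimprove\w*",
                    r"\binterest[- ]based\b"],
    "hedges": [r"\bmay\b", r"\bfor example\b", r"\bsuch as\b", r"\bincluding\b"],
}

# Words that, shortly before a term, turn a statement into its denial
# ("we do not sell"), so "not sell" is not mistaken for "sell".
NEGATION = re.compile(r"\b(not|never|don't|won't|neither)\b", re.IGNORECASE)

# Constructed sample policy text for the demonstration; it is not quoted from
# any real company's policy.
SAMPLE_POLICY = """
We do not sell your personal information. We may share information with our
affiliates and business partners, for example to detect security threats.
We use your data to personalize the service and to show interest-based
content. You can opt out of advertising cookies at any time.
"""


def find_hits(text, patterns, width=60):
    """Return (term, negated, snippet) for every regex match in `patterns`.

    `snippet` is the surrounding text, whitespace-normalised, so the reader can
    judge the sentence instead of just the word. `negated` is True when a
    negation word appears in the 25 characters before the match.
    """
    hits = []
    for pat in patterns:
        for m in re.finditer(pat, text, flags=re.IGNORECASE):
            before = text[max(0, m.start() - 25):m.start()]
            start = max(0, m.start() - width)
            end = min(len(text), m.end() + width)
            snippet = " ".join(text[start:end].split())
            hits.append((m.group(0).lower(), bool(NEGATION.search(before)), snippet))
    return hits


def scan_policy(text, width=60):
    """Run every category in CHECKS; returns {category: [(term, negated, snippet)]}."""
    return {cat: find_hits(text, pats, width) for cat, pats in CHECKS.items()}


def hedged_sharing_sentences(text):
    """Sentences that both mention sharing and hedge it with 'may' / 'for example'.

    This is the article's "may ... for example" pattern: the named example is
    usually the benign one, and the sentence leaves room for others.
    """
    sentences = re.split(r"(?<=[.!?])\s+", text)
    return [
        " ".join(s.split())
        for s in sentences
        if re.search(r"\b(share|disclose|provide)\b", s, re.IGNORECASE)
        and re.search(r"\b(may|for example|such as)\b", s, re.IGNORECASE)
    ]


def red_flags(text):
    """Turn the keyword hits into the short list of things to read closely."""
    hits = scan_policy(text)
    flags = []
    sells = hits["sell"]
    if sells and all(neg for _, neg, _ in sells):
        if hits["share_with_third_parties"]:
            flags.append("says it does not sell, but shares with affiliates/partners")
    elif sells:
        flags.append("sells (or may sell) data")
    if hits["advertising"]:
        flags.append("advertising/personalization language present")
    if hedged_sharing_sentences(text):
        flags.append("hedged sharing language ('may', 'for example')")
    return flags


if __name__ == "__main__":
    for category, hits in scan_policy(SAMPLE_POLICY).items():
        for term, negated, snippet in hits:
            print(f"[{category}] {'NOT ' if negated else ''}{term}: ...{snippet}...")
    print("Red flags:", red_flags(SAMPLE_POLICY))
```

Run it on a policy you have saved as text (paste it into SAMPLE_POLICY or read it from a file) and read the snippets, not just the counts: "improve" and "partners" turn up in plenty of harmless sentences, so the script only points at the passages worth a careful read, which is exactly what a Ctrl+F pass does by hand.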

- Trust your instincts. If it feels weird, it probably is.

Caltrider said she always feels suspicious if a privacy policy is really short or really long. Too short means the developers didn't put much thought into the policy. (For instance, after we called out LiveIn and Locket Widget for seemingly failing to disclose data-sharing in their policies, both added new sections that made their policies more complete.)

A super long policy, on the other hand, means "the lawyers really got into trying to cover [themselves] with lots of words," Caltrider said.

Likewise, if the policy feels too good to be true, it might be - at least when it's in a consumer-friendly format written by corporate communications professionals. If you're working your way through a fun privacy game or a beautifully rendered "privacy center," be wary of vague language, Caltrider advised.

Finally, know your rights. If you live in California or the European Union, you get extra privacy protections (under the CCPA and the GDPR, respectively) that many policies outline in a separate section toward the bottom.

- Have fun? Just kidding - reading privacy policies is never fun. But some companies put extra effort into making their policies clear and readable, Caltrider noted. If you find one, send it our way so we can give kudos. Caltrider's favorite privacy policy is from Wysa, a mental health chatbot, she said. Indeed, this policy is exceptionally transparent and a good model as you make comparisons at home.
