An investigative data journalist and a former tech lawyer teach you how to spot tricks and hidden disclosures within these interminable documents—and even how to claw back some privacy
By: Jon Keegan and Jesse Woo
Privacy policies follow a predictable structure, meaning you can learn to navigate them, spotting key sections and passages from a safe skimming height, swooping down only to extract the juiciest morsels of information or to leverage an opportunity to opt out of certain collection (or to opt in to deeper, more personalized disclosure).
We can teach you how to do that. Drawing from our shared experience—Jon as a reporter who has read hundreds of these documents in the course of his reporting, and Jesse, an intern with us who also happens to be an attorney who has helped write dozens of privacy policies himself—we have some tips we want to share with you about what to look out for. We also asked some privacy experts to weigh in and share their advice with our readers.
Below you’ll find a detailed description of what to look out for. We realize it’s a lot to get through, so we’ve placed 👀 emojis next to key concepts. If you want to dig in further, we’ve included plenty of description about each. We also outlined three case studies—on GasBuddy, Epic Games, and Temu—that will give you some further details based on real-world examples.
Here’s what you should pay attention to
What information are they collecting?
👀 Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.
It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.
Location, location, location
In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.
👀 Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”
Why are they collecting this information, and how do they use it?
Why sharing to “business partners” is more worrisome than to “service providers”
👀 Look for a section about third parties your data is sold to or otherwise shared with. You might see references to “service providers,” which are usually just the third parties that process data as needed for the app to function. But look out for mentions of “business partners.” Do they combine or enrich your data with information collected from other “partners”? This is a red flag that you are being profiled. If you’re really lucky, you might find a policy that actually identifies some of those partners. (These could be advertising firms, data brokers, or affiliates.) And usually if another partner is listed, policies will inform you that you are also subject to the partners’ privacy policies, which it seems you are expected to read. It’s up to you to decide how far down the rabbit hole you want to go.
Anonymization/aggregation might not be as good as it sounds
Sometimes a company might say that any data it shares has all identifying information removed.
Code words for “ad targeting”
👀 When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.
Learn where your personal data travels
The company may notify you that your data may be shared with companies in other countries. Today in the U.S. there are few federal restrictions on where user data can be stored, unlike under the EU’s GDPR privacy law. This is important because when data is moved to another country, the legal protections for that data may change along with the jurisdiction. This is one reason people have concerns about where TikTok stores data, for example. 👀 Look for “Transfer of Your Personal Data” or similar text to find this section.
Children’s data/COPPA disclosures
👀 Look for references to “COPPA” or the “Children’s Online Privacy Protection Act,” as well as “children” or “ages.” COPPA is a law that is supposed to offer greater protections for children’s data and make sure parents have the chance to consent on behalf of their children. Look for how the company protects the data for children under 13 and what mechanisms it offers for parents to control data collection and sharing for their kids.
Have your data restricted, deleted, or shared with you
👀 Look for phrases like “Your rights” or “Your choices.” These denote an important section that discloses specific things that you have control over. Depending on where you live (and which privacy laws might apply to you), you may be able to request a copy of your data, correct your data, or ask for it to be deleted. You may even have the option to opt out of having your data shared or sold and still be able to use the service.
Why you should pay attention to “Information for California Residents”
There is currently no general federal consumer privacy law on the books, so the California Consumer Privacy Act (CCPA) is the privacy law that covers the largest number of Americans. If the company is big enough, it’s a sure bet you will see a section specific to this law. Even though the CCPA only applies to California residents, everyone benefits from the transparency that the law compels companies to produce.
👀 Within this section, look for portions that begin with “In the past 12 months,” as in, “In the past 12 months, we have collected the following categories of personal information, as described in the CCPA.” This particular “in the past 12 months” disclosure is really one of the clearest pieces of documentation about what a company is actually doing.
Even better, right after that you will usually find “In the past 12 months, we have disclosed personal information to the following categories of recipients.” This section might be the closest you can get to a company’s admitting that it is sharing your data to third parties for targeted advertising, data enrichment, or other uses.
The CCPA also gives California residents the right to delete their data and the right to opt out of data sales or data sharing. When the updated California Privacy Rights Act (CPRA) fully takes effect (which it is scheduled to do on March 29, 2024), these rights will grow to include the right to correct one’s data.
For California residents, another powerful right that the CCPA provides is the right to access their data. Depending on the company, occasionally non-California residents can successfully request their data, so everyone should consider making a request anyway. Just keep in mind the data request process varies greatly from company to company and can include several steps.
Schroeder noted that Temu “has three sentences complaining about how the CCPA defines sale and two about how to actually opt out. That ratio is not great.”
Case Study No. 1: GasBuddy
The policy details this sharing under SHARING OF INFORMATION WITH THIRD PARTIES > Business Partners:
Note that this section allows the company to share your location with its “partners” (it lists Foursquare and Arity as partners elsewhere in the policy). But GasBuddy also informs you that these partners are free to share it with their partners, who are not named in this document or in Foursquare’s and Arity’s privacy policies (which GasBuddy does helpfully link to).
Foursquare’s website lists dozens of “partners” including massive data, advertising, and consumer brands such as Amazon Web Services, Oracle, The Trade Desk, MediaMath, Adobe, LiveRamp, Neustar, Procter & Gamble, Google, Microsoft, Tencent, TikTok, Roku, Snapchat, Twitter, Spotify, Hulu, and Uber. It is not clear how much of your data is shared with these partners when you look for the cheapest gas near you.
GasBuddy and Foursquare did not respond to requests for comment.
Case Study No. 2: Epic Games
The younger part of Fortnite’s audience opens Epic to liability under COPPA, the federal law that protects the privacy of children under (but not including) 13 years of age.
COPPA also requires that, for users under 13, Epic must limit how long it holds personal data to only what is necessary for its original purpose and obtain parental consent before collecting or disclosing it. One thing parents or guardians can do if they have children under 13 who interact with Epic products is check to make sure their kids have accurately reported their age to the platform. This will ensure that COPPA’s protections kick in and they will have the benefit of Epic’s additional parental controls to add an extra layer of safety for children.
Epic spokesperson Jake Jones told The Markup in an email that Fortnite is rated “Teen” and is directed at an older teen- and college-aged audience. “We have implemented high privacy default settings for players under the age of 18,” Jones wrote. “Chat defaults to ‘Nobody,’ profile details default to hidden, parties default to ‘Invite Only,’ and personalized recommendations are defaulted Off.” These changes (and a record-breaking fine) were part of a settlement Epic reached with the FTC last year over allegations they violated children’s privacy and tricked users into making unwanted purchases using techniques called “dark patterns.”
The company has also introduced “cabined accounts” for users under 13 that require parents to opt in for certain features.
When asked why Epic doesn’t anonymize children’s data by default, instead requiring them to send an email specifically asking for this, Jones said, “... some non-anonymized data is needed to provide our services and meet player expectations” and that the process of anonymization “can be quite disruptive to the core game experience for users who didn't specifically request that it be performed.”
Case Study No. 3: Temu
Online marketplace Temu is the number one free app on the iOS and Google app stores as of this writing. Temu is owned by Chinese e-commerce company Pinduoduo (through PDD Holdings). The current version of its site has removed all references to Pinduoduo and instead describes itself as WhaleCo Inc., a Boston-based company.
The popular e-commerce site is known for its insanely low prices, with dozens of items on its homepage listed below $5, with most being under $10. Shoppers can get a silicone drain plug for 99 cents or a “Pocket hug love token” for 89 cents.
For example, when reading through the section that describes what information the company collects from you, notice the “automatic data collection” section. This lists information about your mobile device or computer that is available to the company without your explicit consent.
What may be happening here is device fingerprinting. All of those signals taken together are unique enough to identify your device. This is a common approach companies have taken to get around ad blockers and other privacy-protecting technologies.
While laying claim to a very broad use of your data—note the phrases “improve our service” or “business purposes”—Temu says it anonymizes your data without giving details:
The details of how Temu transforms “personal information into anonymous data” really matter, as researchers have repeatedly shown that location and purchase data can be used to re-identify individuals.
“De-identified data removes explicit identifiers, but still contains multiple personal data elements linked to a single identity, often tied with, say, a number instead of a name. This can still be tied to an individual. This would be another illustration of how companies generally don’t understand what is required to make data truly anonymous,” said Schroeder, the EPIC privacy lawyer.
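To make the two technical points above concrete, the device fingerprinting described under “What information are they collecting?” and in the Temu case study, and Schroeder’s point that de-identified records can still be tied to one individual, here is an added example that is not from The Markup, Temu, or any other company named in this article. It runs a k-anonymity style check over constructed records (every user id, zip prefix, birth year, purchase, and device attribute below is made up) and reports which records a recipient of the “de-identified” data could single out.

```python
# Added example, not from the article: a k-anonymity style check showing why
# "de-identified" purchase records and device-attribute "fingerprints" can still
# single out one person. All records and field names below are constructed.
from collections import Counter

# Constructed purchase log: names replaced by a pseudonymous user_id, but the
# quasi-identifiers (zip prefix, birth year, item bought) are left in place.
DEIDENTIFIED_ORDERS = [
    {"user_id": "u1", "zip3": "021", "birth_year": 1985, "item": "drain plug"},
    {"user_id": "u2", "zip3": "021", "birth_year": 1985, "item": "drain plug"},
    {"user_id": "u3", "zip3": "021", "birth_year": 1990, "item": "drain plug"},
    {"user_id": "u4", "zip3": "100", "birth_year": 1985, "item": "love token"},
    {"user_id": "u5", "zip3": "100", "birth_year": 1985, "item": "drain plug"},
    {"user_id": "u6", "zip3": "100", "birth_year": 1990, "item": "love token"},
]

# Constructed "automatically collected" device signals of the kind a
# fingerprinting script combines: OS, manufacturer and screen resolution.
DEVICE_SIGNALS = [
    {"device": "d1", "os": "Android 13", "vendor": "Samsung", "screen": "1080x2340"},
    {"device": "d2", "os": "Android 13", "vendor": "Samsung", "screen": "1080x2340"},
    {"device": "d3", "os": "Android 13", "vendor": "Samsung", "screen": "1440x3088"},
    {"device": "d4", "os": "iOS 17", "vendor": "Apple", "screen": "1170x2532"},
    {"device": "d5", "os": "iOS 17", "vendor": "Apple", "screen": "1170x2532"},
    {"device": "d6", "os": "Windows 11", "vendor": "Dell", "screen": "2560x1440"},
]

def _key(record, fields):
    return tuple(record[f] for f in fields)

def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(_key(r, fields) for r in records)

def min_k(records, fields):
    """Smallest group size, i.e. the dataset's k-anonymity for these fields;
    k == 1 means at least one record can be singled out."""
    return min(group_sizes(records, fields).values())

def singled_out(records, fields):
    """Records whose combination of the given fields is unique (k == 1)."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[_key(r, fields)] == 1]

if __name__ == "__main__":
    for fields in (["zip3"], ["zip3", "birth_year"], ["zip3", "birth_year", "item"]):
        ids = [r["user_id"] for r in singled_out(DEIDENTIFIED_ORDERS, fields)]
        print(fields, "k =", min_k(DEIDENTIFIED_ORDERS, fields), "singled out:", ids)
    print("device k =", min_k(DEVICE_SIGNALS, ["os", "vendor", "screen"]))
```

The zip prefix alone leaves every record in a group of three, but adding birth year and the item bought singles out four of the six shoppers, and three device attributes are enough to single out two of the six devices even though no name or account id is present. The same check is what a privacy engineer would run before calling a dataset anonymous.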
Temu did not respond to requests for comment.
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.