How to Quickly Get to the Important Truth Inside Any Privacy Policy
An investigative data journalist and a former tech lawyer teach you how to spot tricks and hidden disclosures within these interminable documents—and even how to claw back some privacy
By: Jon Keegan and Jesse Woo
Privacy policies are horrible. They are too long, impenetrable, and full of legalese that amounts to a take it or leave it offer. But the privacy policy is one of the only places where tech companies have to tell us the truth—the truth about what personal data they are collecting, how they share and profit from that data, and at a deeper level, what sort of trade we’re making when we choose to use their apps or platforms.
They follow a predictable structure, meaning you can learn to navigate them, spotting key sections and passages from a safe skimming height, swooping down only to extract the juiciest morsels of information or to leverage an opportunity to opt out of certain collection (or to opt in to deeper, more personalized disclosure).
We can teach you how to do that. Drawing from our shared experience—Jon as a reporter who has read hundreds of these documents in the course of his reporting, and Jesse, an intern with us who also happens to be an attorney who has helped write dozens of privacy policies himself—we have some tips we want to share with you about what to look out for. We also asked some privacy experts to weigh in and share their advice with our readers.
Below you’ll find a detailed description of what to look out for. We realize it’s a lot to get through, so we’ve placed 👀 emojis next to key concepts. If you want to dig in further, we’ve included plenty of description about each. We also outlined three case studies—on GasBuddy, Epic Games, and Temu—that will give you some further details based on real-world examples.
Here’s what you should pay attention to
A privacy policy can lay out a lot of important information that you cannot find anywhere else. Here’s a breakdown of the most useful details contained in most policies, and how to find them.
What information are they collecting?
👀 Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.
It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.
Location, location, location
In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.
👀 Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”
Why are they collecting this information, and how do they use it?
👀 Look for a title like “How we use your personal information.” This section represents the company’s explanation for why they need your data in the first place. Sometimes it is pretty straightforward. It’s reasonable for an app to need your payment information to process a transaction or to access your location to give you driving directions, for example. But pay close attention when it is less obvious why a particular category of personal data is being collected. For example, why would a recipe app need your location? Also, be on the lookout for vague and overly broad reasons such as “business activities” and “business purposes,” which can hint at sharing you might not be comfortable with. This may be combined with the section describing the information they collect. Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center (EPIC), said to take any examples provided in this section with a big lump of salt. “In many cases, the ‘for example’ will point out a relatively expected or benign use and distract from other more intrusive potential uses. Those other uses wouldn’t violate the Privacy Policy because they never claimed the example was the only use type,” explained Schroeder.
Why sharing to “business partners” is more worrisome than to “service providers”
👀 Look for a section about third parties your data is sold to or otherwise shared with. You might see references to “service providers,” which are usually just the third parties that process data as needed for the app to function. But look out for mentions of “business partners.” Do they combine or enrich your data with information collected from other “partners”? This is a red flag that you are being profiled. If you’re really lucky, you might find a policy that actually identifies some of those partners. (These could be advertising firms, data brokers, or affiliates.) And usually if another partner is listed, policies will inform you that you are also subject to the partners’ privacy policies, which it seems you are expected to read. It’s up to you to decide how far down the rabbit hole you want to go.
Anonymization/aggregation might not be as good as it sounds
Sometimes a company might say that any data it shares has all identifying information removed.
👀 Its privacy policy might use terms like “de-identified” data in addition to “anonymous” or “aggregated” data. This sounds as if it makes information sharing more private, but there has been a great deal of research showing that it is possible and in some cases quite easy to re-identify personal data even after it has been masked or combined. It doesn’t matter if a company anonymizes your data if its “business partners” are just going to undo that work when they get it.
Code words for “ad targeting”
👀 When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.
Learn where your personal data travels
The company may notify you that your data may be shared with companies in other countries. Today in the U.S. there are few federal restrictions on where user data can be stored, unlike under the EU’s GDPR privacy law. This is important because when data is moved to another country, the legal protections for that data may change along with the jurisdiction. This is one reason people have concerns about where TikTok stores data, for example. 👀 Look for “Transfer of Your Personal Data” or similar text to find this section.
Children’s data/COPPA disclosures
👀 Look for references to “COPPA” or the “Children’s Online Privacy Protection Act,” as well as “children” or “ages.” COPPA is a law that is supposed to offer greater protections for children’s data and make sure parents have the chance to consent on behalf of their children. Look for how the company protects the data for children under 13 and what mechanisms it offers for parents to control data collection and sharing for their kids.
Have your data restricted, deleted, or shared with you
👀 Look for phrases like “Your rights” or “Your choices.” These denote an important section that discloses specific things that you have control over. Depending on where you live (and which privacy laws might apply to you), you may be able to request a copy of your data, correct your data, or ask for it to be deleted. You may even have the option to opt out of having your data shared or sold and still be able to use the service.
Why you should pay attention to “Information for California Residents”
👀 One of the first things we look for when we are reading a privacy policy is a section typically labeled as being “for California residents.” Here’s why.
There is currently no general federal consumer privacy law on the books, so the California Consumer Privacy Act (CCPA) is the privacy law that covers the largest number of Americans. If the company is big enough, it’s a sure bet you will see a section specific to this law. Even though the CCPA only applies to California residents, everyone benefits from the transparency that the law compels companies to produce.
👀 Within this section, look for portions that begin with “In the past 12 months,” as in, “In the past 12 months, we have collected the following categories of personal information, as described in the CCPA.” This particular “in the past 12 months” disclosure is really one of the clearest pieces of documentation about what a company is actually doing.
Even better, right after that you will usually find “In the past 12 months, we have disclosed personal information to the following categories of recipients.” This section might be the closest you can get to a company’s admitting that it is sharing your data to third parties for targeted advertising, data enrichment, or other uses.
The CCPA also gives California residents the right to delete their data and the right to opt out of data sales or data sharing. When the updated California Privacy Rights Act (CPRA) fully takes effect (which it is scheduled to do on March 29, 2024), these rights will grow to include the right to correct one’s data.
For California residents, another powerful right that the CCPA provides is the right to access their data. Depending on the company, occasionally non-California residents can successfully request their data, so everyone should consider making a request anyway. Just keep in mind the data request process varies greatly from company to company and can include several steps.
👀 You also may encounter what looks to be an ironclad, clearly worded promise: “We do not sell your data.” But this promise needs some unpacking. This phrase is directly related to how the CCPA defines “selling” data. And you may see the companies complaining about it in the words surrounding this phrase, as online marketplace Temu does in its privacy policy:
Schroeder noted that Temu “has three sentences complaining about how the CCPA defines sale and two about how to actually opt out. That ratio is not great.”
Case Study No. 1: GasBuddy
GasBuddy is an app that lets users find the cheapest gas near them. To do this, the app needs access to their location to power a localized map. It shares this information with data brokers Foursquare and Allstate’s Arity, according to GasBuddy’s privacy policy. Those companies, in turn, are allowed to share the data on to others, making the GasBuddy privacy policy an example of how broadly your data can be granted to third parties.
The policy details this sharing under SHARING OF INFORMATION WITH THIRD PARTIES > Business Partners:
Note that this section allows the company to share your location with its “partners” (it lists Foursquare and Arity as partners elsewhere in the policy). But GasBuddy also informs you that these partners are free to share it with their partners, who are not named in this document or in Foursquare’s and Arity’s privacy policies (which GasBuddy does helpfully link to).
Foursquare’s website lists dozens of “partners” including massive data, advertising, and consumer brands such as Amazon Web Services, Oracle, The Trade Desk, MediaMath, Adobe, LiveRamp, Neustar, Procter & Gamble, Google, Microsoft, Tencent, TikTok, Roku, Snapchat, Twitter, Spotify, Hulu, and Uber. It is not clear how much of your data is shared with these partners when you look for the cheapest gas near you.
GasBuddy and Foursquare did not respond to requests for comment.
Case Study No. 2: Epic Games
Epic is a video game developer and publisher that owns popular franchises as well as important tools and platforms in the industry. The company collects a lot of data to run its games and services, which are popular among kids, particularly the multiplayer online game Fortnite. Epic’s privacy policy is notable for the ways in which it offers special protections for young users (if they proactively ask for them) and for how it specifically denies that Epic’s services and games like Fortnite are in any way directed at them.
The younger part of Fortnite’s audience opens Epic to liability under COPPA, the federal law that protects the privacy of children under (but not including) 13 years of age.
Under Epic’s privacy policy, those between the ages of 13 and 18 can ask Epic to delete or anonymize some of their data by sending Epic an email.
COPPA also requires that, for users under 13, Epic must limit how long it holds personal data to only what is necessary for its original purpose and obtain parental consent before collecting or disclosing it. One thing parents or guardians can do if they have children under 13 who interact with Epic products is check to make sure their kids have accurately reported their age to the platform. This will ensure that COPPA’s protections kick in and they will have the benefit of Epic’s additional parental controls to add an extra layer of safety for children.
Epic’s privacy policy indicates that the company may assume its users are 13 or older by default, specifically saying that it does not direct its services at young children. This disclaimer is there because under COPPA, when a company either targets their services at children under 13 or has actual knowledge that such a child is using their service, there are additional protections for that child’s data.
Epic spokesperson Jake Jones told The Markup in an email that Fortnite is rated “Teen” and is directed at an older teen- and college-aged audience. “We have implemented high privacy default settings for players under the age of 18,” Jones wrote. “Chat defaults to ‘Nobody,’ profile details default to hidden, parties default to ‘Invite Only,’ and personalized recommendations are defaulted Off.” These changes (and a record-breaking fine) were part of a settlement Epic reached with the FTC last year over allegations they violated children’s privacy and tricked users into making unwanted purchases using techniques called “dark patterns.”
The company has also introduced “cabined accounts” for users under 13 that require parents to opt in for certain features.
When asked why Epic doesn’t anonymize children’s data by default, instead requiring them to send an email specifically asking for this, Jones said, “... some non-anonymized data is needed to provide our services and meet player expectations” and that the process of anonymization “can be quite disruptive to the core game experience for users who didn't specifically request that it be performed.”
Case Study No. 3: Temu
Online marketplace Temu is the number one free app on the iOS and Google app stores as of this writing. Temu is owned by Chinese e-commerce company Pinduoduo (through PDD Holdings). The current version of its site has removed all references to Pinduoduo and instead describes itself as WhaleCo Inc., a Boston-based company.
The popular e-commerce site is known for its insanely low prices, with dozens of items on its homepage listed below $5, with most being under $10. Shoppers can get a silicone drain plug for 99 cents or a “Pocket hug love token” for 89 cents.
Temu’s privacy policy is interesting for the subtle, indirect ways it may allow you to be tracked.
For example, when reading through the section that describes what information the company collects from you, notice the “automatic data collection” section. This lists information about your mobile device or computer that is available to the company without your explicit consent.
What may be happening here is device fingerprinting. All of those signals taken together are unique enough to identify your device. This is a common approach companies have taken to get around ad blockers and other privacy-protecting technologies.
While laying claim to a very broad use of your data—note the phrases “improve our service” or “business purposes”—Temu says it anonymizes your data without giving details:
The details of how Temu transforms “personal information into anonymous data” really matter, as researchers have repeatedly shown that location and purchase data can be used to re-identify individuals.
“De-identified data removes explicit identifiers, but still contains multiple personal data elements linked to a single identity, often tied with, say, a number instead of a name. This can still be tied to an individual. This would be another illustration of how companies generally don’t understand what is required to make data truly anonymous,” said Schroeder, the EPIC privacy lawyer.
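The linkage problem Schroeder and the research above describe, shown on constructed data as an added example (not code from the article, Temu, or EPIC): a "de-identified" export with names stripped is still joinable to a named dataset on ZIP, birth year and sex; a k-anonymity check exposes that, and coarsening those fields is one mitigation. All records, field names and functions here are assumptions made up for the illustration.

```python
# Added example (not from the article): why "de-identified" is not "anonymous".
# Names are stripped but quasi-identifiers (ZIP, birth year, sex) stay, so a
# partner holding a named dataset can join the records back to people. The
# k-anonymity check is what a data team should run before calling data anonymous.
from collections import Counter

QUASI = ("zip", "birth_year", "sex")

# Constructed "de-identified" purchase export: names removed, quasi-identifiers kept.
DEIDENTIFIED = [
    {"uid": 1, "zip": "02134", "birth_year": 1984, "sex": "F", "item": "drain plug"},
    {"uid": 2, "zip": "02134", "birth_year": 1984, "sex": "M", "item": "phone case"},
    {"uid": 3, "zip": "02135", "birth_year": 1988, "sex": "F", "item": "charger"},
    {"uid": 4, "zip": "02135", "birth_year": 1983, "sex": "M", "item": "lamp"},
    {"uid": 5, "zip": "90210", "birth_year": 1975, "sex": "M", "item": "socks"},
    {"uid": 6, "zip": "90212", "birth_year": 1979, "sex": "M", "item": "mug"},
]
# Constructed named dataset a partner might already hold (voter file, broker data).
PUBLIC = [
    {"name": "Alice", "zip": "02134", "birth_year": 1984, "sex": "F"},
    {"name": "Bob",   "zip": "02134", "birth_year": 1984, "sex": "M"},
    {"name": "Carol", "zip": "02135", "birth_year": 1988, "sex": "F"},
    {"name": "Dana",  "zip": "02135", "birth_year": 1983, "sex": "M"},
    {"name": "Eve",   "zip": "90210", "birth_year": 1975, "sex": "M"},
    {"name": "Fay",   "zip": "90212", "birth_year": 1979, "sex": "M"},
]

def key(rec):
    return tuple(rec[q] for q in QUASI)

def k_anonymity(records):
    """Size of the smallest group sharing the same quasi-identifiers (k=1: someone is unique)."""
    return min(Counter(key(r) for r in records).values())

def uniquely_linkable(deidentified, public):
    """uids whose quasi-identifiers match exactly one named record: the masking failed."""
    index = {}
    for p in public:
        index.setdefault(key(p), []).append(p["name"])
    return sorted(r["uid"] for r in deidentified if len(index.get(key(r), [])) == 1)

def generalize(records, zip_digits=3, year_bucket=10):
    """Mitigation: coarsen ZIP to a prefix and birth year to a decade so groups grow."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = r["birth_year"] // year_bucket * year_bucket
        out.append(g)
    return out

if __name__ == "__main__":
    print("k =", k_anonymity(DEIDENTIFIED))                          # 1
    print("linkable uids:", uniquely_linkable(DEIDENTIFIED, PUBLIC))  # [1, 2, 3, 4, 5, 6]
    coarse = generalize(DEIDENTIFIED)
    print("k after generalization =", k_anonymity(coarse))           # 2
    print("linkable after:", uniquely_linkable(coarse, generalize(PUBLIC)))  # []
```

On this toy data every "de-identified" record is unique on the three retained fields, so each one links to exactly one name; only after generalization does every record share its quasi-identifiers with at least one other.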
Temu’s privacy policy was updated on July 27, 2023, to add “Please note that we do not allow our third-party advertising partners to collect your personal information for advertising purposes from the Temu mobile application for iOS devices.” A similar note was added to the section related to interest-based advertisements.
Temu did not respond to requests for comment.
Now you have a few things to look for when you are about to sign up for a new service. When you’re in that situation, it’s worth taking a few moments to scan through the service’s privacy policy. Now that you know how they are structured, they should be less intimidating when you see a new one.
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.