How to read a privacy policy
What should you look for in a privacy policy? What red flags should you be worried about?
Privacy policies are legal documents that explain how a company gathers and uses your data.
It’s important to read privacy policies – and normal to feel confused while trying. We’re here to help.
Should I be reading privacy policies?
It’s worth it reading privacy policies. These documents tell you about a company’s data practices. When companies misuse your data, it can cause big problems for you, and privacy policies are tools that help you identify the data and privacy risks of using a service. They can also tell you how to get some control over your data.
A really bad privacy policy tells you a lot about a company – and can help you identify companies that aren’t worth doing business with at all.
How to read a privacy policy
Before you can dig into the fine print with our key questions and search terms, you need to locate it.
How to find a privacy policy
Businesses are legally required to post privacy policies, but that doesn’t mean they’re always easy to find. If you can’t find a privacy policy at all, it’s better to move on and find a company that takes your privacy and safety more seriously.
Finding privacy policies on websites
To find the privacy policy of just about any business or a particular website, scroll down to the very bottom of the site’s homepage. Among the small text down there you should see a link that says “privacy policy”, “privacy notice”, “privacy information” or even just the word “privacy”. This is what you’re looking for.
Sometimes a privacy policy may also be linked to in a site’s “About Us” page. And if all else fails, you can try searching the name of the company and the words “privacy policy” online.
Finding app privacy policies
To find an app’s privacy policy, look at the listing inside the app store. There should be a link to the app developer’s privacy policy somewhere in the app description.
Note: If you’re downloading an app from Google or Apple, you’ll notice they’ve both started displaying summaries of app privacy policies. These are nice, but you still want to find the privacy policy. These descriptions are not 100% reliable – the app developers are the ones filling them out – and it’s likely they’re missing details that really matter.
Find a privacy policy in the Apple app store:
Look at the app’s listing and scroll down until you see “App Privacy”. Right above the summary of the app’s data usage, it should have a link to the developer’s privacy policy in small text. That’s what you want.
Find a privacy policy in the Google app store:
Look at the app’s listing and scroll down until you see “Data safety”. Click the arrow or “see more” to look at the summary of the app’s data collection and security practices. Don’t stop there! At the bottom, there should be small text with a link to the developer’s privacy policy. That’s what you want.
Find a privacy policy for an Amazon Alexa Skill:
Finding the privacy policy for an Alexa Skill can be particularly challenging. Not all Skills developers include a link to their privacy policy in the listing itself, which is a terrible practice. Don’t download a Skill that you can’t find a privacy policy for.
To start, look at the Skill’s listing in Amazon’s Alexa Skills store. At the bottom of the Skill’s page, there may be a privacy policy link under “Skill Details”. If it’s not there, read the entirety of the Skill’s description – you may find a link to the privacy policy anywhere in the text, but most commonly it will be towards the end, if it’s offered at all.
If you can’t find it there, and you’re really set on downloading that Skill, do a web search for the Skill’s name and “privacy policy” and see what you can find.
Reading a privacy policy
In an ideal world, you’d sit down and read the entire privacy policy. But these documents are long and hard to read, often on purpose, so at the very least you want to read enough to find the answers to key questions.
Key questions to answer when reading a privacy policy
- What data is the company gathering on me?
- What is it using it for?
- Is it selling or sharing my data with other parties?
Privacy policies usually follow a standard outline. Let’s walk through reading one together.
- What services does the privacy policy cover?
The first few paragraphs of most privacy policies explain what’s covered in the document, and what companies and services the privacy policy applies to.
Make sure it matches your expectations. Companies may have multiple privacy policies for their different products. It’s common for a business that has both a website and an app to have entirely separate privacy policies for the two, or for a large company with multiple divisions or services to have a different privacy policy for each one.You may learn other surprising things in this section, like that one of your favorite websites is owned by a company you’ve never heard of. That’s not necessarily a red flag on its own, but it may indicate your data is getting shared at a larger scale than you realized.
- What information is the company collecting about you?
The next section is really key. It’s typically called something like “your information” or “data we collect about you”. Here you want to see if the company is gathering more data about you than it needs. If you’re ordering food through a delivery app, it makes sense it’d have your address. But if it’s getting access to your entire personal contacts list, that’s unnecessary, and a red flag. Anything that seems weird probably is. There are certain types of data you want to pay special attention to like location data, anything gathered by cameras or microphones, your web browsing history, or certain kinds of device information like your “advertising ID”.Look out for certain tracking technologies, too. Some apps and sites use tools designed to gather way too much data about you, like cookies, web beacons, pixels and software development kits. If the privacy policy talks about using these, that’s almost definitely a red flag.
- How is your data being used?
Typically, the next section of the privacy policy will explain what the company does with your data. It’s likely called something like “how we use your information” or “our data use”. Companies will list a lot of ways they use your data. Some uses are totally legitimate, and others are cause for concern.Legitimate uses include “providing our services” or “responding to your requests”. That’s just using your data to give you what you’re expecting to get. Other generally harmless uses include “improving our services” and “detecting fraud”. You may start getting a little suspicious about services that use your data for “analyzing traffic” and “market research”. These don’t necessarily guarantee your data is being sold and shared, but it’s possible.
The biggest red flag to watch out for is mentions of advertising. If a privacy policy states it uses your data for “personalized”, “targeted”, “behavioral” or “interest-based” advertising, this is a problem. It almost certainly means a lot of other companies are getting access to your data that don’t have your best interests at heart, or very good security measures in place to protect your data once they have it.
- Who else is getting your data?
Next, privacy policies likely have a section called “information sharing”, “how we share your data” or even just “our partners”. This is where they outline the other companies that get your data.Mentions of both selling and sharing your data are generally red flags. Sharing may sound more innocent than selling, but a company “sharing” your data is almost always just a fancy way of saying they sell it.
Companies often give vague classes of entities they share/sell your data with, like “partners”, “affiliates”, “service providers”, “third parties” or “advertisers”. You want a privacy policy to give you a specific list of specific companies that are getting your data. And again, any time advertisers are involved it means your data is a lot less safe and secure.
- What can you do to protect your data?
At the end of privacy policies, companies generally include some nod to your rights or choices. Many will include a way for you to opt out of some amount of data collection and sharing, even if it’s not very comprehensive. Some may refer you to a separate “cookie policy” to exercise your choices regarding cookies. A lot of the same tips given in this guide apply to reading cookie policies, too.
Should I hit “accept” on cookie pop-ups?
What to do if there are red flags in the privacy policy
If a privacy policy is checking a lot of bad boxes on this list, or you see anything that makes you feel uncomfortable, it’s best to move on and find a company or service that takes your safety and security more seriously.
If for some reason you can’t switch, follow whatever steps the policy offers for protecting your information, and contact the company about your concerns. They may be willing to help you ensure you’ve put all your settings to the highest possible protection.
How to skim a privacy policy
Doing a more systematic reading of a privacy policy is always better. But if you’re really short on time, we recommend doing a ctrl+f search for every mention of the word “data” or “information” and reading those sentences. Look for anything that doesn’t make sense to you – data the company doesn’t need, or weird ways they use your information. Search for mentions of “advertising” – this can especially indicate bad news – and look for the word “opt” to find out how you can opt out of data collection.
Topics
Authors
R.J. Cross
Director, Don't Sell My Data Campaign, PIRG
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, consumer debt and predatory auto lending, and has testified before Congress. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder. Though she lives in Boston, she will always consider herself a Kansan at heart.