Privacy policies are legal documents that explain how a company gathers and uses your data.
It’s important to read privacy policies – and normal to feel confused while trying. We’re here to help.
Should I be reading privacy policies?
It’s worth reading privacy policies. These documents tell you about a company’s data practices. When companies misuse your data, it can cause big problems for you, and privacy policies are tools that help you identify the data and privacy risks of using a service. They can also tell you how to get some control over your data.
Before you can dig into the fine print with our key questions and search terms, you need to locate it.
Finding privacy policies on websites
Finding app privacy policies
- What data is the company gathering on me?
- What is it using it for?
- Is it selling or sharing my data with other parties?
Privacy policies usually follow a standard outline. Let’s walk through reading one together.
You may learn other surprising things in this section, like that one of your favorite websites is owned by a company you’ve never heard of. That’s not necessarily a red flag on its own, but it may indicate your data is getting shared at a larger scale than you realized.
- What information is the company collecting about you?
The next section is really key. It’s typically called something like “your information” or “data we collect about you”. Here you want to see if the company is gathering more data about you than it needs. If you’re ordering food through a delivery app, it makes sense that it would have your address. But if it’s getting access to your entire personal contacts list, that’s unnecessary, and a red flag. Anything that seems weird probably is. There are certain types of data you want to pay special attention to, like location data, anything gathered by cameras or microphones, your web browsing history, or certain kinds of device information like your “advertising ID”.
- How is your data being used?
Legitimate uses include “providing our services” or “responding to your requests”. That’s just using your data to give you what you’re expecting to get. Other generally harmless uses include “improving our services” and “detecting fraud”. You may start getting a little suspicious about services that use your data for “analyzing traffic” and “market research”. These don’t necessarily guarantee your data is being sold and shared, but it’s possible.
- Who else is getting your data?
Next, privacy policies likely have a section called “information sharing”, “how we share your data” or even just “our partners”. This is where they outline the other companies that get your data.
Mentions of both selling and sharing your data are generally red flags. Sharing may sound more innocent than selling, but a company “sharing” your data is almost always just a fancy way of saying they sell it.
- What can you do to protect your data?
Should I hit “accept” on cookie pop-ups?
If for some reason you can’t switch, follow whatever steps the policy offers for protecting your information, and contact the company about your concerns. They may be willing to help you ensure you’ve put all your settings to the highest possible protection.
Director, Don't Sell My Data Campaign, PIRG; Policy Analyst, Frontier Group
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.