Website Privacy Policies Don’t Always Tell the Whole Story

JoeBakal/Shutterstock.com

The agreements of the 50 most popular websites in America are composed of 145,641 words. This is why.

Websites didn’t used to write privacy policies. As late as 1998 only 14 percent of websites disclosed anything about their data-gathering techniques, even as 92 percent collected “great amounts of personal information” about their customers, according to the Federal Trade Comission. But customers and the government soon caught on, and over the next few years the number of sites that disclosed how they use data caught up to the number that collected it. Today you probably couldn’t find a popular site that doesn’t have a privacy policy.

We work with data and research digital rights issues, and we were curious whether most popular websites respect your privacy as much as they claim to. So we gathered up and analyzed the 145,641 words that make up the privacy policies of the 50 most popular American websites. (Collectively, they amount to a text that’s about as long as The Grapes of Wrath .) What we found was that these policies tell you very little about the data these websites have on you. And that’s the point.

Today’s privacy policies don’t tell consumers the whole story for two main reasons. First, websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines. The vaguer and more elastic their language, the more risk reduced. Second, over the past ten years, a new industry of “data brokerage” has arisen to help sites learn more about the people like you and me on the other side of the screen. These firms cross-reference and synthesize data to create richly detailed profiles that can include purchasing habits, political affiliations, sexual orientation, religious beliefs, and medical history. Gathering and analyzing that data is big business, and it creates a strong financial incentive for the firms that collect it to make it as difficult as possible for you to opt out of their net.

* * *

It’s easy to get lost in the opaque language of privacy policies.  LinkedIn says it will only share your information “as reasonably necessary in order to provide our features and functionality to you.” Facebook pronounces, “We may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements.” Tumblr says, “You may access Third Party Services through the Services, for example by clicking on externally-pointing links.” Privacy policies are clearly written for lawyers, not consumers.

It’s not that privacy is so complicated that this is the only way companies can express themselves when it comes to user data. Casey Oppenheim, co-founder of Disconnect , an app that lets you block a website’s third-party data gatherers, says there’s another reason web companies are so cagey about data: “They know that if they tell people every single way they’re collecting information and using it, then most users will share less information, which would mean less money for them.”

So what if you wanted to clarify something you read in a privacy policy, before clicking “Accept?” Most companies list support channels on privacy policies, but when we tried them out we found that some more hospitable than others. Of the 50 sites we examined, ten provided email addresses for dedicated privacy teams. But the other 40 lumped customer’s privacy inquiries in with the rest of their customer feedback. eBay welcomes customers who are concerned about its use of their data to mail a letter to an address in San Jose.

We emailed Paypal about a particular line in their policy: “We do not sell or rent your personal information to third parties for their marketing purposes without your explicit consent.”  We had a simple, but important question: “What do you mean by explicit consent?” After five email exchanges, we were no closer to having a specific answer to our question. We did, however, get many helpful tips about how to set up a Paypal account.

Statements about not selling personal information concerned us because their entire meaning is dependent on the definition of “consent.” The privacy lawyers and consumer rights advocates we talked to told us that in America, a consumer can “consent” to a website’s data sharing policy by failing to proactively “opt-out” of the default settings. You can “consent” simply by using a website. The term “explicit consent” requires an affirmative step on the part of the customer, which generally means ticking a box that says you have read and accepted a website’s terms and conditions. But as John Oliver said on Last Week Tonight , if Apple put the full text of Mein Kampf in its iTunes Terms of Service, we’d all still click “Agree.”

This ambiguity surrounding “consent” becomes disconcerting when one considers what one is “consenting” to, namely widespread data collection by third party companies.

* * *

Here's the thing: It’s not just Facebook and Twitter that are keeping tabs on your activity. Many of the most popular sites enlist “third parties” to gather your data for them. Privacy policies may lack clear descriptions of data collection practices, but almost all mention third parties. When you visit a website like huffingtonpost.com, not only does The Huffington Post collect your data, but 33 other companies do as well, according to the Disconnect app. By law, websites only need to tell you that they interact with these other companies, not what these companies do with your information. Sites don’t even need to tell you which companies they hire. According to their privacy policies, forty eight of the top fifty websites in America use third parties. Only nine say which ones.

Marcus Moretti & Michael Naughton

Oppenheim says that the most popular websites partner with ad and analytics companies to grab data and personalize ads so they don’t have to themselves. “Those companies are tracking you on their site, and they’re tracking you via your IP or your device information, which they log on their own servers, and make sure they know how you behave on the most popular sites across the web,” he said. “And the only thing ESPN has to say in its privacy statement is that they allow other people to look at their aggregate information.”

A few privacy policies stood out to us for the right reasons. The privacy policy at Xvideos—a porn site—is seven sentences long and, like the videos it hosts, lays it all out there. Wikipedia and StackOverflow—since they’re entirely community-supported—don’t need to sell your data or serve you personalized ads. These two sites were also the only ones to acknowledge that your IP address can personally identify you—something the E.U. has recognized since 2008. In the U.S., IP addresses are still not legally considered to be personally identifying information—which means companies can record your computer’s address without it being considered “personal information.”

Taken together, the way America’s most popular websites write their privacy policies makes it almost impossible in practice for people to be fully informed about their Internet use and how their data is collected. “The modern privacy policy is a compliance document,” says Gautam Hans, a fellow at the Center for Democracy & Technology in Washington, D.C. “They’re how companies make sure they comply with the law and don’t run afoul of FTC rules. That’s mostly it.”

It’s not just the quality of these documents; it’s the quantity as well. A 2008 Carnegie Mellon study found that it would take the average Internet user between 181 and 304 hours to read all the privacy policies for the websites she visits each year. Note that you would have to repeat this exercise every year, because most companies update their policies annually.

This is all strategic: If texts are sufficiently long and boring, then customers won’t bother to read or question them. So you might never find out that social widgets—including the ones on the page you’re currently reading—let Facebook, Twitter, and the like watch what you do on the sites that use them.

Or you might never know that Internet companies can use the data they have on you as collateral —if that company is unable to repay a debt, your data is transferred to the lender who can then do whatever she wants with it.

And you might never know that ostensibly impersonal data can, collectively, be reconstructed to identify you personally. Many of the 50 websites we looked at assured users that any information shared with third parties is “anonymized.” But according to Hans, third parties can decipher anonymized data to figure out who it belongs to. “Because anonymization techniques are computing-based, they can ultimately be reversed through more sophisticated computing,” said Hans. “Having a 100 percent success rate of anonymization is not possible.”

Personal information like location data can be de-anonymized with as little as two data points: where you work and where you live, each of which is publicly available. Anonymized Netflix user data can be decoded by comparing it with public IMDB.com data. Specific data on your device can be paired with specific data on your browser version to identify you and your entire browsing history, according to Oppenheim.

* * *

There is a camp of people who don’t care about data collection. If you are a responsible Internet user, they say, you have nothing to fear.

But that camp is shrinking. According to Pew , half of Americans are “worried about the amount of personal information about them that is online.” In 2009, only a third of the population felt that way. As more people learn how much of their personal information is in the hands of strangers with algorithms, they become concerned.  “The ‘I don’t have anything to hide’ argument is on its last legs,” Oppenheim says.

And it’s not just about a stranger knowing intimate details about your life. The prevalence of invisible third parties drastically reduces the speed at which a webpage loads. According to a study by Disconnect , these invisible sites slow down the average page by roughly 27 percent on desktop.

Moreover, that your personal data is held by anyone at all means that your identity is at greater risk of being stolen. 34 million Americans have already experienced identity theft, according to the Bureau of Justice Statistics .

And the future could hold new possibilities of discrimination by data. In the past, banks would “redline” neighborhoods with minority populations and refuse to give loans to these residents. Now some, including the White House , fear that financial institutions or employers might “digitally redline” people based on the profiles they assemble through data collection.

* * *

Moving forward, it’s all about transparency. New measures will have to be honest and place the consumer first. Last fall, data broker Acxiom launched a feature that lets you look yourself up on their servers and, after personal verification, adjust the data they have on you (but not remove it). It was a self-serving gesture of openness that in fact gets the company more accurate and more valuable data, for free. But such measures accomplish nothing in the way of genuine respect for user privacy.

Hans thinks that an entirely new document type is needed—one whose audience would be customers, not lawyers. “Companies should try to create a direct, consumer-friendly, concise document that consumers can see and get information about practices that are most relevant to them in the use of their service,” he says. “These are the things that consumers are most concerned about, and should be told about in a way that’s clearer than the privacy policy currently is.”

Progress will come in the form of plain language privacy policies that make consumers want to read. Until then, users can use apps like Disconnect which offer quick ways to inform yourself about websites’ data-gathering techniques. Other plugins let you block third party cookies, and you can send a “Do Not Track” signal by adjusting your browser’s preferences.  The most popular websites field thousands of items of feedback every day, but some of them do listen. Write them asking for simplified privacy information. And, where possible, choose the service that respects your privacy over the one that doesn’t.

Writing a respectful, readable privacy policy really shouldn’t be that hard, Oppenheim says. “Think about how good Facebook and Google are at presenting complicated things in a simple way. These companies definitely have a way to do this.” They just have to want to.

( Image via JoeBakal / Shutterstock.com )

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.