How to Read and Understand a Privacy Policy

‘We value your privacy! Have some cookies.’

Variations of this message are what websites welcome you with nowadays. After seeing it so many times, you’ve probably developed some banner-blindness to it.

But how often do you check Cookie Policies before clicking Accept? Or dare I ask, do you peruse Privacy Policies?

Sure, they’re dry, lengthy reads. Lawyers maybe write them for lawyers, but they’re packed with juicy details that can help you understand what a company does to protect that privacy of yours they care so much about.

Reading Privacy Policies is not the equivalent of checking out the back of a shampoo bottle in the bathroom. It’s a superpower you need in these challenging cybersecurity times.

So, let me tell you all about the essential details you should pay attention to when in Privacy Policies.

What is a Privacy Policy

A privacy policy is a statement or legal document that discloses some or all the ways a party gathers, uses, discloses, and manages a client’s data. And we all know that companies LOVE your data, and they never miss a chance to grab it.

However, it all changed in Europe on May 25th, 2018. That’s when the General Data Protection Regulation, GDPR for short, came into effect, forcing companies to be transparent about their Privacy Policies. Before they can process your personal information, you now have to give your consent.

A Privacy Policy should give you an idea of what the company does to keep your data safe and away from unauthorized third parties. But some firms won’t provide too many details. This is their precautionary strategy against lawsuits and fines. The vaguer the terms, the smaller the risks.

Privacy Policies should be easy for anyone to understand and not dabble in too many legal terms. But not all companies expect you to be interested in this, so sometimes they might post whatever their legal department sent them.

And if you come across vague phrasings like “may use,” “might share,” “occasionally,” and so on, know it’s because they’re trying to cover all past, present, and future use cases in a few sentences.

However, you need to understand what a “might” means. If a company says it “might share your data with advertisers,” you should know when, why, and how that happens.

Based on GDPR recommendations, companies should avoid ambiguous language, and they’re required to be specific and accurate in their Privacy Policy.

What you can learn from a Privacy Policy

You can typically find a privacy policy on the bottom of a web page or within your app store before download.

While scrolling the privacy policy web page, you should see the following details:

• • • Introduction
    • Collected information
    • Methods of collection
    • Use of cookies, log files and tracking
    • Storage and data security
    • Jurisdiction
    • Children section
    • Legal requests
    • Contact details
    • Right to opt-out of data collection and usage

Let’s take them one by one.

Introduction

Welcome to a short description of the company and maybe their take on data privacy. Something nice and easy before they hit you with all the legalese.

Sometimes, the intro also includes details on how the website works, critical aspects of the Privacy Policy, and maybe even the data the company collects.

Collected information

The section usually mentions if the company collects contact information such as your:

• • • Name
    • Email address
    • Location
    • Phone number
    • IP address
    • Type of device
    • Browser used
    • Operating system
    • Internet Service Provider and more

Ideally, companies should only collect the essential info needed to deliver you a service, but that’s not always the case. Privacy by design isn’t the norm yet, but we’re still rooting for it.

Methods of collection

Here you can learn more about how your information and data is collected. Is it an automated process, or only data from, let’s say, fill-in forms are collected?

This section can also let you know how the collected data is shared with third parties, who they are, and why this is necessary. It could be for anything from processing payments to advertising purposes.

Bear in mind there are only six legal bases for processing your personal information:

 

Under GDPR, companies are required to also inform users of how long they store the collected data.

Use of cookies, log files and tracking

If you’re still reading, and I genuinely hope you are, here you can learn how websites use their own or third-party cookies and their information (like credentials, session info, domain, or more).

You should also find an option to disable cookies.

Check out this example of information about website cookies:

Storage and data security

Now it gets fun.

Here you see who’s the owner you’re entrusting with data they can store in places like data centers, cloud services, or in-house.

In some cases, you might also come across security standards and certifications like the ISO27001 certification. That’s to show you the company has some procedures in place for keeping snoopers away from your info.

You can take this as a sign they don’t just take your data for granted and have jumped through some bureaucratic hoops to secure it.

Company jurisdiction

You always want to know under what jurisdiction a company operates because that tells you a lot about what they’re legally obligated to do to protect you. Or how they’re legally forced to keep tabs on you, depending on local regulations.

For example, if a US-based company collects and stores data from users worldwide, it should point out that data protection laws can differ.

According to US law, local governments, courts, or law enforcement have the authority to request that company access to your data, even if you are a customer from outside the US.

However, regardless of their headquarters, all companies should be GDPR compliant if they have European users.

Children section

Maybe you won’t always come across these details, as they’re optional.

If a company has special conditions about collecting personal information from children without parental consent, they should be clearly stated.

Here is an example:

Legal requests

Yet another juicy section. Aren’t you glad you decided to learn more about Privacy Policies?

If a company collaborates with the authorities, that’s clearly stated in the Privacy Policy.

In most cases, companies say that they disclose your information when required by law enforcement inquiries, subpoenas, or court orders. They may also disclose your information if they consider it necessary to protect or defend the general public or third parties’ rights.

At CyberGhost, for instance, we publish a quarterly Transparency Report detailing the number of legal requests we get. Spoiler alert: we keep no logs and have nothing to pass on.

Contact details

Ever went crazy trying to find the contact details of a company? Who would have guessed you can find them in a Privacy Policy as well?

Websites and apps should have straightforward contact procedures. If you have a query or any problem, a Privacy Policy should give you an email address or a contact form, a physical address, a phone number where you could reach someone.

In this section, you could also find the contact details of the company’s Data Protection Officer. That’s your go-to person when you think the company has failed to comply with local regulations or have any worries about your privacy.

Right to opt-out of data collection and usage

Knowing about your privacy choices, like the ability to opt-out from intrusive data collection, is essential.

For instance, some companies allow users to opt-out of having their information shared with third parties for marketing purposes.

The Privacy Policy can also let you know about what you must do to have your account and data deleted from the company files.

Protect your right to privacy

Well, there you have it. You now know what you can learn from reading a Privacy Policy and why it’s an essential document for you as a company’s client.

I hope this has helped you understand you’re usually giving out a lot more information than you suspect and take this as your cue to do more to protect your privacy.

Begin by setting up a solid cybersecurity routine, get yourself a reliable VPN provider, and be more selective with the services that get to have your data.

 

How about you? Did you ever read Privacy Policies before? How do you decide whether to trust a company or not with your data?

Let me know in the comments below.