On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. As a result, companies are updating their data security and privacy rules—often even outside of Europe. Hence the emails you’ve been getting from every app, service or operating system you’ve ever used. In addition to requiring that companies provide greater data controls and transparency, GDPR requires those privacy policies be “concise, easily accessible and easy to understand.” They also need to be written in “clear and plain language.” (Ironically, that’s found on page 11 of the 88-page official document.)
I rounded up 35 privacy policies for the services, apps and operating systems I use on a fairly regular basis. The ones revised to meet the GDPR requirements are, in fact, written in a language humans can understand. But they’re longer. Much longer. Take Twitter. The old version was around 3,800 words. It’s now around 8,890. (By comparison, this column is typically around 1,000 words.) Why longer? GDPR requires companies to detail more about where your data is going. If a service is ad-supported, your data is going lots o’ places. Turns out, explaining these often-shady practices isn’t easy.
Privacy policies tend to have a formula:
Part 1: Company tells you what data is collected. This tends to be info you give them, info they collect when you use the service and info from third parties. Facebook even collects “mouse movements.”
Part 2: Company tells you why it needs that data and which other companies may get to access it. Snapchat, for instance, says it will “provide you with an amazing set of products and services that we relentlessly improve.” (Apparently, GDPR doesn’t require humility.)
Part 3: Company tells you what controls—if any—are in place to limit abuse of the data. As LinkedIn helpfully reminds us, “we offer you choices regarding personalised ads, but you cannot opt-out of seeing other ads.”
It has become so boilerplate that robots can read it for you. A tool called Polisis, from data scientists at Switzerland’s Federal Institute of Technology and others, uses machine learning to read the policy and organise what it says into a graphic flow chart, all in under a minute. Hover over different areas to see the original text from the policy in context. I urge you to try it, at least for the big ones like Facebook and Google. You should also open the policies themselves and skim the headlines. Many of the revised policies have bold summaries—some even have videos. Welcome to 2010!
Search the terms
The stuff you’ll want to know is hiding in the crowds of sentences and is just a Ctrl + F away from possibly freaking you out. Experts suggest searching the mass of text for the following keywords:
“Third parties.” How is your data shared with outside developers and marketers? What data is acquired by third parties? About 900 words in, Facebook reveals that it receives “information about your online and offline actions and purchases from third-party data providers.”
“Retain” or “store.” How long is your data retained or stored by the company, and why? It turns out Google keeps most of your stuff for a very long time.
“Children.” Most policies confirm that 13 is the age when children can set up their accounts, but some policies, often from games, make exceptions and give parents more controls.
“Delete.” Can you delete your data and/or take it with you? GDPR’s “the right to be forgotten” regulation requires this to be an option for those in the EU.
Adjust the settings
Maybe you like so-called interest-based ads—search for nail salon, a nail-clipper ad pops up—but maybe you’d change your mind if you realised how much of your information is required to power them. Either way, it’s important to have control over what the company gets to use, so do yourself a favour and search “settings” or “opt-out.” I was quickly able to activate a bunch of new advertising controls LinkedIn has put in place. Some apps that use Google’s advertising platform, including Sonos and Runkeeper, provide links to opt out of the search giant’s massive web-tracking program. Facebook and Instagram vaguely refer to their settings, but don’t tell you how to locate specific controls. It’s like simply directing someone to a cockpit to fly a plane.
The real utility of these policies should be to allow us to pull the levers on the data we do or don’t want to share. As we await more and better controls, here’s the TL;DR (too long; didn’t read) version: Read the headlines and search the keywords. Come to think of it, that’s a pretty good way to read this column. Ah, crap.
Credit: Joanna Stern for The Wall Street Journal, 17 May 2018.