Privacy Policies Flooding Your Inbox?

This policy applies to all operations of the Service. Our lawyers said so. We may refer to the Company as “we,” “us,” or “our”… because companies have feelings, too. To wit, while we hope you are discouraged from reading this legalese, henceforth you expressly consent to the collection, use, and disclosure of all your personal information, defined as that which defines you. If you’ve ever read a privacy policy (you probably haven’t), it has required a law degree and the focus of an anesthesiologist. But that’s changing—well, sort of.

On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. As a result, companies are updating their data security and privacy rules—often even outside of Europe. Hence the emails you’ve been getting from every app, service or operating system you’ve ever used. In addition to requiring that companies provide greater data controls and transparency, GDPR requires those privacy policies be “concise, easily accessible and easy to understand.” They also need to be written in “clear and plain language.” (Ironically, that’s found on page 11 of the 88-page official document.)

I rounded up 35 privacy policies for the services, apps and operating systems I use on a fairly regular basis. The ones revised to meet the GDPR requirements are, in fact, written in a language humans can understand. But they’re longer. Much longer. Take Twitter. The old version was around 3,800 words. It’s now around 8,890. (By comparison, this column is typically around 1,000 words.) Why longer? GDPR requires companies to detail more about where your data is going. If a service is ad-supported, your data is going lots o’ places. Turns out, explaining these often-shady practices isn’t easy.

Are you going to read policies that stretch the length of a football field? (Seriously, 35 printed policies can score a touchdown—just watch the video.) No, but you can’t continue to be blind to what these companies are doing and keep clicking “accept,” either. So here’s the trade: Read my next 500-or-so words now on how to quickly dissect a privacy policy, and save yourself from reading millions of words in the future. I’ll even show you how to get out of some unnecessarily intrusive stuff without quitting the service altogether.

Privacy policies tend to have a formula:

Part 1: Company tells you what data is collected. This tends to be info you give them, info they collect when you use the service and info from third parties. Facebook even collects “mouse movements.”

Part 2: Company tells you why it needs that data and which other companies may get to access it. Snapchat, for instance, says it will “provide you with an amazing set of products and services that we relentlessly improve.” (Apparently, GDPR doesn’t require humility.)

Part 3: Company tells you what controls—if any—are in place to limit abuse of the data. As LinkedIn helpfully reminds us, “we offer you choices regarding personalised ads, but you cannot opt-out of seeing other ads.”

It has become so boilerplate that robots can read it for you. A tool called Polisis, from data scientists at Switzerland’s Federal Institute of Technology and others, uses machine learning to read the policy and organise what it says into a graphic flow chart, all in under a minute. Hover over different areas to see the original text from the policy in context. I urge you to try it, at least for the big ones like Facebook and Google. You should also open the policies themselves and skim the headlines. Many of the revised policies have bold summaries—some even have videos. Welcome to 2010!

Search the terms

The stuff you’ll want to know is hiding in the crowds of sentences and is just a Ctrl + F away from possibly freaking you out. Experts suggest searching the mass of text for the following keywords:

“Third parties.” How is your data shared with outside developers and marketers? What data is acquired by third parties? About 900 words in, Facebook reveals that it receives “information about your online and offline actions and purchases from third-party data providers.”

“Retain” or “store.” How long is your data retained or stored by the company, and why? It turns out Google keeps most of your stuff for a very long time.

“Children.” Most policies confirm that 13 is the age when children can set up their accounts, but some policies, often from games, make exceptions and give parents more controls.

“Delete.” Can you delete your data and/or take it with you? GDPR’s “the right to be forgotten” regulation requires this to be an option to those in the EU.

Adjust the settings

Maybe you like so-called interest-based ads—search for nail salon, a nail-clipper ad pops up—but maybe you’d change your mind if you realised how much of your information is required to power them. Either way, it’s important to have control over what the company gets to use, so do yourself a favour and search “settings” or “opt-out.” I was quickly able to activate a bunch of new advertising controls LinkedIn has put in place. Some apps that use Google’s advertising platform, including Sonos and Runkeeper, provide links to opt out of the search giant’s massive web-tracking program. Facebook and Instagram vaguely refer to their settings, but don’t tell you how to locate specific controls. It’s like simply directing someone to a cockpit to fly a plane. The real utility of these policies should be to allow us to pull the levers on the data we do or don’t want to share. As we await more and better controls, here’s the TL;DR (too long; didn’t read) version: Read the headlines and search the keywords. Come to think of it, that’s a pretty good way to read this column. Ah, crap.

Credit: Joanna Stern for The Wall Street Journal, 17 May 2018.