‘We value your privacy! Have some cookies.’
Variations of this message are what websites welcome you with nowadays. After seeing it so many times, you’ve probably developed some banner-blindness to it.
But how often do you check Cookie Policies before clicking Accept? Or dare I ask, do you peruse Privacy Policies?
Sure, they’re dry, lengthy reads. Lawyers maybe write them for lawyers, but they’re packed with juicy details that can help you understand what a company does to protect that privacy of yours they care so much about.
Reading Privacy Policies is not the equivalent of checking out the back of a shampoo bottle in the bathroom. It’s a superpower you need in these challenging cybersecurity times.
So, let me tell you all about the essential details you should pay attention to when reading Privacy Policies.
In Europe, a lot changed on May 25th, 2018. That’s when the General Data Protection Regulation, GDPR for short, came into effect, forcing companies to be transparent about how they process your personal data. They now need a valid legal basis before processing it, and your consent is one of those bases, which is why you see so many consent banners.
Privacy Policies should be easy for anyone to understand and not dabble in too many legal terms. But not all companies expect you to be interested in this, so sometimes they might post whatever their legal department sent them.
And if you come across vague phrasings like “may use,” “might share,” “occasionally,” and so on, know it’s because they’re trying to cover all past, present, and future use cases in a few sentences.
However, you need to understand what a “might” means. If a company says it “might share your data with advertisers,” you should know when, why, and how that happens.
- Collected information
- Methods of collection
- Storage and data security
- Children section
- Legal requests
- Contact details
- Right to opt-out of data collection and usage
Let’s take them one by one.
Welcome to a short description of the company and maybe their take on data privacy. Something nice and easy before they hit you with all the legalese.
Collected information
The section usually mentions whether the company collects personal and technical information such as your:
- Email address
- Phone number
- IP address
- Type of device
- Browser used
- Operating system
- Internet Service Provider, and more
Ideally, companies should only collect the essential info needed to deliver you a service, but that’s not always the case. Privacy by design isn’t the norm yet, but we’re still rooting for it.
Methods of collection
Here you can learn more about how your information and data are collected. Is it an automated process (tracking in the background), or is only the data you type into forms collected?
This section can also let you know how the collected data is shared with third parties, who they are, and why this is necessary. It could be for anything from processing payments to advertising purposes.
Bear in mind there are only six legal bases for processing your personal information under GDPR (Article 6):
- Your consent
- Performance of a contract with you
- A legal obligation the company must comply with
- Protecting your vital interests (or someone else’s)
- A task carried out in the public interest or under official authority
- The company’s legitimate interests, as long as they don’t override your rights
If a policy relies on “legitimate interests” for something like advertising, that’s worth a second look, because it means they didn’t ask you first.
Under GDPR, companies are also required to inform users of how long they store the collected data, or at least the criteria they use to decide the retention period.
If you’re still reading, and I genuinely hope you are, here you can learn how websites use their own (first-party) or third-party cookies and what those cookies hold, like session identifiers, login state, preferences, or tracking IDs.
You should also find an option to refuse non-essential cookies, such as analytics and advertising ones. Strictly necessary cookies (the ones that keep you logged in, for instance) don’t require your consent, but everything else does.
Check out this example of information about website cookies:
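Since a Cookie Policy describes what a site says it does, it helps to compare that with what the site actually sets. The script below is an added example for this post, not code from the original page; the `Set-Cookie` headers, the visited host `www.example.com`, the tracker host `ads.tracker-network.net`, and the “declared in the policy” list are all constructed for illustration. It classifies each cookie as first- or third-party (by comparing the registrable domain of the response that set it to the site you visited), works out how long it persists, and flags cookies the policy never mentions or that carry session data without `Secure`, `HttpOnly`, or `SameSite`. The registrable-domain helper is a simplifying assumption (last two labels); a real audit should use a Public Suffix List library.

```python
"""Audit Set-Cookie headers against what a Cookie Policy claims.

Added example; all inputs are constructed. Feed it the headers from your
browser's network tab or `curl -i` to compare a site's real behaviour
with its Cookie Policy.
"""
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400
FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

# Constructed sample: (host that sent the response, Set-Cookie header value)
SITE_HOST = "www.example.com"
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.123; Max-Age=63072000; Path=/; Domain=.example.com"),
    ("ads.tracker-network.net", "uid=9f8e7d; Max-Age=31536000; Secure; SameSite=None"),
]
# Constructed: what the hypothetical Cookie Policy says it sets.
DECLARED_COOKIES = {"sessionid": "strictly necessary", "_ga": "analytics"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example only;
    use a Public Suffix List library for real audits."""
    labels = host.lower().lstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_cookies(site_host: str, responses, declared: dict) -> list:
    """Return one finding per cookie: party, lifetime and policy/attribute issues."""
    report = []
    for response_host, header in responses:
        cookie = parse_set_cookie(header)
        # Third-party: set by a response from a different registrable domain.
        third_party = registrable_domain(response_host) != registrable_domain(site_host)
        max_age = cookie.attrs.get("max-age")
        lifetime_days = int(max_age) // SECONDS_PER_DAY if max_age else None
        persistent = max_age is not None or "expires" in cookie.attrs
        issues = []
        if cookie.name not in declared:
            issues.append("undeclared in policy")
        for flag, display in FLAG_NAMES.items():
            if flag not in cookie.attrs:
                issues.append(f"no {display}")
        report.append({
            "name": cookie.name,
            "set_by": response_host,
            "third_party": third_party,
            "persistent": persistent,
            "lifetime_days": lifetime_days,
            "category": declared.get(cookie.name, "undeclared"),
            "issues": issues,
        })
    return report


if __name__ == "__main__":
    for finding in audit_cookies(SITE_HOST, SAMPLE_RESPONSES, DECLARED_COOKIES):
        party = "third-party" if finding["third_party"] else "first-party"
        life = f"{finding['lifetime_days']} days" if finding["persistent"] else "session"
        print(f"{finding['name']:<10} {party:<12} {life:<10} {finding['category']:<20} "
              f"{', '.join(finding['issues']) or 'ok'}")
```

In the constructed sample, the tracker cookie is both third-party and absent from the policy, which is exactly the kind of gap between “we might share data with partners” and reality that the policy text alone won’t reveal.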
Storage and data security
Now it gets fun.
Here you see who you’re entrusting your data to and where they store it: data centers, cloud services, or in-house.
In some cases, you might also come across security standards and certifications like ISO/IEC 27001. That certification means the company runs an audited information security management system, with documented procedures for keeping snoopers away from your info.
You can take this as a sign they don’t just take your data for granted and have jumped through some bureaucratic hoops to secure it.
You always want to know under what jurisdiction a company operates because that tells you a lot about what they’re legally obligated to do to protect you. Or how they’re legally forced to keep tabs on you, depending on local regulations.
For example, if a US-based company collects and stores data from users worldwide, it should point out that data protection laws can differ.
Under US law, government agencies, courts, and law enforcement can compel that company to hand over your data, even if you are a customer from outside the US.
However, regardless of where their headquarters are, all companies must comply with GDPR if they offer goods or services to people in the EU or monitor their behavior.
Children section
You won’t always come across this section, as it only applies to services that children might use.
If a company has special conditions about collecting personal information from children, such as the age below which it requires parental consent, they should be clearly stated. GDPR sets that threshold at 16, though member states may lower it to 13.
Here is an example:
Legal requests
Yet another juicy section. Aren’t you glad you decided to learn more about Privacy Policies?
In most cases, companies say that they disclose your information when required by law enforcement inquiries, subpoenas, or court orders. They may also disclose your information if they consider it necessary to protect or defend the general public or third parties’ rights.
Contact details
In this section, you could also find the contact details of the company’s Data Protection Officer. That’s your go-to person when you want to exercise your rights (access, correction, deletion), think the company has failed to comply with local regulations, or have any worries about your privacy.
Right to opt-out of data collection and usage
Knowing about your privacy choices, like the ability to opt-out from intrusive data collection, is essential.
For instance, some companies allow users to opt-out of having their information shared with third parties for marketing purposes.
Protect your right to privacy
I hope this has helped you understand you’re usually giving out a lot more information than you suspect and take this as your cue to do more to protect your privacy.
How about you? Did you ever read Privacy Policies before? How do you decide whether to trust a company or not with your data?
Let me know in the comments below.