Those updated privacy policies flooding your inbox, due to Europe's GDPR, are so long that if you print out the ones from 30-some most-used apps, you could span a football field. Really. WSJ's Joanna Stern provides tips on how to tackle the gibberish.
This policy applies to all operations of the Service. Our lawyers said so. We may refer to the Company as “we,” “us,” or “our”... because companies have feelings, too. Thereto whilst we hope you are discouraged from reading this legalese, henceforth you expressly consent to the collection, use, and disclosure of all your personal information, defined as that which defines you.
On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. As a result, companies are updating their data security and privacy rules—often even outside of Europe. Hence the emails you’ve been getting from every app, service or operating system you’ve ever used.
In addition to requiring that companies provide greater data controls and transparency, GDPR requires those privacy policies be “concise, easily accessible and easy to understand.” They also need to be written in “clear and plain language.” (Ironically, that’s found on page 11 of the 88-page official document.)
I rounded up 35 privacy policies for the services, apps and operating systems I use on a fairly regular basis. The ones revised to meet the GDPR requirements are, in fact, written in a language humans can understand. But they’re longer. Much longer.
Take Twitter. The old version was around 3,800 words. It’s now around 8,890. (By comparison, this column is typically around 1,000 words.)
Why longer? GDPR requires companies to detail more about where your data is going. If a service is ad-supported, your data is going lots o’ places. Turns out, explaining these often-shady practices isn’t easy.
Are you really going to read policies that stretch the length of a football field? (Seriously, 35 printed policies can score a touchdown—just watch the video.) No, but you can’t continue to be blind to what these companies are doing and keep clicking “accept,” either.
Privacy policies tend to have a formula:
Part 1: Company tells you what data is collected. This tends to be info you give them, info they collect when you use the service and info from third parties. Facebook even collects “mouse movements.”
Part 2: Company tells you why it needs that data and which other companies may get to access it. Snapchat, for instance, says it will “provide you with an amazing set of products and services that we relentlessly improve.” (Apparently, GDPR doesn’t require humility.)
Part 3: Company tells you what controls—if any—are in place to limit abuse of the data. As LinkedIn helpfully reminds us, “we offer you choices regarding personalized ads, but you cannot opt-out of seeing other ads.”
Polisis, located at pribot.org/polisis, uses machine learning to visualize privacy policies.
It has become so boilerplate that robots can read it for you. A tool called Polisis, from data scientists at Switzerland’s Federal Institute of Technology and others, uses machine learning to read the policy and organize what it says into a graphic flow chart, all in under a minute. Hover over different areas to see the original text from the policy in context. I urge you to try it, at least for the big ones like Facebook and Google.
You should also open the policies themselves and skim the headlines. Many of the revised policies have bold summaries—some even have videos. Welcome to 2010!
The stuff you’ll really want to know is hiding in the crowds of sentences and is just a Ctrl + F away from possibly freaking you out. Experts suggest searching the mass of text for the following keywords:
“Third parties.” How is your data shared with outside developers and marketers? What data is acquired by third parties? About 900 words in, Facebook reveals that it receives “information about your online and offline actions and purchases from third-party data providers.”
“Retain” or “store.” How long is your data retained or stored by the company, and why? Turns out Google keeps most of your stuff for a very long time. But don’t worry, there’s a cheery video explaining how and why—and that section also tells you how to delete a lot of it.
“Children.” Most policies confirm that 13 is the age when children can set up their own accounts, but some policies, often from games, make exceptions and give parents more controls.
“Delete.” Can you delete your data and/or take it with you? GDPR’s “the right to be forgotten” regulation requires this to be an option to those in the EU.
Adjust the settings
Maybe you like so-called interest-based ads—search for nail salon, nail-clipper ad pops up—but maybe you’d change your mind if you realized how much of your information is required to power them. Either way, it’s important to have control over what the company gets to use, so do yourself a favor and search “settings” or “opt-out.”
Companies that use Google’s ad technology direct you to Google’s personalization settings.
I was quickly able to activate a bunch of new advertising controls LinkedIn has put in place. A number of apps that use Google’s advertising platform, including Sonos and Runkeeper, provide links to opt out of the search giant’s massive web-tracking program. Facebook and Instagram vaguely refer to their settings, but don’t tell you how to locate specific controls. It’s like simply directing someone to a cockpit to fly a plane.
The real utility of these policies should be to allow us to pull the levers on the data we do or don’t want to share.
As we await more and better controls, here’s the TL;DR (too long; didn’t read) version: Read the headlines and search the keywords.
Come to think of it, that’s a pretty good way to read this column. Ah, crap.