Privacy Statements: Where Size Matters

When it Comes to Privacy Policies, Size Does Matter.

A couple of weeks ago, I spoke on a panel titled, “The Role of Customer Privacy and Trust in Innovation.” Joining me, the token lawyer, on the panel were a venture capitalist, the editor of a computer security magazine, and a CEO of a high tech start-up. An impressive bunch, but even better, we were giving our presentation in the lecture hall of the Stata Center at MIT, the home of really wicked smart people.

So we have this lecture hall brimming with brainiacs and an A-list panel and the panel moderator asks for a show of hands of everyone who reads the privacy statement on the sites or apps they give their personal information to.

I raised my hand…No one else did…Hmmmm.

After, I asked a twenty-something young woman from the audience why she thought no one reads privacy statements. She said she figured there wasn’t much she could do about it. She wanted to buy this stuff or get that app and the company could pretty much do whatever they liked. Besides, what did she have to protect? Her privacy headed for the hills when she joined Facebook in high school anyway.

Privacy statements don’t have to be a mystery. There are some differences between them that make it worth the read. Let’s take a look at some of those differences.

First off, size matters. As a general rule, the longer it is, the more you’re hosed. If a privacy statement simply said, “We don’t track or collect anything about you,” then you’d know you’re golden from a privacy standpoint. But they don’t. They go on and on and on, starting with a cheerful, “We respect your privacy.”

The typical privacy statement will cover:

- What information the company collects
- How the information is used
- How they secure your information
- Who they can share it with, and
- How you can complain about what they’re doing with your info

What information the company collects:

Companies collect all the stuff you give them and know about: name, address, credit card number, passwords, etc. They also collect a lot of stuff you don’t know about: your IP address, details about your computer, what web site you were just browsing and where you go when you leave the site. Companies can list anything they want just to cover their bases, because a company only gets in trouble over its privacy statement when it says it does something and then doesn’t. This is important, so I’ll say it another way. The FTC goes after companies when they say they do X and Y in their privacy statements but leave out Z. Then the company does Z and has the wrath of the FTC descend upon it.

How the information is used:

This section covers all the mundane uses like processing your order, registering your license and sending you product updates. But it also covers much more interesting uses. Some say they will use your information by combining it with other data to serve you up special ads. So they get a little info from you, combine it with data from a Big Data provider, and voilà, an intimate profile cocktail. Beware of the words “combine” and “personalized content” in privacy statements.

How they secure your information:

Remember when I said the FTC drops the hammer on companies that don’t live up to their privacy statement? Well, this is where it matters the most. Companies say they will use adequate security measures to protect your personal information. But the reality is that there is no security adequate to protect personal information 100% of the time. So when a breach occurs, the FTC tells the company that its privacy statement was essentially false advertising. Score one for privacy advocates.

Who they can share it with:

This is where the floodgates can open. Companies can’t just keep your information to themselves. Sure, there are plenty of benign reasons to share your information, such as with a “trusted vendor” that processes your credit card or the shipping agents so you can get your package. But there are other less appealing folks often listed as well, such as “subsidiaries, partners and affiliates.” If you put the word “marketing” in front of “partners” and “affiliates” the picture becomes clearer.

How you can complain about what they’re doing with your info:

Privacy-oriented companies give you a place to remove your information from marketing databases, modify your personal data, opt out of certain forms of communication, and provide feedback on the privacy statement. Most don’t. This part comes at the very end of the privacy statement, so if you just scroll to the bottom, you can see whether you have a way of getting out of the sharing relationship you’re about to get into.

Congratulations! You are now officially ahead of the pack: more informed and empowered. Now get out there and use this knowledge. The next time you provide your information online, go to the footer of the website and click on the privacy policy. And make sure it’s not the last one you look at.
