- The company does not mention privacy in the policy.
- The company does not mention how customers can protect their privacy.
- The company does not mention how customers can contact the company if they have questions about their privacy rights.
- The company does not mention how customers can complain if their privacy is violated.
Shady Data Collection and Sales
The first things to look for are the simplest: If a privacy policy states that the company shares or sells data to third parties, then you know that data isn’t safe. It is, of course, quite rare that it’s admitted to so boldly, and there are plenty of legitimate reasons to share some of your data—like sharing your location with their website host, for example—so it’s no silver bullet. Think of it more like the first rung of a ladder.
The next step is to see what information is collected. If it’s just simple stuff, like your name and email address, there’s usually no problem: This is information that the service needs to create an account, and there’s little to no money in that data. However, as a general rule, the more information sites want from you—and the more exotic that data—the greater the chance that it’s being sold onward.
A lot of data doesn’t really need to be collected. Your phone number, for example: There’s really no reason for anybody to have this besides professional or governmental services. Another is information about your device that can be used to track it. Also known as device fingerprinting, it’s only necessary for specific software. Another big one is your location, which is necessary for map-based apps and nothing else. Then there’s a host of other examples: Most smartphone apps, for instance, don’t need access to your contacts list.
However, the above only counts when companies are being honest about what they’re doing. If they’re not, there are a few other ways to figure out that something fishy is going on.
Typos and Tricky Language
One of the most telling signs that you should look out for with a service is if the privacy policy contains poor use of language. This includes outright errors in spelling and grammar as well as purposely obtuse phrasing.
As a semi-legal document, a privacy policy should be clear. If there are a lot of errors, that means that little care was used in putting it together, and you should be worried. Either the company does not care about you, or it doesn’t care enough to put a decent document together. In either case, there’s a chance that you might be dealing with a fly-by-night outfit, and you should back out.
There are also opposite, ridiculously convoluted privacy policies that are just filled to the brim with legalese. You see tactics like this all the time in rental agreements, employment contracts, and plenty of other day-to-day legal documents, and they exist only to confuse you. If a piece of software or a service that you’re purchasing is trying to overwhelm you with legalese, then they’re probably trying to get the better of you. Don’t let them.
Suspicious Corporate Structure
Another thing to look out for is a weird corporate structure. Although in this day and age, it’s normal for corporations to own other corporations, which in turn own yet more corporations like some kind of Russian nesting dolls, there are some signs that things have taken a turn for the truly weird.
One example is when one of the companies in these chains of ownership is based in a jurisdiction known for secrecy. Examples include the Cayman Islands, the Seychelles, and Gibraltar. If you need secrecy so much that you’re based there, what are you hiding? For example, many VPNs will headquarter in such locales in a bid to avoid warrants for their customers’ data, but there are plenty of companies that don’t have the same need for secrecy also moving out there. It should raise your eyebrows when you see exotic locales like this in company information.
Other signals are when data is handed off to other companies under the umbrella. One example is Avast, which sold user data through a subsidiary named Jumpshot (It was closed soon after the story broke.). While it’s legal to transfer data to subsidiaries, when it’s explicitly mentioned, you might want to do some digging on the company in question to make sure that none of those subsidiaries are in the data-selling game.
Confusing Security and Privacy
Another issue that we’ve come across more than once is that some companies will equate privacy and security: When you look up how the company handles your data, they’ll overwhelm you with jargon and impressive encryption terms like AES or Blowfish. However, this has nothing to do with privacy.
In short, the difference is that security is how well a company protects your data from outside threats, while privacy is all about how a company handles inside threats, or how it treats your data. A service can have the best, most state-of-the-art security on offer, but if they’re selling your data to marketers, it’s still bad news for you.
In short, no matter how much a company talks about how well its infrastructure stands up to simulated attacks or how good its encryption is, you need to focus on how well it treats your data internally. It’s like a magic trick: Always look where the illusionist doesn’t want you to look.
What a Good Privacy Policy Looks Like
However, maybe the best example of all would be a privacy policy that we think is good. For that, we can think of two likely candidates: First off is VPN service Mullvad’s privacy policy, which reads clearly and has a great breakdown of what it collects and why, while another contender is TeamGantt, a project management tool that goes a step further and uses tables to illustrate what is collected and for what purpose.
In the end, though, the best tool that you have at your disposal is your common sense: If a site looks like a cowboy outfit and it wasn’t recommended to you by somebody you trust, don’t sign up for it. Discretion is the better part of valor, after all.