Although we may not be conscious of it, nearly every action we take online involves sharing some amount of information with a website or its advertisers. Because of this sharing of information, most sites on the Internet have a lengthy document somewhere on the site, frequently written in legalese that they call a “Privacy Policy.” Despite their name, the focus of most privacy policies is to describe how a website is using your information. While they vary greatly, these policies all generally have three core provisions: what data is collected, what does the site do with the data, and who can the site share the data with.
What Data is Collected?
Because of the way the Internet was designed, every time you visit a website, some information about you is shared with the website. Much of this information is not what most people would consider very personal and includes things like what web browser you use or the operating system on your computer. However, even without you providing any more information, websites can also frequently tell your approximate geographic location or the specific search terms that you used to arrive at the site. Additionally, some websites and more commonly their advertisers can also tell some information about your browsing history including some of the sites you may have visited and your interaction with advertisement.
Along with data that is collected behind the scenes, we also actively share a great deal of information with websites by sharing pictures, posting status updates, or even just running a quick search on a particular term.
Privacy policies typically spell out the general nature of the data a site is collecting; however, they do not always use plain English to do so. Because of this, it is a safe assumption that anytime you provide any information to a website, or even just click on a link on a website, the website is saving that interaction somewhere.
What Do Sites Do with the Data They Collect?
Like any business, most websites use the data they collect to try to improve the customer experience and to provide customer support. Additionally, many privacy policies will also reserve the right to respond to requests from law enforcement either with or without the requirement of a warrant. Some sites’ privacy policies also reserve the right to use the information you provide the site or advertiser to provide context-sensitive advertising based on the information they have collected from you. It is also common to see sites reserve the right in their privacy policy to share the information that you shared either in aggregate or depersonalized form.
Who Does the Site Share Your Data With?
Although we may prefer that websites do not share our data with anyone, the realities of the Internet necessitate some sharing of data. For instance, a completely different entity than the site owner may own and manage the physical server that a website runs on. Both the site owner and the owner of the server may legitimately need access to information that you share with the site in order to function properly or to respond to any customer support inquiries you may have. This is why most privacy policies reserve the right to share your information with the company’s employees and vendors. Similarly, most privacy policies reserve the right to share your information with the site owner’s successors, namely anyone who purchases the company. However, some sites take this a bit further and grant the company the right to share your information with their “Partners”, which could be anyone, and their advertisers. If you are particularly concerned about who will potentially see the data you share with a website, it makes sense to spend a few minutes and review the privacy policy to see who the site reserves the right to share its data with.
Other Important Terms
Along with these core provisions, many privacy policies also dictate how long a company will store your personal information for, and what, if any, right you have to remove it. Privacy policies also commonly contain provisions that allow the site owner to change the policy and what, if any, steps the site owner will take to notify the users that the privacy policy has changed.
How Are Privacy Policies Enforced
The Federal Trade Commission has assumed the role of holding sites accountable for the representations they make in their online privacy policies. The chief mechanism by which they do so is through Section 5 of the Federal Trade Commission Act, which bars deceptive trade practices. Companies of all sizes and notoriety have been targets of enforcement action by the FTC and the civil penalties imposed have been significant in some egregious cases. Despite this, the FTC only brings a limited number of privacy-related enforcement actions a year and is limited in what they can do to foreign companies.
Where Do I Go From Here?
Because there are approximately a billion websites located all throughout the world, consumers cannot depend on the FTC to monitor and enforce each websites’ adherence to their privacy policy. Additionally, the privacy policy of a particular website may grant the site the right to use your data in ways that you disprove. While it is not realistic to read the privacy policy of every site you encounter, consumers and businesses should take the time to read the policies of sites where they will be sharing any information that they consider sensitive and want to restrict the disclosure of the information.
Along with paying attention to privacy policies, consumers and businesses should also be mindful of different websites’ and their owners’ general reputations for protecting privacy. Some technology companies take privacy far more seriously than their competitors do. Depending on the sensitivity of your information, it may be worth eschewing the free service for a paid service with a strong reputation of protecting their users’ privacy.