
FlippedBITS: Do Privacy Policies Mean Anything?

Sometimes you want to go where everybody knows your name, IP address, shopping habits, browsing history, birthday, mother’s maiden name, and other personally identifiable information. Other times you don’t use the Internet.

Most of us take it for granted that the Web sites we visit collect massive amounts of data about us behind the scenes. If you aren’t aware of this — or if you are, but wish you could keep more of that information private — I can refer you to a little book I wrote on that topic: “Take Control of Your Online Privacy.”

It’s helpful to have greater awareness of who’s collecting what data about you and why. You can do things like changing browser settings, adding plug-ins, and adjusting your preferences on various sites to discover when they track your actions and to reduce (though not eliminate) the endless flow of private information you send out as you use the Web. I talk about all this in my book.

But what about privacy policies? Nearly every commercial Web site has one, and you often have to agree to such a policy (implicitly or explicitly) when signing up for an account. Privacy policies spell out what data the company collects (particularly personally identifiable information), how it’s used, what protections are in place to safeguard it, and so on. Some people mistakenly think that these policies offer some guarantee of privacy or even legal protection. I’d like to disabuse you of that belief in this installment of FlippedBITS.

Policies vs. Facts — The existence of a privacy policy, along with a prominent link to it on a site’s home page, is sort of like the words “Nutrition Facts” on a food label. The facts could be that a site offers no privacy, or that a food is full of nasty stuff that provides no nutritional benefit. Sites may display a privacy policy because they’re required to by law, or because they think it makes their users feel better.

Sorry to say, but — not to put too fine a point on it — privacy policies by themselves don’t mean diddly-squat.

That’s not to say privacy policies are meaningless, and as I’ll explain in just a moment, I recommend reading them attentively. But don’t mistake a policy for a guarantee.

A policy is just that — a statement about the practices a person or company follows as a general principle. I mean, I have a policy of being honest, but that doesn’t mean I never lie. My library has a policy of charging patrons for overdue books, but sometimes they let it slide. A store has a policy of beating competitors’ prices, but draws the line when someone brings in an ad for a buy-one-get-two-free promotion.

When a company’s lawyers draft a privacy policy, there’s no guarantee that all the other employees are even aware of it, much less that they universally agree to it. And even if they do, that doesn’t prevent lapses, mistakes, attacks by outside hackers, or other issues.

In short, even the best privacy policy, crafted lovingly by People Who Really Care™, and agreed to under oath by every employee, doesn’t actually protect your privacy. The most it can do — and even this is a stretch — is provide you some recourse if the policy should be violated. If you can prove that this happens, maybe someone will be fired or maybe you’ll get financial compensation or whatever. But in the United States, even where the law says a company must have a privacy policy, it doesn’t necessarily mean that the privacy policy is legally binding. And if it were, it would still be like any other law: it would penalize, but not prevent, misbehavior.

What’s In the Fine Print — I’ve made my point, I hope, that you shouldn’t put too much trust in privacy policies. But you should read them!

Privacy policies are often full of boring and inscrutable legalese, although a surprising number of them are written in something many of us would identify as closely resembling English. They typically include the following:

  • What types of information the site collects, under what circumstances, and for what uses. (This may include both general information, such as which browser you’re using, and information that more specifically identifies you as an individual.)

  • Whether and how the information is shared with other entities, such as advertisers.

  • How the site uses cookies.

  • What security measures the site uses to protect your data.

  • How to opt out of data collection.

You should take the time to read these policies — at least for the sites you visit most frequently — for several reasons:

First, although a privacy policy isn’t a guarantee, it does speak to the company’s intentions. A policy that goes out of its way to stress the limited ways a company collects data and the care it takes with it suggests that they take privacy seriously, at least; an absent or loosely worded policy suggests the opposite.

Second, you could discover something disturbing enough to make you stop using the site. Some privacy policies are quite up front about the fact that the sites collect personal data about you and sell it to third parties. Others do little or nothing to safeguard the personal data they collect. If you’re uncomfortable about that, you can take your business elsewhere.

Third, privacy policies should address how sites deal with the data that you provide voluntarily — blog posts, photos, movies, and other content you create or upload. Sites have repurposed users’ content for marketing purposes, or even claimed some form of ownership, copyright, or license over user-contributed content. A privacy policy could alert you to the fact that the site may use your uploaded photos to sell ads or merchandise without compensating you, for example.

Here’s an even better example. Microsoft suspected a former employee of leaking information to a blogger about Windows 8 before it was released. The company looked through the blogger’s Hotmail account, found evidence of the leaked information, and had the employee arrested. As it turns out, Microsoft’s privacy policy for Hotmail explicitly permitted the company to access users’ email in order to protect its rights or property, among other reasons. (In response to the kerfuffle over this incident, Microsoft has altered its
such that suspected thefts of intellectual property are referred to law enforcement rather than Microsoft itself examining email contents.) Gmail and some other Web-based email services allow themselves similar rights — it’s all right there in the privacy policies. Knowing about this sort of thing in advance might lead you to make different choices about how you communicate.

Finally, a privacy policy ought to tell you what options exist if you want a site to stop collecting your data or to remove data it’s already collected. That can guide your choices of privacy settings, or inform your future usage of the site.

Privacy Plus — A privacy policy alone may not be much to hang your hat on, but in combination with other things you can learn about a company or Web site, it can tell you quite a bit. For example, all things being equal, if a site’s revenues come mainly or entirely from ads, the probability of your personal information being misused is higher than on a site supported by subscriptions or by other means.

If you need some guidance when interpreting a site’s privacy policy and practices, try entering its URL at Privacyscore. (There’s no Submit button; if the site appears in a pop-up menu after you enter it, click its name to get its score; if not, the site isn’t in Privacyscore’s database.) Privacyscore offers a score of a site’s privacy that takes into account several factors, such as statements made (or not) in the privacy policy and how many third-party trackers are in use on the site.

I tried a few sites (type two characters into the search field to get a long list of sites to browse) and found some interesting results:

  • Twitter, the Electronic Frontier Foundation, and Wikipedia got perfect scores — 100 out of 100 — which is not to say that they have perfect privacy.

  • Apple, Google, Facebook, and Microsoft all scored in the mid-90s, putting them in the highest (“comfort”) tier.

  • and Bing, each with a score of 85, fell into the middle (“caution”) tier.

  • Yahoo, with a score of only 74, was in the lowest (“concern”) privacy tier, along with WordPress (at 75).

  • Wired got a mere 39 — the lowest of any of the sites I checked.

You’ll have to decide for yourself whether you can live with any site’s privacy policy, with or without the use of software or services that block unwanted data collection. But learning more about what you’re up against can help you to make wiser decisions. For much more on this topic — not just about Web sites and privacy policies but also numerous other ways in which your personal data may be at risk online and what you can do about it — I refer you again to my book “Take Control of Your Online Privacy.”
