According to one study, 97% of users agree to privacy policies. 76% of those do not read the policies at all, while those who do read them spend an average of just 73 seconds doing so. A major reason for this is mental exhaustion; due to the sheer number and length of policies users are bombarded with, they just don't have the capacity to parse the information required.

Thankfully, there is a simple way to combat this. Understanding what privacy policies are, how they are structured, and what to look for allows you to parse them far faster. This can be further improved with the aid of third-party tools. This guide will cover:

  1. What is a privacy policy, and why does it matter?
  2. How do companies structure privacy policies?
  3. What to look for in a privacy policy
  4. Tools to speed up privacy policy analysis
  5. BitLaunch's privacy statement — an example

What a privacy policy is and why it matters

A privacy policy is a legal document explaining how an organization will collect, use, and manage your personal data. Companies are forced to have a privacy policy if they collect user data and want to operate in most countries. Many businesses are reluctant to provide this transparency and, as a result, their policies are long and intentionally obtuse. This is frustrating from a user perspective, as privacy policies are key to understanding what you're giving up in order to use a service.

Invasive privacy practices can include:

  • Collecting and storing your name, address, browsing habits across various sites, health information, biometric information, social security number, phone number, location, and more.
  • Using this information to sell you products via advertising or to tune content algorithms to keep you on the site as long as possible.
  • Sharing this data with third parties, including but not limited to advertisers, health insurance providers, data brokers, AI companies, and law enforcement.

As well as the obvious concerns surrounding data sharing and access, invasive privacy practices are a sign that a company does not respect its customers. If they are so free with sharing your data, do you trust them to properly protect it from attackers?

How do companies structure privacy policies?

The first thing you should understand is that most privacy policies follow a similar pattern:

  1. About this policy/Scope
  2. Information collection/What data is collected
  3. How the data is used
  4. Third-party sharing/disclosure
  5. User rights and controls
  6. Data retention
  7. Data security
  8. Children's privacy
  9. Legal basis for processing
  10. Policy updates
  11. Contact information

Familiarizing yourself with this structure will allow you to find the information relevant to you more quickly.

What to look for in a privacy policy

As privacy policies can often be 7000+ words, the best approach is to look for answers to a few important questions. We recommend you try to answer the following:

  1. Are there any obvious red flags?
  2. What data is the company collecting about me?
  3. How long are they retaining it for?
  4. What are they using the data for?
  5. Who are they sharing my data with?

Look for this information in the privacy policy itself. We do not recommend taking what a company says elsewhere on its website at face value, as it is often misleading or lacking in detail.

1 - Obvious red flags

Most people do not have the time to read the privacy policies of every service they use in-depth, and companies exacerbate this by making their policies needlessly long. If you only have the time to skim-read a policy, it's important to be aware of a few key terms:

  • Personalized or interest-based advertising: This usually means the company will be sharing your data with advertising networks or partners to show you targeted ads. Often, businesses will avoid using the word advertising, so also look out for words like showing content based on your interests and personalized marketing.
  • Such as, included but not limited to, may, for example: This type of vague language is intended to make you feel like a company's practices are less invasive than they are. It usually means the company will collect *at least that much data, potentially more, without notifying you.
  • Trusted partners, affiliates, vendors, third parties, data processors: More vague language. The company is sharing your information with others and does not want to immediately specify who they are. Ask yourself why.
  • Contradictory statements: Privacy policies often start with reassuring language such as "we don't sell your personal data" and then later outline how they may share your data with partners for advertising and marketing purposes. Functionally, this is selling data or very close to it. Cross-check claims like this to ensure a company is not trying to trick you.
  • Long data retention periods: Ask yourself whether the amount of time a business says it will keep your data is justified to run its service. Watch for phrasing such as "We retain data for as long as we deem necessary/indefinitely". This could mean the company keeps your data forever.
  • Legitimate interests: If a company says they "process your data based on our legitimate interests", it can mean they are trying to exploit a loophole in the EU's GDPR. The EU has four lawful bases for processing personal data, and legitimate interest is the most flexible. It can theoretically be used to mean a company can use your data in any way you might expect, including third-party commercial interests and marketing.
  • External data providers: Look out for mentions of the company receiving information about you from "external data providers" or "third party sources", particularly in reference to "enriching profile data" or similar. This typically means they are buying information from data brokers to build a more complete picture of who you are and your history.
  • Highly sensitive information: There are very few instances in which it is justified for a company to collect information such as biometrics/facial recognition, voiceprints, and precise geolocation.

2 - What data is the company collecting about me, and how?

Usually, businesses will have a "Data we collect about you" or "Information we collect" section, which outlines the data they gather about you. This is often split into further categories such as "data you provide to us", "information collected automatically", and "information from other sources". Which of these categories the collection falls under is important, since a company collecting your name from a form is less intrusive than linking your handle to your name via non-public sources.

That said, do not write off data collection just because you provided it. Some companies force you to provide completely unnecessary information to use their service and then sell it for profit.

You should therefore look at each piece of information and make a judgment on whether you deem it reasonable and proportionate for that service. Google Maps collecting your precise location is necessary, but a social media platform? Not so much.

3 - How long is the business retaining my data, and is it reasonable?

This one sounds simple, but it can often be difficult to determine. Organizations may use vague terms such as "as long as necessary" or "for some time after you've closed your account". A good rule of thumb is that if a business does not seem confident about how long they're keeping your data, they're probably keeping it for too long.

The second difficulty comes in knowing how long is too long when it comes to data retention. One year may be a reasonable amount of time to keep some data, but not others. In other cases, retention is justified by use cases such as "improving the product and its stability," which sounds specific but in reality could cover a wide range of use cases.

There are no specific guidelines on how long organizations can store data under legislation such as GDPR. Rather, the rule is that data must be stored for the shortest time possible, with factors such as the reasons for retaining the data, legal obligations, processing time, etc., taken into account.

In an ideal world, a company will promise to keep your data for only as long as is strictly necessary to provide its service and delete it afterward. In the real world, you'll need to make a judgment as to whether you're comfortable with the retention period specified for the purpose specified.

4 - What is my data being used for?

This is perhaps the most important factor for many users. The main question to ask is whether the organization is using the information solely to provide the service or to profit from you. Most companies won't directly admit that they're selling your info, but they'll say things such as "your data may be shared with third parties for interest-based advertising".

In their "How we share your data" section, the business should list third-parties it shares or sells your information to, and usually the what that "partner", "affiliate", or "service provider" uses it for. You should ideally look into the privacy policies of these partners, as they could be passing the information on to their partners, and so on. Realistically, though, most people don't have time to do this. As a general rule, the fewer people your data is being shared with, the better.

It can be helpful to use your browser's search function (Ctrl + F) to find key terms such as "share", "sell", "partners", as they may be spread out. Don't be fooled if a provider states that it does not sell personal information, but later says that it shares your information with business partners for vague purposes. This can mean that they don't benefit monetarily from sharing your data, but get some other benefit.

Also, be aware that when a company states that it shares "anonymized" data — it does not mean it can't be linked back to you. Companies often remove direct identifiers (name, IP address, full address), but not elements such as ZIP code, device, browsing patterns, and fingerprints. One MIT study found that it could re-identify 87% of Americans using just three so-called "anonymized" data points. If the privacy policy is not clear on how the company anonymizes data and which specific data points it shares, it may be worth contacting them for clarity.

5 - Your rights to control your data

Control over your data is an important right that is easy to overlook. Most privacy policies will have a section that explains whether or not you can access, correct, and delete your data, as well as opt out of certain data uses.

These rights may be jurisdiction-dependent. For example, the EU's GDPR and California's CCPA require operating companies to let users view/delete their data and opt out of data sale.

The easier the company makes it to delete your data, the better. Non-privacy respecting companies will often try to frustrate the user and slow down the process by requiring you to manually email them or fill out an excessive number of forms. A good privacy policy will be clear about what the user can delete and will offer convenient ways to do so, such as from an account control panel.

Tools to speed up privacy policy analysis

There are several tools that can help you find the key points of privacy policies faster. They scan privacy policies (typically using AI) and provide a summary or rating. Note that these should be used to complement your own judgement and analysis, rather than replace it, as they may be incorrect or out of date.

Privacy Not Included

This website, created by Firefox creators Mozilla, reviews various products and services for their privacy. These reviews are human-created and therefore likely to be accurate (though they may not always be up to date). They answer all of the key factors we outlined above and usually have direct contact with the service to clarify any unclear points.

The downside of this approach is that Privacy Not Included cannot research every product; there are just too many for humans to manually review. It instead focuses on the most popular products and apps with consumers in North America and Europe. We therefore recommend checking Privacy Not Included first, then moving on to manual analysis and other tools if the service is not covered.

Privacy TLDR

Privacy TLDR uses AI to break down the privacy policies of various popular websites and streaming services. It offers a concise and intuitive breakdown of a site's data sharing, opt-out options, data collection, and collection purposes. Users can also quickly access various policies for manual review and will soon be able to chat with an AI to ask questions about the policy.

As with any AI tool, there is the question of accuracy. LLMs can often hallucinate, take marketing copy at face value, or run out of memory and therefore not process entire documents. We found privacy TLDR to be accurate in the few services we manually compared, but we cannot make guarantees for every service. What is clear, however, is that privacy TLDR is likely better than nothing if you just don't have time to read policies.

Privacy Check

Privacy Check is an extension developed by the University of Texas that scans a privacy policy and uses a traffic light system to try to indicate whether various categories of data are safe. Note that this is far from foolproof. Elements are often marked as "at risk" when they are not mentioned — but this may be because they are not collected at all. For example, if a company says "we do not collect any data on our users", it does not need to explicitly mention payment information or data sharing. It is also often inaccurate. For example, it claims that BitLaunch asks for credit card numbers and home addresses when the privacy statement clearly says, "we accept payments exclusively in cryptocurrency[...]we don't need to process your credit card information or pass anything onto a third party."

That said, Privacy Check can still be useful for more traditional policies and as a way to get to the elements you care about faster. Pressing the icons for each data type sends you a summary and quote from the policy.

BitLaunch's privacy statement — an example

We'll quickly break down BitLaunch's privacy statement as an example of a privacy-respecting service. It is written in plain English and avoids legalese, using clear language such as:

"We don't run a single tracker or keep cookies."
"We only store the data that is absolutely neccessary to keep our service running. We only keep this information for exactly as long as we need it, and we don't share it with anybody else. The data that BitLaunch does store is not personally identifiable, as defined by the EU's landmark GDPR legislation."

Note that the article is able to state what data is collected, what purposes it is used for, and who it is shared with in one paragraph. This is because data collection is so minimal. It also uses qualifiers: what information is deemed personally identifiable is determined by privacy legislation, rather than BitLaunch itself.

The statement is also clear that users can delete their data and indicates that the process is simple.

"BitLaunch also lets its customers destroy their server and/or account at any point. We make this as accessible as possible via a simple switch in your control panel."

Finally — and this is not strictly necessary — it outlines what other steps the company takes to protect users' privacy. For example, allowing connections from Tor IP addresses (which many companies block), only requiring an email address and password for sign up, a proof-of-work login system, and various security mechanisms.

Tired of VPS providers that don't respect your privacy? Sign up for BitLaunch and talk to our support for some free credit.