TO ACCEPT OR NOT TO ACCEPT? THAT IS THE (PRIVACY) QUESTION

TO ACCEPT OR NOT TO ACCEPT?
THAT IS THE (PRIVACY) QUESTION
Welcome to Privacy Policies 101! This post will be your playful guide to decode the legalese and demystify these lengthy documents. Through this, you can learn how to embrace online privacy, empower yourself to read between the lines and surf the web like a privacy pro!
August 24th, 2023
Has this ever happened to you?

<!–

HAS THIS EVER HAPPENED TO YOU?

–>














What Exactly is a Privacy Policy?
In effect, a privacy policy is a legal document that defines the relationship between a user of any website, application, or program, its developer and any third parties. It determines how and why your data is collected and shared, and the responsibility, obligations and legal duties a company has to secure it. More importantly, it informs you on how you can protect your personal information yourself and the control that you can exercise over that data. It’s important to be aware of how Uber or Snapchat collects, stores, handles, processes, transfers and retains our data, since they know what we look like and exactly where we’re moving about (yes, Uber definitely knows that you went to visit your ex-boyfriend even before you told your best friend). Since we’re more than happy to disclose our deepest darkest secrets to companies, thinking that this will enhance our user experience or optimize my profile, we are actively putting ourselves against the risk of cyber threats, attacks, breaches and, the worst of them all, spam mails.

Based on studies, you’re more willing to give companies your personal data on how much you trust that company, as you may feel that your data is in safer hands in companies that you can rely on.[1] This trust-based relationship is heavily based on and reflected in a company’s privacy policy. So, in the interest of maintaining a transparent relationship with and ensuring trust within their user base, companies maintain privacy policies that can be publicly accessible on their websites/applications.

What do Privacy Policies Usually Contain?
Like stripes on a zebra, all privacy policies are different. They depend on a lot of factors, such as the country you live in, the kind of data the company deals with, what they collect your data for, how they plan on using it, and many other things. A strong privacy policy would usually contain the following things:

  • What data are they collecting on me?

    It describes the types and categories of personal and non-personal data that a company from you, which typically includes your name, contact details, payment information and real-time location. However, if we’re not cautious enough about what companies are putting in their privacy policies, we may be allowing companies to maintain records on our purchasing habits, political affiliations, sexual orientation, religious beliefs, and medical history. No, they’re not obsessed with you, put your main character syndrome aside. All this data is just extremely valuable and companies love to share it around.

  • How can I consent to this collection and am I supposed to be notified?

    Your data can only be collected by obtaining your express, valid and free consent. A privacy policy mentions how exactly you can express that consent, how companies can obtain it and its validity, duration and application. Further, you can only give your consent once you have been served a notice by the company that they want to collect, process, transfer, etc. your data. A policy provides exactly how you’re supposed to be notified, what exactly you should be informed of, and how you can object to the notice and withhold your consent.

  • What purpose are they collecting my data for in the first place?

    A privacy policy explains why the company collects your personal information, what specific purposes and value your data has for the company, whether such collection is legal or legitimate, and exactly how it intends to use it. It’s important to go through this because a lot of applications can extract a lot of your data that they don’t need for their functioning, but to sell it forward to other companies.

    Source : https://www.spotify.com/in-en/legal/privacy-policy/

  • Where and with whom is my data being shared?

    It specifies whether the company shares any of your personal or non-personal information with third parties. This can include any service providers, affiliates, subsidiary/parent companies, marketers/advertisers, or even government bodies. Don’t worry, they won’t tell your parents that you’re planning to get a tattoo this summer, but they’re happy to share this forward to third parties who just might. It also states when, how and why they’ll be sharing and transferring your data outside the company, the process of sharing that data, who would be receiving it, the countries/regions across the world in which they are located. Also, sometimes companies might encrypt or anonymize your data to make it more secure in case of any breach or leak and a privacy policy mentions how companies will protect your security.

    Source : https://www.zomato.com/policies/privacy/

  • What are my rights?

    Yes, you have rights, not all companies are evil. Privacy Policies give you a say on when, how and for what can companies use and process your data. It includes the right to access, correct, or delete the information a company has on you, the right to withhold consent, the right to object to unlawful or illegitimate processing, the right to raise grievances, etc. It also provides the procedure and timelines in place for how these rights can be enforced and exercised.

    Source : https://www.spotify.com/in-en/legal/privacy-policy/

  • Is the company exercising any reasonable security practices to protect my data?

    Privacy Policies also address the steps a company takes to protect your personal information from any threats or risks your data faces, such as unauthorized access, loss, or misuse. This can include details about whether data is to be encrypted, how is it to be safely stored, who can access this data, and the procedure in case of a security breach.

  • What even are cookies and are they tracking my movements online?

    Let’s face it, words like ‘cookies’ are just like ‘gluten’ and ‘metaverse’, none of us really know what they mean. In the simplest way, a cookie is a little piece of data/information about your online movements and habits that web browsers maintain and remember. If a website/application is using cookies to track your online activity, then the privacy policy explains the purpose of such tracking and what your options are for managing or disabling cookies.

    Source : https://help.netflix.com/legal/privacy

  • How long will they retain my data and can I get it deleted?

    Many companies retain your personal data on their servers even after using it for their purposes. As this may cause a serious risk to your privacy, companies create policies on how long they plan on keeping your data and for what purposes. Similarly, it also mentions how they automatically delete your data from their records after using it.

  • If I belong to a vulnerable or minority group, are there any special provisions for me?

    Some people on the internet are at a higher risk of facing cyberattacks, online harassment, scams, etc. than others, such as minors, women, etc. If you belong to any of these groups, then the policy specifies how it’ll differently apply to you and what extra measures the company is taking to protect you. For example, when Club Penguin asked you for your parent/guardian’s permission before you signed up and you completely lied about it.

    Source : https://www.apple.com/legal/privacy/en-ww/

Why should I go through a privacy policy?

You’re right, many times privacy policies are too lengthy, technical and filled with words that sound too complicated. But, they are absolutely essential in informing you of how highly companies regard your privacy and personal data. You need to understand a company’s values, ethics, responsible practices and its commitment to transparency and accountability on data practices, before merrily sharing your data with it. All of this is covered in a privacy policy as it clearly sets the tone of why and how companies want to mine your data.

Reading privacy policies allows you to determine if you’re comfortable with the intended uses of your data and exercise control over your personal information by deciding whether to consent to data collection and processing practices. Think about this: would you ever get into a contract with Joe Biden to speak one sentence coherently and comprehensibly? Would you ever get into a contract with matchmaker Seema Aunty to represent you as your divorce lawyer? Would you ever get into a contract with Queen Elizabeth II to safe-keep your family’s heirlooms? Since you answered no to all three, you understand how important it is to trust someone before you get into a contract with them. Similarly, as privacy policies are in effect a contract, you must go through the entire policy to clearly understand your end of the bargain and what exactly companies want from you. 

You must be aware of the access and control you’re giving away to companies over your intimate and personal information. More often than not, privacy policies also require users to waive their rights, such as your right to raise a claim against the company or sue them for illegitimate processing. For this reason exactly, it’s essential that you read the policies as they contain what type of collection, processing and transfer/sale you can or cannot object to, and to what extent you are waiving your rights.

Further, understanding the breadth of how wide a privacy policy expands is an important tool for you to reclaim your power, control and autonomy over your own personal data. Reaching this consensus also allows you to exercise your agency to deny a company the access or right to certain categories of data you believe are too intrusive, personal or illegitimate. You have a right to control information about yourself that no one else should know, like your sexuality or your menstrual status. Or if you’re a Salman Khan fan. By going through a privacy policy, you can gain insights and an understanding into what data is being collected in order to make informed decisions about sharing your personal information.

Lastly, privacy policies grant its users a set of rights they can enforce, which are, to name a few:

  • Right to Withhold Consent
  • Right to Object to Illegitimate or Unlawful Processing
  • Right to Correction
  • Right to be Forgotten
  • Right to Anonymity
  • Right to Encryption
  • Right to Raise Grievances and Seek Redressal

You can only put these rights into action by users once their application, extent, procedure and duration can be understood through the language of the privacy policy.

Why are companies so open about their privacy policies on their websites/applications?
In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mandates every company that collects, receives, stores or handles any sensitive personal data to publish their privacy policy on their website/application. Under Rule 4, the privacy policy must contain:

  • Clear and easily accessible statements of its practices and policies;
  • Type of personal or sensitive personal data or information collected;
  • Purpose of collection and usage of such information;
  • Disclosure of information including sensitive personal data or information;
  • Reasonable security practices and procedures adopted.

These Rules were notified under Section 43 A of the Information Technology Act, 2000. This Section was repealed by the Digital Personal Data Protection Act of 2023 (‘DPDPA’). This legislation is the first expansive and comprehensive law on data protection and user privacy in India. However, it does not create any mandate on what privacy policies should contain. Hopefully, there will be more guidance when the Rules are notified.

This law is based on several basic and foundational principles of data privacy: such as providing users with a notice of processing their data; obtaining their free, informed, and revocable consent before processing; and granting them several enforceable rights. In addition to this, it provides for who can collect and process your data, how it is to be done, and the exemptions for both. The DPDPA fosters transparency and accountability measures in this process by imposing duties and obligations on companies to collect and process your data in a rightful manner and to ensure that the data they are processing is complete, accurate, and updated. Now, as per the law, companies also play a role in protecting your rights, such as your

  • Right to Access Information about Personal Data;
  • Right to Correction and Erasure of Personal Data;
  • Right to Grievance Redressal; and
  • Right to Nominate.

Despite the fact that this law does not impose an express legal duty on companies to publish their privacy policies, the principles that it touches upon are equally important. They ensure that there is absolute transparency for users, that their consent cannot be fiddled with, and that they are empowered and have more bargaining power in how their data is collected and processed. Through these principles, the law creates a loose framework as to what a privacy policy should contain and acts as a guiding direction for companies.

Along with complying with the DPDPA’s principles and ensuring transparency and trust amongst its users, there are other clear benefits for companies to disclose their privacy policies. Like any well-worded and cleverly written contract, privacy policies also allow companies to escape liability in certain cases. These policies provide protection to companies in case your data is transferred to a third party, from where it is leaked or breached. Loopholes can be created in a privacy policy to help companies defend themselves against legal claims related to data breaches or misuse of personal information. Through this, a privacy policy can help indemnify companies where the only party who suffers the consequences of a data breach or leak are sadly the users (yet again).

Are there any issues with existing privacy policies?

The idea behind a privacy policy is to inform, educate and empower users like us in an understandable and accessible manner. However, most privacy policies are loaded with heavy technical jargon, terminology and legalese that may be absolutely incomprehensible to a layperson. As per studies, 76% of users still feel that they have no understanding of how companies use their data[2]. A big reason for this is that an average privacy policy comprises 2,900[3] words, which sadly none of these companies compress and present in a digestible manner or through a TikTok dance. Further, in 2008, two professors estimated that it would take the average person 76 full workdays to read all of the privacy policies they encounter in a year, with a national opportunity cost of $781 billion.[4]

Even worse, privacy policies can be hollow without any water-tight protection or transparency conditions granted to users.

More often than not, privacy policies can be misleading, or straightforward dishonest, untruthful and concealing. Within the same study, it was discovered that 48 out of 50 companies allowed third parties to source data off of their website, whereas only 9 of these 48 had expressly mentioned this in their privacy policy[5]. And allowing third parties to extract your data from a company’s app/website is pretty material information a user must be informed of. Concealing the full scope of the use of our data, like this, keeps us in the dark with no leverage or bargaining power over our own information.

Several privacy experts worldwide believe that the way privacy policies are drafted is suited more to protect and indemnify companies, rather than informing users (*pretends to be shocked*), as they don’t adopt a consumer-centric approach. The language used in these policies is deliberately kept vague and elastic in order for the companies to avoid liability and risk. In fact, the New York Times even conducted a study on how inaccessible privacy policies are to a layperson, with no technical or legal background. On the basis of the Lexile test, which determines how readable or complex any text is, the majority of the privacy policies studied could only be understood by a person holding a professional degree.[6] Tell that to my 10-year-old cousin who spends 4 hours a day on Fortnite.

Privacy policies are not drafted for a common user, but for a person with sufficient legal and technical knowledge and training to be able to understand what words like “non-personally identifiable attributes” or “performance and functionality cookies” even mean.

Since these policies are not drafted in a manner that is understandable by an average user, it can only mean that they are not meant to serve the average user. In order to understand how we are affected by a privacy policy, we must first think about how we process information online and how interact with cyberspace.

Related Posts