Published on May 21, 2020 by the FairShake Team
But many people are surprisingly unaware of how privacy policies affect how their personal data can be gathered and used. And we’re all guilty of clicking “Accept” without actually reading the policy. Who can blame us? Those policies are long, complex, and present on every app and website we use, which means dozens if not hundreds of policies to read through. Who has time for that? And even if you do have the time, these policies are often impossible to understand, even for people with legal knowledge.
Here’s what we mean: The New York Times read and analyzed over 150 privacy policies for major websites. At the end of its analysis, it called them “an incomprehensible disaster.” And The Atlantic tried to analyze the policies from just the top 50 websites in the U.S. and found that reading them all would mean taking in 145,641 words — about the length of The Grapes of Wrath. It’s no wonder so few people actually read privacy policies, even though they absolutely should.
Understanding the laws around privacy policies can be tough — the internet is global, and privacy is regulated by a varying patchwork of laws from different countries, or even different states. In the U.S., the patchwork of laws that exists doesn’t give you a lot of protection, so it’s on you to read and understand all those different privacy policies — and all the jargon and legalese that comes with them. What’s the average consumer to do?
This guide will teach you what federal laws do exist in the U.S. to protect the privacy of consumers online, where the laws fall short, and how to read and interpret a privacy policy so you know if your personal data is in good hands. And what should you do if a site violates its own privacy policy or doesn’t take care of your personal data? Read on to learn about that, too.
A privacy policy is a legal agreement that explains what kind of personal information websites and apps are collecting from you, how they will use that information, and how they will protect that information. In the context of a privacy policy, “personal information” might include:
There’s also information that’s commonly tracked by cookies when people use the internet. This might include:
Keep in mind, though, that’s not an exhaustive list. Those are just some common pieces of personal information that are collected by certain sites, often without their users’ knowledge.
Various international laws require sites to clearly state their privacy policies where users can find and read them, but the U.S. has no such law. (In fact, only 16 states even require government agencies to establish online privacy policies and procedures.) Luckily for U.S. residents, many American websites follow more comprehensive laws from the EU and other parts of the world, and do display their privacy policies online.
However, every site can write its own privacy policy, so the content of each policy can vary. They also tend to be very long and complex.
For example, here’s just the table of contents for Slack’s privacy policy:
Source: https://slack.com/privacy-policy
In other words, it would be really difficult for the average user to read and understand the privacy policy of every app and website they use, and that’s a big part of the problem with privacy policies.
To start to understand how to protect yourself online, it helps to know what laws exist to protect your privacy in the U.S. Unfortunately, it’s a patchwork of laws, none of which are comprehensive.
Compared to other industrialized parts of the world, the U.S. is lacking in privacy protection. In America, there’s no central, sweeping federal law, like the EU’s General Data Protection Regulation. But there are still American laws that protect your privacy and data, both at the federal and state levels.
When it comes to federal privacy laws in the U.S., they tend to be more specific than broad. That means there are a few important federal laws that handle certain aspects of privacy, but there are still pretty big holes left in federal privacy protection.
Here’s what federal privacy laws do cover.
In the mid-1970s, the most cutting-edge technology of the time was computer databases. People, including lawmakers, were rightly concerned about the information kept in databases, and how the government could potentially misuse the personal information it was storing.
So Congress passed what was, at the time, an innovative and landmark privacy protection law: the U.S. Privacy Act of 1974. It covered U.S. citizens’ rights and set out a lot of restrictions on personal data held by federal government agencies. Some key points of this legislation were:
HIPAA is another well-known, landmark piece of legislation that the U.S. passed in 1996. It regulates much of how the health insurance industry operates, but the two pieces that have the most impact on your privacy are the Security Rule and the Privacy Rule.
Buried in the GLBA, which covers many aspects of banking and financial law, is an important piece of privacy regulation. Basically, the GLBA outlines how banks and financial institutions can collect and share personal information about their customers. The Act defines “nonpublic personal information” as “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”
The problem with the GLBA, though, is that it doesn’t put a lot of restrictions on how banks can share private financial information with “affiliated” companies — consumers aren’t given any legal privacy controls over how their information is shared between different organizations in their bank’s “corporate family,” for example.
In 2000, Congress passed one of the most modern privacy laws the U.S. had ever seen, made just for the internet age. Unfortunately, it only covers children under 13 years old. COPPA prohibits companies from collecting data from children who are 12 and under, unless there’s verifiable parental consent for doing so.
You might have noticed that COPPA is the only one of these federal laws that specifically regulates online data-sharing — and it doesn’t even apply to adults.
The unfortunate truth is that, in the U.S., technology is far, far ahead of the law. The internet is treated like a deregulated territory, and for the most part, companies are on their own to write whatever they want into their privacy policies. Unless they exist in one of the industries that’s federally regulated, they can be as careful with your privacy as they want to be — or not.
Some states are starting to make up for the lack of federal privacy laws that apply to online activity, writing and passing their own regulations. California has definitely taken the lead on this, but some other states are starting to follow. The National Conference of State Legislatures has a good roundup on internet privacy laws that currently exist on the state level, but as you can see below, the protections they offer are truly a patchwork and not at all comprehensive:
One area where the entire U.S. is covered is Unfair and Deceptive Acts and Practices (UDAP) laws. All 50 states have adopted these kinds of laws, which in many cases make it illegal to post false information in online privacy policies. A handful of states (Nebraska, Oregon, and Pennsylvania) have passed laws that expressly forbid making false or misleading statements in an online privacy policy.
The unfortunate short answer is that it’s not easy to protect yourself online where gaps in regulation leave your personal information in the hands of whoever is running the app or website that collects it.
The best thing consumers can do is learn how to understand individual privacy policies, and how to look for red flags that might indicate their data isn’t safe with a site or app.
First, know all the things a good privacy policy should include. At the bare minimum, those are:
There are also some useful keywords you can look out for that might point to red flags in a privacy policy. Look for these words and phrases, as they often refer to some of the most important disclosures:
When reading through a privacy policy (especially a very long one), there are some questions you should keep in mind. If the policy answers all of these questions and you’re satisfied with the way it addresses all these issues, it’s probably a decent policy to accept.
It can also be helpful to lean on existing tools, like Terms of Service; Didn’t Read, which gives privacy policies a rating based on how much protection and choice they offer users. Of course, no tool is perfect, and your best bet at protecting yourself is to read privacy policies yourself, rather than relying on someone else’s analysis.
Because of the lack of laws that directly apply to online privacy in the U.S., it can be difficult to know how to seek recourse if a site or app doesn’t handle your data properly.
In most instances, the Federal Trade Commission (FTC) is the relevant oversight authority for privacy policy violations, and you can submit a complaint to the FTC by filling out an online form. What the FTC will do is use its complaints database to identify trends, determine enforcement priorities, and identify potential targets for investigations. What it won’t do is resolve or mediate your dispute with the organization that violated your privacy.
For that, you have even less recourse. But one possible avenue for consumers is arbitration, which can help resolve disputes between businesses and their customers, but is too often overlooked.
In the absence of comprehensive federal regulations to protect your privacy, keeping your data safe is a fight you might have to take into your own hands. One way to do so is by filing an arbitration claim against the business that violated its privacy policy. Filing an arbitration claim can seem complex and intimidating, but that’s why FairShake is here to help. We’ve automated the start of the arbitration process, meaning we can help get you on the road toward justice. You tell us about your complaint, and we handle the paperwork and guide you through all the legal steps. Ready to get your fair shake? Visit FairShake to see how you can get the justice you deserve today.