No One Reads Privacy Policies. Here’s Why You Should

Published on May 21, 2020 by the FairShake Team

A Comprehensive Guide to Consumer Rights On the Internet

Anyone who uses a smartphone, tablet, or the internet is familiar with these two words: “Privacy Policy.”

But many people are surprisingly unaware of how privacy policies affect how their personal data can be gathered and used. And we’re all guilty of clicking “Accept” without actually reading the policy. Who can blame us? Those policies are long, complex, and present on every app and website we use, which means dozens if not hundreds of policies to read through. Who has time for that? And even if you do have the time, these policies are often impossible to understand, even for people with legal knowledge.

Here’s what we mean: The New York Times read and analyzed over 150 privacy policies for major websites. At the end of its analysis, it called them “an incomprehensible disaster.” And The Atlantic tried to analyze the policies from just the top 50 websites in the U.S. and found that reading them all would mean taking in 145,641 words — about the length of The Grapes of Wrath. It’s no wonder so few people actually read privacy policies, even though they absolutely should.

The fact is that, when you use the internet, sites and companies will collect data about you. And when it comes to protecting your privacy and controlling how data is collected and shared? Unfortunately, that’s really hard to do.


Understanding the laws around privacy policies can be tough — the internet is global, and privacy is regulated by a varying patchwork of laws from different countries, or even different states. In the U.S., the patchwork of laws that exists doesn’t give you a lot of protection, so it’s on you to read and understand all those different privacy policies — and all the jargon and legalese that comes with them. What’s the average consumer to do?

This guide will teach you what federal laws do exist in the U.S. to protect the privacy of consumers online, where the laws fall short, and how to read and interpret a privacy policy so you know if your personal data is in good hands. And what should you do if a site violates its own privacy policy or doesn’t take care of your personal data? Read on to learn about that, too.

What Is a Privacy Policy?

A privacy policy is a legal document that explains what kind of personal information a website or app collects from you, how it will use that information, and how it will protect it. In the context of a privacy policy, "personal information" might include:

  • Your name
  • Your date of birth
  • Your email address
  • Your billing and shipping addresses
  • Your phone number
  • Your banking details
  • Your Social Security number

There is also behavioral information commonly collected through cookies and similar tracking identifiers when people use the internet. This might include:

  • Search queries
  • Purchases
  • What devices you use
  • Where you’re located
  • How many times you’ve seen a particular ad, and when and where
  • What links you’ve clicked

Keep in mind, though, that’s not an exhaustive list. Those are just some common pieces of personal information that are collected by certain sites, often without their users’ knowledge.

Various international laws (the EU's GDPR among them) require sites to state their privacy policies clearly, somewhere users can find and read them, but the U.S. has no such federal law. (In fact, only 16 states even require government agencies to establish online privacy policies and procedures.) U.S. residents benefit indirectly: many American websites also serve users in the EU and elsewhere, so they follow those stricter laws and display their privacy policies online for everyone.

However, every site can write its own privacy policy, so the content of each policy can vary. They also tend to be very long and complex.

For example, Slack's privacy policy (https://slack.com/privacy-policy) is long enough to need a table of contents of its own.

In other words, it would be very difficult for the average user to read and understand the privacy policy of every app and website they use, and that is a big part of the problem with privacy policies.

To start to understand how to protect yourself online, it helps to know what laws exist to protect your privacy in the U.S. Unfortunately, it’s a patchwork of laws, none of which are comprehensive.

Federal Privacy Laws in the U.S.

Compared to other industrialized parts of the world, the U.S. is lacking in privacy protection. In America, there’s no central, sweeping federal law, like the EU’s General Data Protection Regulation. But there are still American laws that protect your privacy and data, both at the federal and state levels.

When it comes to federal privacy laws in the U.S., they tend to be more specific than broad. That means there are a few important federal laws that handle certain aspects of privacy, but there are still pretty big holes left in federal privacy protection.

Here’s what federal privacy laws do cover.

U.S. Privacy Act of 1974

In the mid-1970s, the most cutting-edge technology of the time was computer databases. People, including lawmakers, were rightly concerned about the information kept in databases, and how the government could potentially misuse the personal information it was storing.

So Congress passed what was, at the time, an innovative and landmark privacy protection law: the U.S. Privacy Act of 1974. It set out individuals' rights over, and restrictions on, personal data held by federal government agencies. Some of its key points were:

  • Individuals have a right to see and copy the records a federal agency keeps about them, and to request correction of any errors in those records.
  • Government agencies should only collect data that’s “relevant and necessary” to what they need to accomplish.
  • Only government employees who need to access citizens’ data to do their jobs are able to do so.
  • Sharing of private information between different government agencies or with outside parties is limited, and only allowed under certain conditions.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA is another well-known, landmark piece of legislation, passed in 1996. It regulates much of how the health insurance industry operates, but the two pieces with the most impact on your privacy are the Privacy Rule and the Security Rule, regulations issued by the Department of Health and Human Services under the Act.

  • The Security Rule: created a set of standards for keeping electronically stored health information safe and secure. 
  • The Privacy Rule: created rules for what health information is considered private, who is allowed to access it, and how. It gives patients rights to control their own health information, including accessing it, authorizing access for others, and correcting any mistakes in their medical records.

Gramm-Leach-Bliley Act of 1999

Buried in the GLBA, which covers many aspects of banking and financial law, is an important piece of privacy regulation. Basically, the GLBA outlines how banks and financial institutions can collect and share personal information about their customers. The Act defines “nonpublic personal information” as “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”

The problem with the GLBA, though, is that it doesn’t put a lot of restrictions on how banks can share private financial information with “affiliated” companies — consumers aren’t given any legal privacy controls over how their information is shared between different organizations in their bank’s “corporate family,” for example.

Children’s Online Privacy Protection Act (COPPA) of 1998

COPPA, passed by Congress in 1998 and in force since April 2000, was one of the most modern privacy laws the U.S. had seen, written specifically for the internet age. Unfortunately, it only covers children under 13 years old. It prohibits operators of websites and online services from collecting personal information from children 12 and under unless there is verifiable parental consent for doing so.

What About the Internet?

You might have noticed that COPPA is the only one of these federal laws that specifically regulates online data-sharing — and it doesn’t even apply to adults.

The unfortunate truth is that, in the U.S., technology is far, far ahead of the law. The internet is treated like a deregulated territory, and for the most part, companies are on their own to write whatever they want into their privacy policies. Unless they exist in one of the industries that’s federally regulated, they can be as careful with your privacy as they want to be — or not.

Some states are starting to make up for the lack of federal privacy laws that apply to online activity, writing and passing their own regulations. California has definitely taken the lead on this, but some other states are starting to follow. The National Conference of State Legislatures has a good roundup on internet privacy laws that currently exist on the state level, but as you can see below, the protections they offer are truly a patchwork and not at all comprehensive:

  • Consumer Data Privacy Laws exist in California, Nevada, and Vermont.
  • e-Reader Privacy Laws exist in Arizona, California, Delaware, and Missouri
  • Privacy Policy Standards or other regulation related to online privacy policies exist in California, Connecticut, Delaware, Nevada, and Oregon.
  • Protection of Personal Information held by ISPs exists in Maine, Minnesota, and Nevada.

One area where the entire U.S. is covered is Unfair and Deceptive Acts and Practices (UDAP) laws. All 50 states have adopted these kinds of laws, which in many cases make it illegal to post false information in online privacy policies. A handful of states (Nebraska, Oregon, and Pennsylvania) have passed laws that expressly forbid making false or misleading statements in an online privacy policy.

How Can Consumers Best Protect Their Personal Information Online?

The unfortunate short answer is that it’s not easy to protect yourself online where gaps in regulation leave your personal information in the hands of whoever is running the app or website that collects it. 

The best thing consumers can do is learn how to understand individual privacy policies, and how to look for red flags that might indicate their data isn’t safe with a site or app.

First, know all the things a good privacy policy should include. At a bare minimum, those are:

  • A description of all the types of data being collected, why, and how it will be used.
  • How that information is collected, including the use of browser cookies.
  • Clear identification of any third parties that will have access to your data, and why.
  • All privacy choices that are available to you, including what kinds of data collection you can opt out of and how.
  • A clear description of how your data will be kept safe and secure.
  • Contact information in case you have further questions or concerns about your privacy.

There are also some useful keywords you can look out for that might point to red flags in a privacy policy. Look for these words and phrases, as they often refer to some of the most important disclosures:

  • Share
  • Control
  • Delete
  • Choice
  • Third parties
  • Turn off
  • Settings
  • Advertise

When reading through a privacy policy (especially a very long one), there are some questions you should keep in mind. If the policy answers all of these questions and you’re satisfied with the way it addresses all these issues, it’s probably a decent policy to accept.

  • What personal information is being gathered?
  • How is it being collected?
  • Why is it being collected?
  • How will it be used?
  • Who will be able to access it?
  • What choices do you have about what information is gathered and how it’s used and shared?
  • Can you review your own personal information? Can you correct it if it’s wrong?
  • How is your personal information being kept secure?
  • How long will the site or app honor its privacy policy?
  • Who is holding the site or app accountable for honoring its privacy policy?

It can also be helpful to lean on existing tools, like Terms of Service; Didn’t Read, which gives privacy policies a rating based on how much protection and choice they offer users. Of course, no tool is perfect, and your best bet at protecting yourself is to read privacy policies yourself, rather than relying on someone else’s analysis.

What If a Site Violates Its Own Privacy Policy?

Because of the lack of laws that directly apply to online privacy in the U.S., it can be difficult to know how to seek recourse if a site or app doesn’t handle your data properly.

In most instances, the Federal Trade Commission (FTC) is the relevant oversight authority for privacy policy violations, and you can submit a complaint to the FTC through its online form. Its authority here comes mainly from Section 5 of the FTC Act, which bars unfair or deceptive business practices: a company that does not do what its published privacy policy says can be treated as having deceived its users. What the FTC will do is use its complaints database to identify trends, determine enforcement priorities, and identify potential targets for investigations. What it won't do is resolve or mediate your individual dispute with the organization that violated your privacy.

For that, you have even less recourse. One possible avenue that is too often overlooked is arbitration, which can resolve disputes between a business and its customers.

FairShake Can Help You Start the Arbitration Process

In the absence of comprehensive federal regulations to protect your privacy, keeping your data safe is a fight you might have to take into your own hands. One way to do so is by filing an arbitration claim against the business that violated its privacy policy. Filing an arbitration claim can seem complex and intimidating, but that’s why FairShake is here to help. We’ve automated the start of the arbitration process, meaning we can help get you on the road toward justice. You tell us about your complaint, and we handle the paperwork and guide you through all the legal steps. Ready to get your fair shake? Visit FairShake to see how you can get the justice you deserve today.
