Privacy policy

What is a privacy policy?

A privacy policy is a document from a company or organization that describes how they collect and store personal information, what they do with it, and what your rights are with regard to your personal information.

Where can I find a company’s privacy policy?

You can usually find a link to a company’s privacy policy on their website, often at the bottom of the site’s homepage. If a website or app requires you to create an account, there should also be a link to the privacy policy within the account setup flow, and you should be required to acknowledge (by checking a box) that you’ve read and agreed to the privacy policy. If the policy is hard to find, or if you don’t have to explicitly indicate agreement to the policy, those are bad signs for the company’s approach to data privacy.

Many companies operate under laws or regulations (such as the European Union’s GDPR) that require them to publish privacy policies. Even if a company isn’t operating under these laws, they will often choose to publish privacy policies anyway, either as a genuine effort to inform their users or simply as a way to look transparent and trustworthy.

What do privacy policies look like?

Privacy policies are legal documents, so they’re often quite long, and written in a dense, formal, jargon-heavy style. This makes them hard for most people to understand, and makes it likely that most people won’t even read them.

However, privacy policies don’t have to be that way. They can be written and organized in a way that’s clear and accessible to people who aren’t lawyers or privacy specialists. When policies are written in this approachable way, it’s generally a good sign that the policy represents an honest effort to inform users, rather than simply a checking-the-box exercise to comply with laws and regulations.

What’s in a privacy policy?

At minimum, a privacy policy should specify:

• What personal information is collected, and how. This includes both information that you share voluntarily (such as your email address), and information that the company’s websites and mobile apps passively collect (via tracking). This part of the policy should also specify what tracking technologies the site uses, such as cookies or fingerprinting.
• What purposes that information is used for. Some information is required for the company to provide services to you (for example, a shopping site needs your address to ship items to you). But plenty of companies collect your information for no benefit to you, only to themselves.
• Who else your information is shared with, and for what purposes (for example, if the company is selling your information to another, third-party company). The companies buying your information usually aren’t named—instead, they’re referred to as “partners.”
• How long your information is kept. The longer your information is stored, the greater the chances that it will be misused somehow. Ideally, companies would keep your information only as long as it’s needed, and then delete it.
• What rights you have over how your information is collected, used, and shared. You may be able to request that the company delete your data, or refrain from sharing it with third parties. The policy should specify both how you can make a request with respect to your information, and how long you can expect such a request to take to process.