I read a lot of privacy policies while reviewing authenticators, password managers, private messaging apps, proxy services, and VPNs. As you can imagine, these documents aren’t exactly thrilling reads, so I came up with a few shortcuts to get through them quickly and efficiently. These tips could save you time and may even save your data from falling into the wrong hands. Keep reading for my policy-reading cheat sheet, followed by a few things you should always do before downloading a new app or other software.
What Does a Good Privacy Policy Look Like?
Each company’s privacy policy is different. Some companies offer easy-to-read, very transparent privacy policies that clearly outline what kinds of data the company collects, how it uses the data, how it stores the data, and how long the company holds onto it.
Take a look at the screenshot below for an example of a well-formatted, informative privacy policy from Proton, the company behind Editors’ Choice winners Proton Pass and Proton VPN.
Proton’s pithy, well-formatted privacy policy. (Credit: Proton/PCMag)
Earlier this year, I highlighted some of the most invasive mobile apps. Whether companies log your keystrokes, gather data about you from other sources without your permission, or monitor everything you do while you browse the web, the practices are outlined in the company’s privacy policy. When you agree to the terms, your data has the potential to become their data.
Sometimes companies fill privacy policies with confusing legal jargon, likely in the hope that the average customer will close the tab after encountering the third instance of the word “heretofore.” It’s much easier to hide invasive data collection practices in these documents. The easiest way to uncover the truth is by searching privacy policies for phrases or words that are potential points of interest.
How to Spot Privacy Policy Red Flags
Below is a list of search terms I use when reading lengthy privacy policies. Not all privacy policies will contain these words or phrases, and this list is not exhaustive. If you read enough policy statements, you’ll come up with a list of your own in no time.
“Incorporated”
It’s a good idea to find out where a company is located. Different countries have different approaches to data protection. For example, a company incorporated in Panama City adheres to Panama’s Personal Data Protection Law (PPDPL), while a German company would follow the rules set by the European Union’s General Data Protection Regulation (GDPR). A company’s country of incorporation isn’t an instant red flag for me, but knowing the guidelines the company operates under is a good starting point. For example, countries in the European Union have to obey GDPR, as do companies that do business in EU countries. If you’re unfamiliar with a country’s privacy laws, do a quick search to see what privacy protections are in that jurisdiction. If you can’t find anything, that may be a warning sign.
“Customer Data”
Search for this phrase, and you’ll find out what types of data companies collect from you. Most policies mention that the company stores the name, email address, and phone number you provide when you sign up for the service. The data collection veers into invasive when the app or software automatically collects your keystrokes, your clipboard data, your photos, videos, notes, calendar, emails, SMS messages, or biometric data. That said, sometimes this information is necessary for an app to function. For example, if you’re downloading a photo editing app, the company needs to access your photo folder.
“Retention”
A good privacy policy will tell customers how long the company retains their data after the person cancels service or deletes their account. Most of the policies I’ve read state that the company will delete customer data after a reasonable time period, usually between six months and one year. If a company is holding onto your private data for more than two years after you deleted your account, that’s not good. If the company does not specify how long it retains your private information, that’s a red flag. Time to try a different app!
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
“Log Data”
Some proxy services or VPN companies keep customer activity logs. Since these companies have the ability to see all of your online activity—including websites you visit and webform text like bank account and credit card numbers—while you’re connecting to or through their service, there’s potential for invasive data collection. Most companies don’t log all of your actions, but some do. I recommend searching for the words “log data” and then scanning the following paragraphs to find out what kinds of data the company logs. If it’s traffic data or detailed device usage data, steer clear.
“Sell”
DNA testing company 23 and Me recently went bankrupt, and potential buyers are circling to acquire what’s left of it. If you’ve ever used one of their kits, that includes your genetic data. What happens to your private information if a company is dissolved or sold? What happens if another company acquires the app? Find out by searching for the words “sell” or “transfer” within the privacy policy. Most reputable companies will tell you what happens to your data if the company changes ownership. If a company doesn’t mention it in the privacy policy, check the terms of service document, too. If it isn’t there, steer clear. You don’t want your private information to be sold or given to another company or a data broker without your consent.
Recommended by Our Editors
“Third Party”
Search for the words “third party” or “advertisers” to make sure a company doesn’t share your information with anyone you don’t know. Some companies share customer data with third parties that handle payment processing or other in-app operations, which is normal and fine. However, it’s concerning when the primary company is sharing or selling your data for reasons unrelated to the app’s functionality. This is where the old adage “If a service is free, you’re the product” comes from.
Do This Before Downloading a New App
Be honest: When was the last time you read a privacy policy? If you do it every time you download an app, excellent work. If you don’t download many apps anyway, even better. You can’t inadvertently give away information if you don’t download apps in the first place.
Make sure to complete these three steps before downloading an app:
-
Check for a link to a privacy policy page. If you can’t find one, or if you don’t understand what you are reading, stay away. Do not download the app or grant it any permissions on your device.
-
Read the privacy policy and look closely at what kind of information the app collects. If, for example, a simple calculator app’s policy mentions it collects your health and location information, dump the app and find an alternative.
-
Find out if the app shares your data with third parties. While reading the privacy policy, ask yourself the following questions: Under what circumstances does the company comply with law enforcement requests? Will the company inform you when it sells or transfers your data? Does it give or sell your information to advertisers?
The app’s privacy policy should contain all of this information. If the answers you find raise red flags, don’t download the app.
Don’t Give Away Your Data
Want to find out how the apps on your phone handle your private data? Earlier this year, I wrote about how to check app privacy stats on Android phones and iPhones.
After locking down your phone, check out this list of essential privacy apps from my colleague Neil J. Rubenking. If you’re hoping to take online security to the next level, read our suggestions for easy things to do to improve your online privacy and security.
About Kim Key
Senior Security Analyst
