Privacy policies are asking you to take an informed decision, so choose services that explain their privacy policy.
As stated here, the GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning.
The classical CIA information security protection goals, i.e. confidentiality (C), integrity (I) and availability (A), have been extended here for privacy protection through 3 concepts and under each one I am putting related questions of the checklist of the amazing site Terms of Service Didn't read.
Unlinkability
As separating data and processes:
- How long do they keep your private data and what do they use it for?
- What happens to your data when they get acquired or when they shut down the service?
- Can you export your data (where applicable)?
Transparency
As adequate level of clarity in the relevant data processing:
- Does the service use first-party and/or third-party cookies?
- Can they change the terms at any time?
- How do they work with third parties (contractors they use)?
- How do they work with government requests?
- How do they handle decisions about suspension of your account when they feel you breached the terms?
- Do they (try to) prohibit you from going to court against them?
One check I would add is: Do they share their business model, how they make money?
For me, the most complicated issue to tackle is the following but at least GDPR covers the most obvious cases:
Right related to automated decision making including profiling
Changing habits like blocking trackers contributes not only to avoiding a dystopian future of big data affecting my ability to get a job, a social Security scheme, or a loan but reduces also my chances of internet addiction.
After all, I don't want trillion dollar companies to make money from my behavior.
Intervenability
As the possibility for parties to be involved in the relevant process:
- Do they claim copyright (or what sort of license) over your content (where applicable)?
- Do you have a right to leave the service?
Case study
Spark is an example of a service that has also an explanation of its privacy policy, so let's read how it looked on the 4th of December 2020:
Buiness model
First of all it makes clear which is the business model:
Spark’s business model is simple: It’s free for individual users, yet it makes money by offering Premium plans for teams and organizations.
Purpose
They talk about purpose limitation
We don’t use your data for any other purposes. [...] We won’t ask for more data than is needed to provide you with the service.
And they summarize the purpose by saying:
Some of the purposes for processing the data provided by you include:
Providing you with the services
Fraud prevention
Improving our services
Notifying you of any changes in our services
Honesty and transparency
For example, they say "Your email is safe and we do not use it for profiling or targeting."
Data retention
They clarify that "We always delete your data once it’s no longer necessary" and the retention period is specified at the section "HOW LONG PERSONAL DATA IS STORED FOR" of the policy.
Security
Interestingly for a privacy policy, they have a section called "SECURITY MEASURES USED BY US".
Note the Security is not Privacy, it is a precondition for Privacy otherwise what the data you provide to the service are also exposed to unethical hackers.
Clear instructions on how to get access to your data or request its deletion
"You can either exercise your rights by deleting your account and all information associated with it from your device or by emailing us at dpo@readdle.com." and "Spark is GDPR and CCPA compliant, and you have the right to get access to your data or require its deletion. We are committed to dealing with all privаcy requests promptly and transparently."
Location
The service is located in Germany, a country that cares about Privacy.
Review
So overall, the service gives a good impression as most services have eitheir no information, or have information that you need to pay a lawyer to understand it.
I haven't used this service but as you can see in my previous post, we need to read the privacy policy of services and not accept them blindly and our attention span is already limited so invest in services that help you on that by structuring or explaining their privacy policy.
Top comments (2)
Interesting read. However, this fails to mention the "small" detail that they steal your mail password, and use it to trawl through your mails to find addresses of your contacts.
But yeah, they are good, because at least they are "upfront" about it (that is, if you bother to read their (non-)privacy statement)
I mention this privacy policy as an example that you don't need a lawyer to read it. Can you point me where on their privacy policy they say that they steal my mail password to find addresses of my contacts?
By the way, I have no attachment to Spark.
Another privacy policy that is readable is of mullvad VPN.