Privacy Policy Analysis

Websites Collect Data About Users, But Policies Are Unclear About Important Practices

We analyzed the privacy policies of the top 50 most visited websites and found that they collect a significant amount of information about users, such as contact, demographic, and clickstream data. However, the majority were unclear about the length of retention once the data is collected, or the amount of access and control users have over all the different types of data collected about them. Additionally, very few of them made clear statements about the fate of user data in the event of a merger or bankruptcy, or if they enhance the data by purchasing information about users from outside sources to build more detailed profiles.

Policies Contain Conflicting Statements About Sharing

A majority of the top 50 websites stated that they do not share users' personal information with third parties, yet most of them do allow third party tracking and share users' data with affiliates. The average consumer might assume an affiliate or tracker to be a third party, as they have no relationship with them, but given the actual usage of these terms in privacy policies, that assumption would be mistaken.

Responses From the Companies

We sent our analysis of each website's privacy policy to their respective Privacy Officers and asked them for corrections, comments, or clarifications. We received responses from seven companies, representing 12 of our top 50 websites. Most of them stated that our interpretation of their policy was generally correct (Adobe gave us complete approval), though they also pointed out that some of our findings were dependent on context, and that there practices were more "nuanced" than a simple yes/no system of assessment. This response raises difficult problems for the notice and choice regime favored by businesses and the FTC. This regime is predicated on user choice, informed by privacy policies. If there are nuanced situations that create conditional yes or no answers to these basic questions about a site’s data collection and sharing practices, then it is unclear how an average user could ever understand these practices if the nuances are not explained in the privacy policy. Choice, therefore, cannot be informed.