If you want a quick primer on policy and practice before reading privacy policies, two useful resources are TOS;DR and the opening section (titled "Statutory Framework") of the Fordham CLIP study (pdf) on privacy and cloud computing. TOS;DR, or Terms of Service; Didn't Read, gives a great overview of the structure of privacy policies used by tech companies. The opening section of the Fordham study covers the three main federal laws guiding privacy: FERPA, COPPA, and the Protection of Pupil Rights Amendment, or PPRA.
There are countless other sources of information out there, but these two provide concise, accessible, and accurate information.
Because the terms of service are so incredibly text heavy, a triage requires liberal use of your browser's search feature (usually accessed by hitting "control-f"; in Firefox and Chrome this option is under the "Edit" menu). When I'm triaging policies, I navigate to the privacy policies and terms of service and start with the following elements:
- How are terms changed? Do users opt in to new changes? Is there user review/feedback of new changes? Can they change terms at their discretion, with no notice if needed? Search terms: change, changes to, notice, notification
- Business transfers - is user information something that can be transferred in case of bankruptcy or sale, and what rights do you have to opt out? Search terms: Business transfer, acquire, transfer, bankrupt
- How do they define "Personal Information" and/or "Children's Personal Information"? Search terms: personal information, childrens personal information
- Use of 3rd party services/partners/affiliates, and the policies of these partners. Search terms: service, partner, affiliate, share
- As a user, do you give up rights to your data? Does the site claim any rights to reuse? Can you license your work how you want? Search terms: intellectual property, user submission, user content, copyright
- How do they describe cookies and tracking? Important information to look for includes how they store Location, Device information, Device ID, and/or Operating system. Search terms: Device ID, Device user, Location, Mobile, cookie, beacon, gif, identifier
- Data portability/exports - can you get your information out in a usable format? Don't be surprised if you get nothing back here. If they have anything, information about data portability is usually included in proximity to account cancellation. Search terms: download, export, portable, portability
- Deletion/Account cancellation - how easy is it to leave their service, and have your information deleted? Search terms: cancel, delete, viewable, visible
General discovery: FERPA and COPPA search. For this, use Google's site search feature:
FERPA site:sitename.com. So, searching Edmodo for FERPA looks like this: ferpa site:edmodo.com. Searching a full site often brings up documents that explain policies, and it's essential to compare these talking point docs to the actual policies. Disconnects can exist between a company's intent and their actual policies; when these disconnects occur, we need to remember that the policy - not the intent - is the legal document.
Once the policy has been triaged in an initial review, we can look for contradictory clauses in the terms - this is usually the starting point for a more detailed analysis, but it can also be part of a good triage.
As I said earlier, when reviewing terms of service, there is no substitute for reading and re-reading the terms. They are legal documents, and while they define how people can use a service, it's important to remember that the terms were created by the professionally argumentative class: lawyers. The task of the rest of us non-lawyers is to analyze how these terms impact us, and whether any risks or impacts seem fair, necessary, or acceptable.
UPDATE: Stephen Mutkoski flagged that the use of the word "may" is also useful to track. My suggestion here: substitute "will" for "may" and see how it reads. If a vendor says that they *may* do something, it means that they have the right to do it, so we need to assume that they will.
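The triage checklist and the "may"/"will" substitution can be scripted against a saved copy of a policy. The following is an added example, not part of the original post; the function names and the sample policy text are constructed for illustration, and the search terms are the ones listed above.

```python
import re

# Search terms per checklist item, copied from the triage list in this post.
TRIAGE_TERMS = {
    "changes to terms": ["change", "changes to", "notice", "notification"],
    "business transfers": ["business transfer", "acquire", "transfer", "bankrupt"],
    "personal information": ["personal information", "childrens personal information"],
    "third parties": ["service", "partner", "affiliate", "share"],
    "rights to user content": ["intellectual property", "user submission",
                               "user content", "copyright"],
    "cookies and tracking": ["device id", "device user", "location", "mobile",
                             "cookie", "beacon", "gif", "identifier"],
    "data portability": ["download", "export", "portable", "portability"],
    "deletion/cancellation": ["cancel", "delete", "viewable", "visible"],
}

# Constructed sample text, not taken from any real vendor's policy.
SAMPLE_POLICY = (
    "We may update these terms at our discretion without notice. "
    "In the event of a merger or bankruptcy, user data may be transferred "
    "to the acquiring company. "
    "You can cancel your account at any time. "
    "We use cookies and web beacons to collect your device identifier."
)

def split_sentences(text):
    """Rough sentence split: good enough for triage, not for legal parsing."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def triage(text):
    """Map each checklist item to the sentences containing one of its terms."""
    hits = {}
    for sentence in split_sentences(text):
        lowered = sentence.lower()
        for item, terms in TRIAGE_TERMS.items():
            # Anchor at a word start so "cookie" also matches "cookies".
            if any(re.search(r"\b" + re.escape(t), lowered) for t in terms):
                hits.setdefault(item, []).append(sentence)
    return hits

def may_to_will(text):
    """Return each sentence containing lowercase 'may', rewritten with 'will'.
    Case-sensitive on purpose so the month 'May' is left alone."""
    return [re.sub(r"\bmay\b", "will", s)
            for s in split_sentences(text) if re.search(r"\bmay\b", s)]

if __name__ == "__main__":
    for item, sentences in triage(SAMPLE_POLICY).items():
        print(f"[{item}]")
        for s in sentences:
            print("   ", s)
    print("\nRead with 'will' in place of 'may':")
    for s in may_to_will(SAMPLE_POLICY):
        print("   ", s)
```

Checklist items that return no hits are worth noting too: as the post says about data portability, the policy may simply have nothing on the topic.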