Triaging Privacy Policies and Terms of Service


Reading Privacy Policies and Terms of Service can be a mind-numbing task, but the process of reviewing how an organization describes basic relationships with people can tell you a lot about how the company works, and the company culture. In this post, I will use "privacy policy" and "terms of service" interchangeably. When I use either term, I mean "the combined policies that describe the rules for using a site, and how the owner of the site can treat you."

If you want a quick primer on policy and practice before reading privacy policies, two useful resources are TOS;DR and the opening section (titled "Statutory Framework") of the Fordham CLIP study (pdf) on privacy and cloud computing. TOS;DR, or Terms of Service; Didn't Read, gives a great overview of the structure of privacy policies used by tech companies. The opening section of the Fordham study covers the three main federal laws guiding privacy: FERPA, COPPA, and the Protection of Pupil Rights Amendment, or PPRA.

There are countless other sources of information out there, but these two provide concise, accessible, and accurate information.

There is no way to evaluate a privacy policy well without taking a deep dive, and reading the whole thing. However, prior to doing that, you can get a sense of how things will go by looking for some traits that are common among privacy policies. In the video, I'll use these basic starting points to do a quick triage of Edmodo's privacy policy and terms of service.

Because the terms of service are so incredibly text-heavy, a triage requires liberal use of your browser's search feature (usually accessed by hitting "control-f"; in Firefox and Chrome this option is under the "Edit" menu). When I'm triaging policies, I navigate to the privacy policies and terms of service and start with the following elements:

  • How are terms changed? - opt in to new changes? User review/feedback of new changes? Can they change terms at their discretion, with no notice if needed? Search terms: change, changes to, notice, notification
  • Business transfers - is user information something that can be transferred in case of bankruptcy or sale, and what rights do you have to opt out? Search terms: Business transfer, acquire, transfer, bankrupt
  • How do they define "Personal Information" and/or "Children's Personal Information"? Search terms: personal information, childrens personal information
  • Use of 3rd party services/partners/affiliates, and the policies of these partners. Search terms: service, partner, affiliate, share
  • As a user, do you give up rights to your data? Does the site claim any rights to reuse? Can you license your work how you want? Search terms: intellectual property, user submission, user content, copyright
  • How is data used? Because this is the core of what privacy policies attempt to define - or, arguably, what they attempt to obscure - you will need to cross reference different sections of the privacy policy and terms of service. Don't be surprised to find contradictory sections here, and when you do, assume that the least advantageous clause will win the day. Search terms: usage, aggregate, identifiable
  • How do they describe cookies and tracking? Important information to look for includes how they store Location, Device information, Device ID, and/or Operating system. Search terms: Device ID, Device user, Location, Mobile, cookie, beacon, gif, identifier
  • Data portability/exports - can you get your information out in a usable format? Don't be surprised if you get nothing back here. If they have anything, information about data portability is usually included in proximity to account cancellation. Search terms: download, export, portable, portability
  • Deletion/Account cancellation - how easy is it to leave their service, and have your information deleted? Search terms: cancel, delete, viewable, visible
  • General discovery: FERPA and COPPA search. For this, use Google's site search feature: FERPA. So, searching Edmodo for FERPA looks like this: ferpa. Searching a full site often brings up documents that explain policies, and it's essential to compare these talking point docs to the actual policies. Disconnects can exist between a company's intent, and their actual policies; when these disconnects occur, we need to remember that the policy - not the intent - is the legal document.

Once the policy has been triaged in an initial review, we can look for contradictory clauses in the terms - this is usually the starting point for a more detailed analysis, but it can also be part of a good triage.

As I said earlier, when reviewing terms of service, there is no substitute for reading and re-reading the terms. They are legal documents, and while they define how people can use a service, it's important to remember that the terms were created by the professionally argumentative class: lawyers. The task of the rest of us non-lawyers is to analyze how these terms impact us, and whether any risks or impacts seem fair, necessary, or acceptable.

UPDATE: Stephen Mutkoski flagged that the use of the word "may" is also useful to track. My suggestion here: substitute "will" for "may" and see how it reads. If a vendor says that they *may* do something, it means that they have the right to do it, so we need to assume that they will.

For example, Edmodo's privacy policy states, "Our partners, affiliates, and service providers may also transmit cookies to your computer..." - if we substitute *will*, the statement is more accurate about the potential of what could, over time, happen: "Our partners, affiliates, and service providers will also transmit cookies to your computer..." END UPDATE
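
The checklist searches and the "may"-to-"will" substitution described above, run as a small script over policy text (an added example, not part of the original post). The search terms are the ones listed in the checklist; the category labels, function names, and sample policy text are constructed for illustration.

```python
import re

# Search terms from the checklist; category labels are assumptions of this example.
TRIAGE_TERMS = {
    "changes to terms": ["change", "changes to", "notice", "notification"],
    "business transfers": ["business transfer", "acquire", "transfer", "bankrupt"],
    "personal information": ["personal information", "childrens personal information"],
    "third parties": ["service", "partner", "affiliate", "share"],
    "rights to content": ["intellectual property", "user submission", "user content", "copyright"],
    "data use": ["usage", "aggregate", "identifiable"],
    "tracking": ["device id", "device user", "location", "mobile", "cookie", "beacon", "gif", "identifier"],
    "portability": ["download", "export", "portable", "portability"],
    "deletion": ["cancel", "delete", "viewable", "visible"],
}

# Constructed sample text, not taken from any real policy.
SAMPLE_POLICY = (
    "We may change these terms at our discretion. "
    "Our partners may place cookies on your device. "
    "In the event of a sale or bankruptcy, user information can be transferred. "
    "We collect Children's Personal Information only with consent. "
    "You can cancel your account at any time."
)

def sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def triage(text):
    """Return {category: [(term, sentence), ...]} for every checklist hit."""
    hits = {}
    for sent in sentences(text):
        # Lowercase and drop apostrophes so "Children's" matches "childrens".
        norm = re.sub(r"['\u2019]", "", sent.lower())
        for category, terms in TRIAGE_TERMS.items():
            for term in terms:
                if term in norm:  # substring match, like the browser's find
                    hits.setdefault(category, []).append((term, sent))
    return hits

def missing(text):
    """Checklist categories with no hit at all, e.g. no export or portability clause."""
    hits = triage(text)
    return [c for c in TRIAGE_TERMS if c not in hits]

def may_to_will(text):
    """Sentences containing 'may', rewritten with 'will' for a second reading."""
    return [re.sub(r"\bmay\b", "will", s, flags=re.I)
            for s in sentences(text) if re.search(r"\bmay\b", s, re.I)]
```

Categories returned by `missing()` are the ones to chase by hand; a silent policy is itself a finding, and every hit still needs to be read in context.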