What’s in a Privacy Policy?


data policy

By Sascha Matuszak
Reporter, SCCE|HCCA

Just a couple days before the GDPR goes into effect, and like you, I have been inundated by new privacy policies and terms of service from any and all web services I subscribe to, even if I haven’t used them in years. Some of the updates are from companies I didn’t know existed, like the Endurance International Group, a web hosting and marketing firm, and others are from more familiar names—Twitter, Spotify, Google, and others.

Privacy policies come in all shapes and sizes. Endurance International Group has an informative, rigorous, and thorough privacy policy with links to pages where I can adjust the settings, contacts, and specifics; i.e., they will “retain [my] personal information for no more than seven years.” Envato, a marketplace for creatives, has an engaging, albeit slightly less informative privacy policy: “We retain your personal information for as long as is necessary to provide the services to you and others, and to comply with our legal obligations.” Discord, voice chat (for gamers), is very transparent about its data collection procedures, lays out the ways to change settings and submit data requests, and its policy runs barely a page long. All three policies begin with a version of “Your data is important to us” and “We value your trust,” and yet, all three go about demonstrating these two statements in different ways.

I’ve received several other emails, and each privacy policy is slightly different. Each, however, represents a new era in communication between service provider and consumer when it comes to personal data. Not all consumers will read through the new policies and go to their settings to customize their experiences, but now, if they want to, it’s easy. All of these policies are written in simple, clear language and designed for easy reading. I’m going to pull out policies from two companies that struck me in particular: Spotify and Facebook.

Transparency. Choice. Control.

The first thing to notice about the Spotify email is the clear, simple, warm message that starts this new era off:

At Spotify, we want to give you the best possible experience to ensure that you enjoy our service today, tomorrow, and in the future. It is also our goal to be as open and transparent as possible with our users about the personal data we collect to provide that service, how it is used, and with whom it is shared. We are contacting you today to let you know that we will be making some changes to our Privacy Policy, which will be effective from May 25th. These changes will reflect the increased transparency requirements of the EU General Data Protection Regulation (known as the ‘GDPR’). We have always strived to provide you with clear and simple information about the personal data we collect and use and how we protect your personal data in our Privacy Policy. . . . Over the next few weeks, we will also be rolling out new tools which include a new Privacy Center at Spotify.com and a new Privacy Settings page in your Account to help you more easily understand and manage your privacy choices, including a new ‘Download my Data’ button.

It’s Spotify’s version of the standard letter going out from basically every app and service under the sun, but I am immediately at ease. Then comes the blogpost, linked in the email; very quick and to the point, and let’s me know a few very important things right off the bat:

  • Our personal data and your rights – We have provided additional detail in the Privacy Policy to explain more clearly what personal data we collect about our users, how it is used and shared. We have also included additional information about what new and enhanced rights our users have in relation to their personal data.

  • The Privacy Center – We will be launching a new Privacy Center in the coming weeks at spotify.com. It will help individuals understand how their personal data is used by Spotify and what controls are available to Spotify users to manage their privacy settings.

  • Privacy Settings page – We will also be launching a new Privacy Settings page accessible to Spotify users in their Account in the coming weeks. This will provide Spotify users with new controls to manage your privacy settings and enable them to download their personal data via a new ‘Download my Data’ button.

  • New Privacy Contact Information – We have updated the Privacy Policy to include details of how to contact Spotify’s Data Protection Officer and the appropriate data protection authorities, who can be contacted directly by any individuals with data protection questions or concerns.

I love the fact that they mention their data protection officer (a GDPR requirement) and how to get in touch with them. Again, it’s standard in terms of what the GDPR requires, but I am already guided quickly over to the actual policy, which, is unsurprisingly also pretty easy to understand. They link the Privacy Center throughout. They want to funnel users to the one-stop click that can handle their privacy and security issues. I leave the policy believing that a lot of work was put into this by people who genuinely care about my rights.

I could be completely wrong, and this is just a beautifully crafted policy not indicative of anything more than competent staff, but I feel good about what I have read. I now trust Spotify.

Consent or Delete

Facebook’s new data policy is long, but that’s to be expected from one of the world’s largest social media networks. It’s relatively easy to read, and the layout feels accessible. Readability isn’t really the issue though; the issue is data and how vast and comprehensive Facebook’s data collection procedures truly are. They collect so much data via so many different points of contact, covering so many aspects of a person’s identity, that they can only refer to it in their policy via example: their data collection method description is peppered with “This can include . . .” and “such as . . .”

Facebook’s policy allows users to adjust some account settings, what is and what is not public, whether or not ads are relevant, and how much is shared with third party apps,  but users have no control over what data is collected. If you consent to this policy, your data belongs to Facebook. You can download it, delete your account even, but much of the data remains, including offline and online data and the profiles created thereof. It’s a bit daunting. My initial feeling is that I am signing away my entire personal data set to the same company that has violated data privacy and protection regulations time and time again.

Not only that, but I must give consent, or I will be unable to use any of Facebook’s services. At this point I say to myself, these guys know they own the social media sphere, and they’re using that to leverage me, to bully me into signing my data away. It’s an uncomfortable feeling and one that may not necessarily be in line with GDPR requirements.

But I get the feeling Facebook doesn’t care. They’re too big for me, and they might be too big even for the GDPR.