Any company or organization that collects information about its customers or users ought to have a privacy policy. A privacy policy describes all of the ways that a company gathers, uses, and discloses user data. Some consider privacy policies legally binding documents, while others argue they are mainly for informational purposes.
Privacy policies contain much of the same information as terms and conditions, terms of service, or end-user license agreements, but they tend to be easier to digest and not full of legal jargon. Good privacy policies are straightforward, concise, and transparent.
To better help our readers understand and compare privacy policies, and to provide some guidance to companies trying to craft policies of their own, we’ve analyzed several from the world’s largest internet companies. For each company, we summarize three main points: what information is collected, how it is used, and who can access it. We also score each company based on three subjective factors:
- Privacy: does the privacy policy actually protect users’ privacy?
- Clarity: is the privacy policy clear and concise?
- Scope: does the privacy policy cover everything it should?
We realize that not all companies can be compared side-by-side. A social network will require a different privacy policy than an ecommerce company, for example. So we’ve categorized each company into one of five verticals: major platforms, social media, VoIP and messaging, ecommerce, and streaming entertainment.
We plan to start out with these companies and build from here. If you would like to see another company’s privacy policy analyzed, leave us a note in the comments.
Major platforms
Major platforms are the global powerhouses that are more or less inescapable for internet users. They make operating systems, search engines, email clients, and hardware devices among many other things.
Google
Google is a massive company with its fingers in just about every internet-related vertical you can think of. While its privacy policy, which covers all Google services, is easy to read and very clear, it can be difficult to fathom how it plays into everything from the Play Store to Search, Gmail, Maps, Android, YouTube, and much more. Google’s prevalence means it probably knows more about you than any other company on Earth.
- Privacy: 2/5
- Clarity: 5/5
- Scope: 3/5
What information is collected?
- Personal details you provide: name, birthday, gender, country, email address, telephone number, credit card, profile photo
- Device: model, OS, unique device identifiers, mobile network, phone number
- Log info: search queries, call metadata (Google Voice), IP address, device event info (browser, settings, timestamps, referral URL, language, crashes), Google account cookies
- Location: IP address, GPS location, and device sensors
- Unique application numbers (used when installing, uninstalling, and updating Google apps)
- Local storage: browser web storage and application data caches
- Cookies: Used in Google Analytics and advertising services
- What you do: search queries, Google Maps activity, websites visited, videos watched (YouTube), ads clicked
- User-created content: Gmail emails and contacts, calendar events, uploaded photos and videos, all Drive content
- Activity on sites you visit that partner with Google, which includes all websites that use Google Analytics and AdSense
How is the information used?
The information Google collects is used to “provide, maintain, and protect” Google services. This includes more relevant search results and tailored ads.
If you have a Google account, your name, profile picture, and actions you take (such as +1’s) may appear publicly depending on your visibility settings. If you +1 something, for example, your contacts in Google may see it displayed as a shared endorsement in search results.
Account details, device, and language settings are used to give a consistent appearance across all Google services.
Google will not use cookies to associate you with ads based on race, religion, sexual orientation or health.
Automated systems will analyze Gmail and Drive content to customize ads and search results.
All of this information can be shared between different Google services.
Who can access the information?
Google offers account holders the option to review, manage, and control what information it collects and how it is shared.
Google will share personal information with companies, organizations or individuals outside Google with your consent. Consent includes accepting app permissions and information requested by third parties when you log in with your Google account.
Your personal data may be given to Google’s affiliates to be processed. This information is kept confidential.
Your personal data may be given to third parties, including law enforcement, to comply with government requests. Google says, “Our legal team reviews each and every request, regardless of type, and we frequently push back when the requests appear to be overly broad or don’t follow the correct process.”
Information that cannot identify you personally may be shared publicly, e.g. for Google Trends.
Domain administrators have their own privacy policies, so if your company email uses a Gmail domain, for instance, don’t assume that you are protected by Google’s privacy policy.
Apple
Unlike Google, Apple is not primarily an advertising company, so it has less interest in mining your personal details for profit. Apple divides up the information it collects into two categories: personal and non-personal. That sounds simple enough, but the two become harder to distinguish the further you delve into the policy.
- Privacy: 3/5
- Clarity: 2/5
- Scope: 3/5
What information is collected?
- Personal details you provide: name, mailing address, phone number, email address, contact preferences, and credit card information
- Personal details about people with whom you share content, send gift certificates, and invite to use Apple services including name, mailing address, email address, and phone number
- In some places and circumstances, Apple asks for a government issued ID
- Non-personal information, which is not traceable back to you, includes occupation, language, zip code, area code, unique device identifier, referrer URL, location, and time zone
- Non-personal activity info, including activities on the Apple website, iCloud, iTunes Store, App Store, Mac App Store, iBooks Store and other products and services
- Search queries
- With your consent, how you use your device and applications
- Cookies and pixel tags monitor user behavior and which parts of Apple websites people have visited, and measure the effectiveness of advertisements and web searches
- Cookies can obtain your IP address, which is used to serve targeted ads on Apple platforms
- Device information: IP addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data
- Real-time geographic location of your devices based on your GPS, IP address, Bluetooth, wifi hotspot, and nearby cell towers
How is the information used?
Personal information is used to update customers on product announcements, software updates, events, purchases, and changes to Apple’s terms, conditions, and policies.
Then there’s the non-personal information. This can be used or shared with third parties whenever Apple wants “for any purpose” but is not associated with any specific individual. This is mainly used to help target advertisements in the App Store and iTunes, for example.
To sum it up, Apple can use both your personal and non-personal information internally however it wants: to advertise, market, improve products and services, send updates, prevent abuse, etc.
Some personal information such as age might be used to help identify users and serve appropriate content.
If your personal info happens to be lumped together with your non-personal info, it can’t be used by any third parties until the two are separated.
Third parties can only use your non-personal information to build a sort of faceless profile. This is used to serve you ads and other targeted services, but they cannot identify you as an individual because they don’t know your personal information. Instead, they identify you using tracking cookies and possibly an IP address.
Location data used by Apple and third parties is not associated with and does not contain your personal information, save for a few exceptions such as Find My iPhone. The information is used to provide location-based products and services, which can include advertising. Note that Apple’s privacy policy doesn’t cover how third-party apps use your location data if you opt in to their location services.
Device information is used for trend analysis, site administration, improving products and services, assessing geographic data, and marketing and advertising.
Pixel tags are used to determine whether a customer opens an email.
Who can access the information?
Personal information can only be used by Apple and its “strategic partners”, which are obligated to protect your information. This includes mobile carriers, for activating new devices.
This information is only shared by Apple to provide or improve products, services and advertising, but it is not shared with third parties for their marketing or advertising purposes.
Non-personal information is shared with third parties for marketing, advertising, and other purposes. We recommend that users with Apple IDs enable “Limit Ad Tracking” on their accounts, which will prevent you from receiving targeted ads on all your Apple devices and accounts and on third-party apps.
Apple will hand over personal information about its customers to government agencies and law enforcement if “disclosure is necessary or appropriate”, to enforce terms and conditions, or to protect Apple and its users.
Microsoft
Microsoft’s privacy policy is quite clear about what information it collects, but could use a bit of improvement on how it is shared. A notable omission is telemetry data from Windows, which caused a stir among privacy advocates after the release of Windows 10. Microsoft’s products and services include Windows, Bing, Cortana, Groove, Health services, Translator, MSN, Office, OneDrive, Xbox, Outlook, Silverlight, Skype, Store, Swiftkey, and more.
- Privacy: 1/5
- Clarity: 4/5
- Scope: 4/5
What information is collected?
- Information you provide: name, email, login credentials, age, gender, country, language, payment data, address, phone number
- Interaction data: features used, items purchased, web pages visited, voice and text queries to Bing and Cortana
- Device data: model, OS version, ISP, software installed, product keys, IP address, IMEI numbers, region and language settings
- Error reports and performance data: type or severity of a problem, hardware and software details, contents of files used when error occurred, data about other software installed on device
- Support data: any information about you and your device that you give to support staff
- Interests and favorites from apps: sports teams, stocks tracked, cities you check the weather in, etc
- Contacts and relationships: think Skype and Outlook
- Location data: GPS, nearby cell towers, wifi hotspots, IP address
- Content: documents, photos, music, or videos you upload to a Microsoft service such as OneDrive, as well as the content of your communications sent or received using Microsoft products such as Outlook or Skype
How is the information used?
Microsoft categorizes the personal data it gathers into three basic purposes: business operations and providing products, sending communications, and advertising.
The first category includes personalizing customers’ products and recommending new ones. Software and hardware activation require some personal info. Product improvement uses search queries, error reports, and A/B testing. Usage data is used to prioritize these improvements. Audio recordings are analyzed to improve speech recognition. Personal info and usage data is also used to improve product security and prevent fraud. These include malware and phishing scans on content.
The second category, communications, includes email and other media used to inform you when subscriptions are ending or products need updating, invite you to participate in surveys, send shopping cart reminders, update you about service and repair requests, or alert you to account inactivity. This also includes any promotional subscriptions you signed up for.
The final category, advertising, is perhaps the one of most concern because this is where Microsoft shares your information with third parties. Ads can be based on your location, search query, the content you are viewing, interests, favorites, and usage data from both Microsoft sites and apps and those of its partners. To provide this “interest-based advertising” on third-party sites and apps, tracking cookies are used to associate your collected data with your IP address (and possibly other identifiers).
Microsoft does not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you. You can opt out of receiving interest-based advertising from Microsoft by visiting the opt-out page. Microsoft does not deliver interest-based advertising to anyone under 13 years old.
Data is stored for up to 13 months unless you agree to allow Microsoft to retain it for longer.
Health-related advertising applies to the US only. Based on your interests and usage, Microsoft will advertise to you based on your “allergies, arthritis, cholesterol, cold and flu, diabetes, gastrointestinal health, headache / migraine, healthy eating, healthy heart, men’s health, oral health, osteoporosis, skin health, sleep, and vision / eye care.”
Who can access the information?
Microsoft web beacons and cookies do not just appear on Microsoft-owned apps and sites, but also those of its partners. Microsoft specifically mentions A9, AOL Advertising, AppNexus, Criteo, Facebook, MediaMath, nugg.ad AG, Rocket Fuel, and Yahoo in its privacy policy, but the list is likely much longer than that.
All of those companies use cookies and web beacons to collect your information and in turn target you with ads when you visit Microsoft-owned apps and sites. Microsoft isn’t totally clear on this, but logic would assume that any information which third parties bearing Microsoft cookies and web beacons collect on you is associated with your IP address. Microsoft, which also has your IP address, can then combine that data to fill out your advertising profile.
Microsoft says it will share information when required by law, but does not give any indication about how much it scrutinizes court orders, subpoenas, and warrants before complying.
Social Media
Facebook
Facebook has a plainly worded, thorough, and well-organized privacy policy. What concerns us most, however, is not just that Facebook collects information on users based on their own information and activities, but that it can collect information on a user from that user’s friends. This makes even the most careful and thorough Facebook user vulnerable to the actions of their less privacy-conscious friends. A friend who uploads their phone contacts or plays an online quiz could unwittingly be handing over information about you, for example. This can be mitigated somewhat through settings, but those settings are not always apparent and can be buried within several disparate menus.
- Privacy: 1/5
- Clarity: 5/5
- Scope: 5/5
What information is collected?
- Info you provide: Everything in your profile and whatever you use to sign up
- Posts you create and share
- Messages sent on Facebook Messenger
- Files you upload including photos, their geotags and timestamps
- What you view, the frequency and duration of your activities on Facebook
- Info that other users provide about you: your friends, groups, who you share and chat with, and contact information they import from their devices
- Payment info: when you buy something on Facebook, make an in-app purchase, or donate, Facebook collects billing, shipping, credit card, and authorization details
- Device info: OS, hardware, settings, unique identifiers (IMEI numbers), file and software metadata, battery, signal strength, mobile operator, ISP, browser, language, time zone, phone number
- Your location based on GPS, cell towers, wifi networks, and IP address
- Information from third-party sites when you Like or Share something, and when you log in using your Facebook account
- Info from third-party partners, including jointly-offered services and advertisers
- Cookies track your activity on other sites
How is the information used?
Facebook uses your personal data to provide services, communicate, advertise, and ensure security.
To provide and improve services, Facebook uses your personal info to personalize and recommend content. This might affect what appears in your news feed, for example. It’s also how Facebook is able to recommend who to tag in a photo or post. Location is used for check-ins and finding nearby events.
Communication includes updates to terms of service, marketing and promotions, and informing you of new services. It’s also used for support purposes.
Everything Facebook knows about you is used to target advertisements and measure their effectiveness on Facebook. Off Facebook, advertisers are limited to “non-personal” information that excludes things like your email address and name, and instead uses cookies and your IP address to identify you. You can manage these settings here.
For security purposes, Facebook may use your personal information to verify your identity and prevent abuse.
Tracking cookies are used to authenticate your account when you use a Facebook action (Like, Share, or log in) on a third-party site. They can track your activity on other sites, such as what you purchased, and are then used to serve targeted ads on Facebook. They can determine whether you clicked or viewed an ad. Finally, Facebook uses cookies to store preferences and provide tailored content.
Who can access the information?
The scope of who can see what you share and post is determined by your Facebook settings. We recommend you review them if you have not already. Some of your profile information is public. This info can be accessed by search engines, APIs, and offline media like TVs. Who can see your posts and comments on another person’s profile is determined by that person’s settings. People can also see information that others post about you.
Whenever you authenticate or authorize a third-party app or website using your Facebook account, it asks for a list of permissions. They have access to all of that information until you remove that app from your account. You can also give those apps and sites access to your friends’ information, and they can conversely hand over information about you unless you change your settings to say otherwise.
Any web page with a Facebook Like or Share button, or that uses Facebook authentication or authorization for log in and registration purposes, is almost definitely putting cookies on your device. These cookies track your behavior and report it to Facebook, which is in turn used to serve targeted advertisements. Third parties can also use these cookies on their own sites, and Facebook advertisers have some access to the data to measure the effectiveness of their ads.
When faced with legal requests from governments and law enforcement, Facebook will hand over your personal information if it believes in good faith that the law requires it to do so. This includes governments of countries outside the US.
Reddit
Reddit has a fairly straightforward privacy policy for its simple but popular service. Its data collection policies are reasonable; it doesn’t collect too much and doesn’t share too widely.
- Privacy: 3/5
- Clarity: 4/5
- Scope: 5/5
What information is collected?
- Info you provide: username, password, account preferences, and optionally an email address.
- Content of your private messages to other users
- Content of your posts
- Payments are processed by third parties like PayPal or Stripe, so if you buy something on Reddit refer to their policies. Reddit only collects your name, email, address, and info about what you purchase
- Device info: IP address, user agent, browser, OS, referral URL, unique device ID, hardware settings
- Interaction data: pages visited, links clicked, upvotes, downvotes, search terms
- Cookie data
- Location data: with your consent, your location based on your GPS, Bluetooth, cell towers, wifi networks, and IP address
How is the information used?
User profiles and interests are built and used to personalize the content and advertisements that appear on reddit. Reddit will also communicate with users about products, services, offers, promotions, and events and provide other news and information relevant to users.
The data collected is monitored to analyze trends, usage, and activities.
Reddit uses personal information to provide, maintain, and improve its services. It’s used to protect users and reddit from fraud, spam, and abuse. Technical notices, updates, security alerts, customer service, and invoices use your contact information to keep you informed.
Reddit deletes IP addresses after 100 days except for the one used to create your account.
Who can access the information?
Your username, posts, and comments are visible to the public. Even private or quarantined subreddits can become public later. Karma, trophies, moderator status, Reddit Gold status, and how long you have been a member are also public.
Ad partners and networks may use cookies to collect information when you see ads on reddit, but Reddit does not provide your actual Reddit account details to these advertising partners. “This means that Reddit does not share your individual account browsing habits with advertisers. Reddit cannot see advertisers’ cookies and advertisers will not see Reddit cookies.”
Reddit uses Google Analytics to collect user information in aggregate.
Messages sent through Modmail can be forwarded to the moderator’s personal email account and are subject to their email provider’s privacy policies.
Third party vendors, consultants, and service providers can have access to your personal information for processing purposes.
Information is shared when a legal request for information is submitted by law enforcement and other government agencies. Reddit will try to give you prior notice if possible.
Twitter
Twitter is a very straightforward service and it handles relatively little private information. Most of the information you provide is openly shown on your profile, and any identifying private information you provide is not used by third parties. The wording of the privacy policy could be a bit more clear in how the collected information is used, however.
- Privacy: 3/5
- Clarity: 3/5
- Scope: 5/5
What information is collected?
- Account and contact info: name, username, password, email, phone number
- Additional info you provide: contacts, address book, emails sent to Twitter
- Public info: tweets, who you follow, who follows you, lists
- Profile info including bio, location, website, date of birth, photo
- Usage info: timestamps, language, country, time zone
- Direct messages
- Location based on GPS, cell towers, wifi networks, Bluetooth, and IP address
- Links: what links you click on in Twitter, in emails from Twitter, on third-party services, client applications, and redirects
- Cookies: Tracking cookies collect behavioral data, but Twitter honors Do Not Track and will function if you disable them
- Log data: when you use the service, when you use your Twitter account to authenticate to a third-party site, and when you visit other sites that contain Twitter buttons or widgets, Twitter logs your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device information (including device and application IDs), search terms, and cookie information
- Log data: IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device information (including device and application IDs), search terms, or cookie information
- Payment info: if you make a purchase through Twitter, it will store your credit or debit card details and address
How is the information used?
Your profile, handle, tweets, followers, who you follow, and lists are public info. Other information can also be public with your consent including your bio, location, website, date of birth, and profile photo.
Contact info is used to enable certain features such as login verification (2FA); Twitter via SMS; prevent spam, fraud, and abuse; send marketing or promotional materials; and send general service messages.
If you sync your address book, this is used to generate follow recommendations and make other suggestions.
Location info lets you Tweet with your location and is used to personalize the service with local content and serve relevant ads.
Cookies and link data are likewise used for personalization and advertising both on and off Twitter.
Data collected directly from Twitter and its services is deleted or de-identified after 180 days or less.
Third-party sites that use Twitter widgets such as Tweet buttons also send log data to Twitter. After 10 days, that data is deleted, de-identified, and/or aggregated with other people’s data. This info is collected even if you don’t have a Twitter account.
Who can access the information?
Public and non-personal information can be used by third parties including advertisers to help target ads. This information is not linked to you directly and instead identifies you using your IP address and/or cookies.
Third-party apps and websites will request information when authorized or authenticated with your Twitter account. This info is shared at your discretion.
Information is processed by service providers on Twitter’s behalf and is not to be used for other purposes such as advertising.
Information can be preserved or disclosed to comply with laws, regulations, legal processes and government requests.
LinkedIn
LinkedIn knows a lot about your professional life and it leverages that data to make money. Beyond the standard non-identifying advertising scheme, LinkedIn also provides your personal information to recruiters and marketers. This leads to the problem that LinkedIn is notorious for: spam. The privacy policy is well-organized but leans a bit too heavily on legal jargon.
- Privacy: 2/5
- Clarity: 3/5
- Scope: 4/5
What information is collected?
- Account and contact info: name, username, password, email address, phone number, postal code
- Profile info: job titles, employers, skills, experience, education, honors, awards, affiliations, memberships, followers, and other info you provide
- At your discretion, LinkedIn will sync with your address book or contacts list and your calendar
- Device info: IP address, device identifiers, referrer URL, operating system, ISP or mobile carrier
- Location data from your GPS, Bluetooth, cell towers, wifi networks, and IP address
- Inferred information from your profile: age, industry, seniority, compensation, and gender
- Content you read on SlideShare and Pulse, which are owned by LinkedIn
- Usage info: Ads you click on, articles you read, who you follow, groups participation, and links you click
- Cookie data
How is the information used?
The visibility of much of your profile information can be changed in your account settings, but this info can still be used to target you with ads so long as it does not directly identify you. Consider it public by default.
Web beacons, cookies, pixel tags, ad tags, and mobile identifiers are used to serve ads both on and off LinkedIn. These technologies provide a means for ad networks to identify you without using private information and conversely collect information about your activity on third party sites to send back to LinkedIn. Websites that contain LinkedIn buttons and other plugins can also collect information on your activity.
Both LinkedIn and websites that use its services such as Share buttons collect info when you click on ads, import address books, authenticate apps and websites with your account, join and participate in groups, answer polls, view content on Pulse or SlideShare, and share articles.
Information is used to recommend members, news, groups, and presentations.
If you delete your account or change profile information, the old data is retained for up to 30 days. Information collected by third-party sites using widgets like the Share button that you did not interact with is removed after 7 days.
Who can access the information?
Contact information is shared with individuals you contact through LinkedIn.
First degree connections can see your full profile and contact info. Recruiters and professional subscribers can also see your full profile even if you do not approve their InMail or connect with them.
Third parties can look up profile information (subject to your privacy settings) using your email address or first and last name through the profile API. Apps and websites can access select information in your profile with your permission, such as when logging into an app using your LinkedIn account.
Third parties can target advertisements to you on the results page based on your answers in a poll. Third parties may follow up with you via InMail regarding your participation unless you have opted out of receiving InMail messages. LinkedIn can use third parties to deliver incentives to you to participate in surveys or polls. If the delivery of incentives requires your contact information, you may be asked to provide personal information to the third party fulfilling the incentive offer, which will be used only for the purpose of delivering incentives and verifying your contact information.
Users can use the search function to find a profile based on its details including skills, experience, industry, and profession.
Recruiters, marketers, and salespeople can target you using your name, headline, current company, current title, and location among other things. This can be restricted by configuring your visibility settings.
Data is processed by some third parties on behalf of LinkedIn and shared with affiliates such as Pulse and SlideShare.
Personal information is disclosed when permitted by law, including subpoenas and court orders.
Instagram
With the exception of tracking cookies, Instagram only really collects and shares the information you directly provide. The privacy policy is clear and concise with specific examples provided when appropriate. We would have liked to know more about how Facebook’s ownership of Instagram affects its own privacy policy, though.
- Privacy: 4/5
- Clarity: 4/5
- Scope: 5/5
What information is collected?
- Account info: username, password, email
- Profile info: name, profile picture, phone number
- User content: photos, videos, and comments that you post
- Communications sent to and from Instagram: account verification, notices, updates, etc
- Friends: if you sync or upload contacts from your address book or other social networks
- Analytics info: web pages you visit, add-ons, and other traffic and usage trends
- Device info: IP address, browser, referrer URL, links, what you click on in Instagram, device identifiers
- Cookie and pixel tag data
- Metadata: hashtags, geotags, timestamps, content format
How is the information used?
Account info and cookies can be used to help you access information and stay logged in without having to re-enter your credentials.
All of your info can be used to personalize content and advertisements within Instagram.
Analytics and device info, among other data, is primarily used to provide, improve, test, and develop Instagram features. Instagram monitors key metrics such as number of visitors, traffic, and demographics.
Hashtags and geotags are used to promote contests, special offers, and other events.
Who can access the information?
Facebook owns Instagram, and the latter’s privacy policy states that pretty much everything it collects can be shared with affiliates, including Facebook.
Cookie data is shared between third-party sites and used to serve ads both on and off Instagram.
User content you post is public by default unless you change your settings. It’s searchable by other users and third parties who use the Instagram API.
Service providers may process your information on behalf of Instagram.
Instagram will comply with legal requests such as warrants, subpoenas, and court orders when the law requires, including in jurisdictions outside the US.
VoIP and messaging
WhatsApp uses end-to-end encryption that even it cannot break* and third-party advertisers are not permitted to gather information or display their ads in the app. It doesn’t even require a real name or email address, just a phone number. This makes it an excellent choice for the privacy-conscious, but remember that it is owned by Facebook, so things could change down the road.
- Privacy: 5/5
- Clarity: 4/5
- Scope: 4/5
What information is collected?
- Info you provide: phone number, address book, profile name, profile picture, and status message
- Messages are only stored on WhatsApp’s servers until they are delivered, after which they are deleted. While they are on WhatsApp’s servers, they remain encrypted so that WhatsApp cannot read them.
- Contacts: favorites lists, groups, broadcast lists
- Customer support communications
- Usage info: diagnostics, crash reports, performance logs
- Device info: hardware model, operating system, IP address, mobile network, device identifiers
- Location (if enabled)
- Status info: whether you are online, when you last used WhatsApp, and when you updated your status message
- Info others provide about you: if you are in another WhatsApp user’s address book, they might provide your info to WhatsApp
How is the information used?
WhatsApp does not read the content of your messages.
Much of the information is used to provide, improve, repair, develop and customize the service.
WhatsApp does not have ads in its app. Cookies are used for diagnostics and providing its web-based app.
Contact info is used to inform users about updates and changes.
Third-party businesses are allowed to use WhatsApp for marketing and promotional communication, but the user has full control over who can and can’t send them messages.
Who can access the information?
Your phone number, profile name and photo, online status and status message, last seen status, and receipts can be seen by anyone who uses the service by default, though some of this can be switched off in the settings.
Third-party providers might process your information on behalf of WhatsApp and according to its instructions and terms.
If you use a third-party service that’s integrated with WhatsApp, those services will receive information about what you share with them. This includes backup providers like iCloud and Google Drive.
Skype
See above: Microsoft
Snapchat
Snapchat is very public in nature, but even so its privacy policy leaves much to be desired. Some of the information collected is vaguely worded as “metadata” or “details”. Third parties can use cookies on Snap’s services, which in turn means that data is covered under a different company’s privacy policy.
- Privacy: 2/5
- Clarity: 2/5
- Scope: 4/5
What information is collected?
- Account info: username, password, email, phone number, birth date
- Profile info: picture, name
- Transactional info: if you buy something through Snapchat, it will store your payment info including credit card details and address
- User content: snaps, chats, and other content
- Info you provide to customer service
- Usage info: filters viewed and used, channels watched on Discover, search queries
- Communication with other users: names, timestamps, number of messages, whether you open messages, and if you take a screenshot
- Content info: whether the recipient opens the content you send and the content metadata
- Device info: hardware model, OS, device identifiers, app identifiers, advertising identifier, browser, language, wireless network, mobile carrier
- Location: GPS, wifi networks, cell towers, device sensors, and IP address
- Phonebook: with your consent, Snapchat will collect contact info from your address book/contacts list
- Log info: access times, pages viewed, IP address, referrer URL
How is the information used?
Snaps are automatically deleted after they’ve been opened by all recipients or they expire. Other info is kept for an indeterminate amount of time. Snapchat reminds users that other users can use outside methods to capture and retain data they gather from Snapchat on their own behalf, for which Snap is not responsible.
Snapchat uses the information it collects to provide, improve, and develop its service. That includes personalizing content, friend recommendations, and advertisements.
Snapchat will use your email and other contact information to send you information about updates, changes, promotions, services, and promotional offers.
Cookies, web beacons, and advertising IDs are used on and off of Snapchat to collect data, customize your experience, and serve targeted advertisements.
Precise location data is used to tag your memories and personalize advertisements if you consent to its collection.
Some information is used to verify your identity, prevent fraud and spam, enhance safety, and enforce Snap’s terms of service.
Who can access the information?
Other Snapchat users can access your profile info, your friends, friends of friends, info you’ve shared from your contacts, and the content you share.
Aggregated, non-personally identifiable, or de-identified information is shared with third-party advertisers. These advertisers will instead identify you through a cookie, advertising ID, web beacon, or similar technology.
Your profile and information you share to Live, Local, and other crowd-sourced services are public.
Your information might be processed by a third party on behalf of Snapchat.
Snapchat will comply with legal requests for information such as subpoenas and court orders.
Other companies may use cookies, web beacons, and other tracking technologies on Snapchat that collect information about you.
Ecommerce
Amazon
Amazon’s privacy policy almost feels like an afterthought. It doesn’t even mention Kindle, Echo, or Prime Video. It lists the information it collects when you use Amazon.com, but doesn’t delve much into how that information is used or how long it is retained.
- Privacy: 2/5
- Clarity: 3/5
- Scope: 1/5
What information is collected?
- Account info: name, address, phone number, credit card, people to whom purchases have been shipped, password, email, social security number, driver’s license number
- User content: Wish lists, gift registries, discussion board posts, ratings, reviews, order notifications, product availability alerts
- User activity: When and what you search, view, buy, post, participate in questionnaires and contests, recommendations
- Device info: IP address, browser, time zone, browser plugins, OS, referral URL, timestamps, cookie data, unique identifiers
- Info from third parties: addresses, purchase info, page view information, Alexa searches, credit history info from credit bureaus
- Location: only on Amazon’s mobile apps
- Email communications
How is the information used?
Information you provide, including account info, user content, and user activity, is used to respond to requests, customize shopping, improve the stores, and communicate with you.
Location and device info are used to customize advertisements, search results, and other content.
Credit history is used to prevent and detect fraud and to offer certain credit or financial services.
Pixel tags are used to determine whether you opened an email from Amazon.
Cookie data is used to remember preferences such as one-click ordering and recommendations. They are also used to serve targeted advertisements on third-party sites.
Who can access the information?
If you make a purchase from an affiliate store not controlled by Amazon, the store will share customer information necessary to complete the transaction.
Third party service providers receive and process your information on behalf of Amazon. These include shipping companies, data analysis, credit card processors, and customer service.
Amazon will share account information with law enforcement when appropriate to comply with the law and protect itself and customers.
Cookies collect behavioral data on third party sites that is logged by Amazon. Conversely, Amazon uses cookies as identifiers to serve ads on third party sites.
Ebay
Ebay isn’t totally clear about what info it hands over to third parties and what is held privately by Ebay. Note that Ebay’s privacy policy is separate from its cookie policy. Perhaps most concerning is that Ebay will scan your social media activity and info if you signed up with a social media account. Other than that, it’s pretty much what you’d expect.
- Privacy: 2/5
- Clarity: 3/5
- Scope: 5/5
What information is collected?
- Account info: name, addresses, telephone number or email address
- Profile info: age, gender, interests, and favorites
- Transaction info: credit card details, bank account numbers, and other payment info
- User activity: what you buy, bid on, sell,
- User content: basket items, watch lists, collections you make or follow, community discussions, chats, dispute resolution, and customer service communication
- Shipping info: tracking numbers, tracking updates, tax ID, and other identification numbers when items need to go through customs
- Device info: Device ID or unique identifier, device type, advertising ID, and unique device token, referral URL, IP address, browsing history, web log info
- Location based on your IP address or mobile phone location settings (GPS, mobile network, wifi, etc)
- Data collected from cookies
- Info from third parties: demographic information that is publicly available, additional contact information, credit check information and information from credit bureaus
- Social media: If you sign up for an Ebay account with a social network account like Facebook or Google, Ebay collects info about content you view and like, the ads you see and click on, videos you watch, and profile info
How is the information used?
Account info is used to access and use Ebay and contact you about your account, service updates, disputes, and polls.
Transaction and third-party credit info (likely from credit bureaus) are used to send you credit offers, collect fees, and provide customer service. Relevant payment information is given to PayPal.
User activity, content, and profile info is used to customize site content including recommendations and keep track of your basket, collections, purchase history, scores, bids, and internal messages.
Location data is used to customize ads, search results, and other content.
All information collected can be used to target you with ads according to your account preferences. Account information can be used to offer discounts and promotions.
Social media information is stored for at least two years or until you withdraw consent. This info is used in advertising and content personalization.
Ebay will use any information as it sees fit to comply with the law, investigate fraud and abuse, and protect its service and customers.
With the exception of social media info, all information that Ebay collects can be stored indefinitely, sometimes even if you close your account.
Cookies, web beacons, unique identifiers and similar technologies collect behavioral info about the pages you view, the links you click and other actions you take on Ebay websites, advertisements, and emails. Cookies can be used to target you with ads both on Ebay and third-party sites. Conversely, persistent cookies can collect behavioral info from other sites and deliver it to Ebay.
Who can access the information?
Upon your request, Ebay will close your account and remove your personal information from view as soon as possible.
Ebay, Inc members can use your information to provide and improve content and services, personalize advertisements and marketing, and prevent fraud and abuse.
When transacting with another user, they may request your name, account ID, email address, contact details, shipping and billing address, or other information. They are not allowed to use this information for any purpose other than fulfilling the transaction, according to the rules.
Third parties can view your information to provide payment processing, advertising, fraud detection, bill collection, affiliate and reward programming, and co-branded credit card services.
Your information may be handed over to credit reporting agencies in the event of late or missed payments or defaults.
Streaming entertainment
Youtube
See: Google
Netflix
While we’ve often been at odds with Netflix for discriminating against users based on their IP address, the company as a whole isn’t promiscuous with its customers’ data. This is largely because it doesn’t run ads on its platform. Some of the language of the privacy policy seems a bit too vague, however; in particular it doesn’t detail what customer information goes into its advertising scheme, how that information is de-identified or aggregated, or how it uses cookies.
- Privacy: 4/5
- Clarity: 2/5
- Scope: 5/5
What information is collected?
- Account info: name, email address, address or postal code, payment method and telephone number
- User content: reviews, ratings, taste preferences, account settings, and preferences
- User activity: title selections, watch history, and search queries
- Customer service interactions
- Device info: unique identifiers, type, configuration, connection info, IP address, referral URL, browser
- Cookie data
- Info from third parties: demographic data, interest-based data, and internet browsing behavior
How is the information used?
Your IP address is used to determine your location, provide localized content, determine your ISP, and make recommendations.
All information is used for analytics and improving the service.
Cookies are used for identification and authentication of members, features and functionality, and targeted advertising.
Contact information is used to communicate with customers about Netflix including updates, news, offers, promotions, surveys, and customer service. These can come in the form of emails, push notifications, text messages, and online messages.
Who can access the information?
Netflix mentions that it works with service providers to provide marketing and advertising, but these providers perform services on Netflix’s behalf and do not act independently.
Netflix will use your information when necessary to protect itself and customers and to comply with the law.
Netflix shares your information with third parties as needed for data processing, customer support, making improvements, processing payments, and offering joint promotions.
Hulu
Hulu doesn’t go into much detail about how each type of information collected is specifically used. Instead, it gives vague “Use in general” bullet points, and it’s up to you to figure out what information is used for which purpose.
- Privacy: 2/5
- Clarity: 2/5
- Scope: 5/5
What information is collected?
- Account info: name, email address, birth date, gender
- Payment info: credit card number, address, zip code
- User activity: watch history, page views, ad data
- Device info: IP address, browser, OS, location, referral URL, network state, unique identifiers
- Cookie data including Flash cookies, HTML5 local storage, web beacons, and pixel tags
- Social media: If you create an account and log in to Hulu using a third-party service like Facebook, Hulu will collect your ID, username, any information you make public on that service, and any information you authorized to share with Hulu including billing info, email, birthday, friends list, and Likes
- Data from third parties: Hulu can collect info about you from public databases and business partners including interests, demographic, purchasing behavior, websites visited, and ads viewed
How is the information used?
Account and payment info are used to provide the service, contact you including for promotional offers, and to prevent abuse.
Other info can be used for customizing content, targeting you with ads, analyzing how well those ads and recommendations perform, and compiling aggregate data for “internal and external business purposes.”
Cookies are used to serve targeted ads on third-party sites and collect behavioral data on how you use third-party sites.
Who can access the information?
Social networks that you have connected to Hulu can share your activity, including shows you watch and like.
Third-party advertisers will receive de-identified info about you including your use of Hulu, websites you visited, advertisements you viewed, and other activities online.
Content licensors, ratings agencies, and advertisers on Hulu can use your viewing information to measure the performance of videos using third-party measurement software.
Service providers and business partners may use your information on Hulu’s behalf for processing, management, marketing, and support.
Hulu will disclose your information to law enforcement to protect itself and its customers, prevent abuse, and when required to do so by law.
How to make a better privacy policy
The FTC recommends companies publicly disclose and alert users of changes in their privacy policy whenever “significant” changes are made. Because significance is arbitrary, many experts advise that companies simply send out a notice every time they update the privacy policy, just to be as transparent as possible.
Be specific. Don’t use vague or jargon-laden language. Say in plain language what information the company collects, how each of those pieces of information is used, and who each one is shared with.
Don’t use a “set-it-and-forget-it” approach to privacy. Instead of asking for permission to use all of a user’s information all at once, allow users to opt-in to information-sharing features as needed. Facebook, for example, asks the user the first time it requires any new permission, such as access to the camera, GPS, and storage. Depending on your service, it can also be wise to expire these permissions and ask again after a certain amount of time.
Concise does not mean short. Concision is good; it means your privacy policy will be easy to read and is well organized. A privacy policy that’s too short, however, might not adequately address all of the information collected, how it’s used, and who it’s shared with. Be thorough.
Remember to include details about how long data is retained. Do you delete data after a month? A year? Or do you store it indefinitely?
Glossary
- Web beacon – (pixel tag) Web beacons, including pixel tags, are (usually) invisible objects embedded into emails and web pages. They are used to “phone home” to inform the company that put them there that the user has opened said web page or email.
- Cookie – Cookies are pieces of data sent by websites to be stored on users’ browsers. They have two main purposes: to remember and to record. They remember things like whether you logged in to a site or where you left off in a video. They record the links you click on, the ads you view, and the pages you visit. There are many types of cookies, but the ones privacy-conscious users should be most worried about are called “persistent” or “tracking” cookies. These monitor your activity even after you leave the site where you first got the cookie.
- Third party – A third party refers to any entity that’s not either you or the company that owns the website or app. These can include advertisers, service providers who do work on behalf of the company, and law enforcement among others.
- Referral URL – When you click on a link on website A to get to website B, website A is the referrer. A referral URL is the web page address of the referrer. Referrer URLs are often recorded for analytics purposes and sometimes drive revenue for the referrer.
- De-identify – De-identification occurs when the company holding your data removes the personally-identifying information such as your name, email address, and payment info. This usually occurs before the rest of the data is handed to a third party. While de-identified data might not contain info about you as a person, it can still contain information specific to your device, such as your IP address, advertising ID, or other unique identifiers.
- Aggregate data – Aggregate data is a compilation of data from multiple users that isn’t specific to any one user. It’s typically used for analytical purposes to study trends and metrics.
- IP address – Every device that’s connected to the internet has an IP address. IP addresses can be used to identify specific users and approximate their location.
- Unique identifiers – Unique identifiers are usually alphanumeric strings of characters that can be used to identify specific devices. They can be more effective than IP addresses at targeting specific people. Examples of unique identifiers include browser fingerprints, advertising IDs, IMEI numbers, MAC addresses, device identifiers, and app identifiers.
Disclosure: all of the information in this article is based on the author’s interpretation of each company’s respective privacy policy. The author is not a lawyer and nothing in this article should be taken as legal advice.