What you really agree to when you click ‘accept’
by By Jose Pagliery, CNN Money
Companies use these policies to alert you to how they track your location, read your emails, spy on your Web browsing – and sell some of that to advertisers.
It doesn’t help that these disclaimers are close to unintelligible.
The policy at Facebook (FB, Fortune 500) is 9,110 words long. LinkedIn (LNKD) comes in at 7,895 words. You’d need to be a sophomore in college to fully understand the disclaimers at Netflix (NFLX) and WhatsApp, according to a Flesch-Kincaid readability test.
With the help of several legal experts, CNN has reviewed policies at many top websites and apps. The conclusion: Most privacy policies are basically useless.
They’re too vague. Unclear language isn’t just annoying. It arms companies with more legal muscle. Having ambiguous language in privacy policies lessens a consumer’s ability to fight back if their personal information is ever mishandled.
“In many cases, companies don’t want to be specifically transparent about what they’re doing, so the policies are written in general terms with a lot of ‘cover yourself’ built in,” attorney Joel Reidenberg said.
The music-streaming service Pandora (P), for instance, says it collects “transactional information” on devices. CNN consulted five of the nation’s top privacy attorneys, and none knew what that meant. Is Pandora tracking your spending habits on shopping sites? Online banking? Pandora later explained that refers only to activities – such as listening to music – within the Pandora app.
That definition wasn’t clear to Reidenberg or N. Cameron Russell, law school professors at Fordham University who specialize in this very subject.
“I would interpret that like a nonlawyer would,” Russell said. “‘Transactional information’ is not a term of art that I’ve heard. That’s up for grabs.”
Terms are open-ended. When companies collect your information, they provide a list of what they take – typically without any real limits. For example, King (KING), the maker of the wildly popular smartphone game Candy Crush, says it collects personally identifiable information “such as your name, address, telephone number or email address.” But using the words “such as” means the list doesn’t necessarily end there.
Aleecia McDonald is the director of privacy at the Stanford Law School’s Center for Internet and Society. She notes that “such as” opens the gates for just about anything.
“It’s not an exhaustive list,” she said. “I read this as, ‘We take everything we can get.’ ”
Policies change all the time. Companies revise the rules so often that advocates have launched a service called TOSBack to track updates.
“Companies reserve the right to change them. The ones they have today won’t be the ones they have tomorrow,” said Khaliah Barnes, who directs the student privacy project at the Electronic Privacy Information Center.
Sometimes they don’t even exist. Mobile app developers are increasingly relying on even more nebulous “permissions” instead of privacy policies. These pop-ups list all the features an app can access on your phone. It’s worth paying attention to them, because they’re starting to get weird.
Meanwhile, the app can tap into other programs and access whatever computer you plug into your phone.
Umoni Studio told CNN it’s a team of two dedicated developers in Guangzhou, China who mean well. They admit the app collects all this data, but they promise they’ll only give advertisers “aggregated or anonymous information.”