Which brings me to the topic of privacy policies, and how – struggling with antiquated data protection legislation from a bygone era – we are not actually protected.
Do we read them before joining a service?
The first and most obvious problem for the great majority of consumers is that, no matter what we might consent to, we do not, as a rule, read those T&Cs. If you have read carefully every set of T&Cs for each of the online services which you use, then you must be almost unique, or not have your own computer.
So the assumption that we agree to those T&Cs when we start using a service is simply not valid. Legislation must take that into account, and we need to be provided with something that we can give meaningful consent to. Even if you are that remarkable person who has waded through all these T&Cs, because privacy policies are separate documents, the chances are that you did not wade through those as well.
Legislation protecting our privacy must therefore come up with something better. I think that a summary table should be all that we need to see before giving meaningfully informed consent: something listing what we agree to be disclosed, and to whom. If a service is unable to express that clearly and succinctly, then they are not actually protecting our data, but spreading it all over the place.
Although current privacy policies are usually quite clearly written, and less riddled with legal boilerplate than T&Cs, they are long: Apple’s runs to 3170 words, Google’s to 2832, and Spotify’s new policy to 5279. That is after you have read the T&Cs, which in Spotify’s case amount to another 5104 words. It is completely unreasonable to expect any potential user of one of these services to read, fully understand, and consent to such long and complex documents online, in trying to decide whether or not to use the service.
Are those privacy policies clear and explicit?
“When showing you tailored ads, we will not associate an identifier from cookies or similar technologies with sensitive categories, such as those based on race, religion, sexual orientation or health.” (Google. Although this list gives an indication, it does not define ‘sensitive categories’, merely illustrates some.)
“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.” (Google, again resorting to ‘such as’ and in doing so failing to draw a clear line.)
“We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.” (Google, admitting to data aggregation without detailing what is aggregated.)
“When you use or interact with the Service, we may use a variety of technologies that collect information about how the Service is accessed and used. This information may include:” (Spotify, preceding a long but clearly not exclusive list of personal data.)
“Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).” (Spotify, who could be collecting data about the speed and location of the vehicle in which you are travelling, for example.)
“Please note that even if you opt out using the mechanisms above, you may still receive advertisements when using the Spotify Service.” (Spotify.)
Do they cover key topics?
Next, there are several very important areas which may be omitted altogether from these long privacy policies.
Data relating to children, for example, is explicitly treated differently by Apple:
“We understand the importance of taking extra precautions to protect the privacy and safety of children using Apple products and services. Accordingly, we do not knowingly collect, use or disclose personal information from children under 13, or equivalent minimum age in the relevant jurisdiction, without verifiable parental consent. If we learn that we have collected the personal information of a child under 13, or equivalent minimum age depending on jurisdiction, without first receiving verifiable parental consent we will take steps to delete the information as soon as possible.”
“If at any time a parent needs to access, correct, or delete data associated with their Family Sharing account or child’s Apple ID, they may contact us through our Privacy Contact Form.”
Google does not mention whether it handles data from children any differently.
Spotify contains the following remarkable text:
“The Spotify Service is not directed to children under the age of 13. (In some countries, stricter age limits may apply. See our Terms and Conditions of Use.) We do not knowingly collect personal information from children under 13 or under the applicable age limit (the “Age Limit”). If you are under the Age Limit, do not use the Service and do not provide any personal information to us. If you are a parent of a child under the Age Limit and become aware that your child has provided personal information to Spotify, please contact us at firstname.lastname@example.org and you may request exercise of your applicable access, rectification, cancellation, and/or objection rights. If you are a California resident under the age of 18 and you wish to remove publicly available content, please contact us at email@example.com.”
Another important issue which is normally a legal requisite is access to your own personal information, and how you can correct any errors in it. Again Apple provides explicit information, but Google is more vague and states: “Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.” Spotify is similarly vague: “You can view and amend much of the information we keep about you through your account and profile pages.”
Policies differ as to whether they detail any retention period, another important issue even in our antiquated legislation. Apple is explicit, Google is not, and this seems to have been omitted altogether by Spotify.
As all three corporations have headquarters in the USA, and generally prefer US jurisdiction, I would have expected that they made reference to US ‘Safe Harbor’ frameworks provided by the US Department of Commerce. Apple details this, Google does not, simply stating that it processes personal information worldwide, and Spotify reveals that it may process data in countries where lower levels of protection may be provided to personal data.
Of the three privacy policies which I have examined above, I have no confidence in those of Google or Spotify. I hope that their own words have demonstrated their real approach to protecting our privacy. Apple’s is long-winded, and still requires a succinct and clear summary, but it comes closest to what I would expect, and what should be provided under, for example, the guidance of the UK Information Commissioner’s Office.
Any future EU legislation needs to address this properly, to ensure that we are protected.