Privacy policies: how they do not protect us

No sooner had a second batch of stolen data from the Ashley Madison site hit the media, than Spotify fluffed its new privacy policy, resulting in its CEO publishing an apology and trying to clarify what they actually intend to do.

Which brings me to the topic of privacy policies, and how – struggling with antiquated data protection legislation from a bygone era – we are not actually protected.

Each and every online service which we use requires us to accept its terms and conditions of service (T&Cs), to which is usually linked a separate privacy policy. In this article I consider those of just three service providers: Apple, Google, and Spotify (as they so kindly volunteered their policy for such scrutiny).

Do we read them before joining a service?

The first and most obvious problem for the great majority of consumers is that, no matter what we might consent to, we do not, as a rule, read those T&Cs. If you have read carefully every set of T&Cs for each of the online services which you use, then you must be almost unique, or not have your own computer.

So the assumption that we agree to those T&Cs when we start using a service is simply not valid. Legislation must take that into account, and we need to be provided with something that we can give meaningful consent to. Even if you are that remarkable person who has waded through all these T&Cs, because privacy policies are separate documents, the chances are that you did not wade through those as well.

Legislation protecting our privacy must therefore come up with something better. I think that a summary table should be all that we need to see before giving meaningfully informed consent: something listing what we agree to be disclosed, and to whom. If a service is unable to express that clearly and succinctly, then they are not actually protecting our data, but spreading it all over the place.

Although current privacy policies are usually quite clearly written, and less riddled with legal boilerplate than T&Cs, they are long: Apple’s runs to 3170 words, Google’s to 2832, and Spotify’s new policy to 5279. That is after you have read the T&Cs, which in Spotify’s case amount to another 5104 words. It is completely unreasonable to expect any potential user of one of these services to read, fully understand, and consent to such long and complex documents online, in trying to decide whether or not to use the service.

Are those privacy policies clear and explicit?

The next problem is that, if you do actually take the trouble to read the T&Cs and privacy policy, whilst clear, they often do not specify exactly what information is collected, what it is used for, and who uses it. Instead most are carefully written to cover asses rather than specifics. Throughout the three privacy policies, the phrases ‘this includes’ and ‘may include’ see abundant use, but those policies seldom define what is excluded; generally they are worded so as not to be fully explicit. Some examples:

“When showing you tailored ads, we will not associate an identifier from cookies or similar technologies with sensitive categories, such as those based on race, religion, sexual orientation or health.” (Google. Although this list gives an indication, it does not define ‘sensitive categories’, merely illustrates some.)

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.” (Google, again resorting to ‘such as’ and in doing so failing to draw a clear line.)

“We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.” (Google, admitting to data aggregation without detailing what is aggregated.)

“We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances applies: […] For external processing We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.” (Google, first appearing not to share personal information, and then admitting to sharing it with unspecified others.)

“Our Privacy Policy does not apply to services offered by other companies or individuals, including products or sites that may be displayed to you in search results, sites that may include Google services, or other sites linked from our services.” (Google, who previously claimed that ‘other trusted businesses or persons’ would act ‘in compliance with our Privacy Policy’.)

“By using or interacting with the Service, you are consenting to: […] the use of cookies and other technologies;” (Spotify, being as vague as possible.)

“When you use or interact with the Service, we may use a variety of technologies that collect information about how the Service is accessed and used. This information may include:” (Spotify, preceding a long but clearly not exclusive list of personal data.)

“With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.” (Spotify, again failing to provide any explicit detail, and requiring the user to seek consent of others!)

“Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).” (Spotify, who could be collecting data about the speed and location of the vehicle in which you are travelling, for example.)

“BY ACCEPTING THE PRIVACY POLICY, YOU EXPRESSLY AUTHORISE SPOTIFY TO USE AND SHARE WITH OTHER COMPANIES IN THE SPOTIFY GROUP, AS WELL AS CERTAIN TRUSTED BUSINESS PARTNERS AND SERVICE PROVIDERS, WHICH MAY BE LOCATED OUTSIDE OF THE COUNTRY OF YOUR RESIDENCE (INCLUDING COUNTRIES WHICH DO NOT PROVIDE THE SAME LEVEL OF PROTECTION FOR THE PROCESSING OF PERSONAL DATA AS THE COUNTRY OF YOUR RESIDENCE), THE INFORMATION PROVIDED BY YOU TO SPOTIFY, EVEN IF SUCH INFORMATION IS COVERED BY LOCAL BANKING SECRECY LAWS.” (Spotify, in a staggering admission.)

“Please note that even if you opt out using the mechanisms above, you may still receive advertisements when using the Spotify Service.” (Spotify.)

Do they cover key topics?

Next, there are several very important areas which may be omitted altogether from these long privacy policies.

Data relating to children, for example, is explicitly treated differently by Apple:
“We understand the importance of taking extra precautions to protect the privacy and safety of children using Apple products and services. Accordingly, we do not knowingly collect, use or disclose personal information from children under 13, or equivalent minimum age in the relevant jurisdiction, without verifiable parental consent. If we learn that we have collected the personal information of a child under 13, or equivalent minimum age depending on jurisdiction, without first receiving verifiable parental consent we will take steps to delete the information as soon as possible.”
“If at any time a parent needs to access, correct, or delete data associated with their Family Sharing account or child’s Apple ID, they may contact us through our Privacy Contact Form.”

Google does not mention whether it handles data from children any differently.

Spotify contains the following remarkable text:
“The Spotify Service is not directed to children under the age of 13. (In some countries, stricter age limits may apply. See our Terms and Conditions of Use.) We do not knowingly collect personal information from children under 13 or under the applicable age limit (the “Age Limit”). If you are under the Age Limit, do not use the Service and do not provide any personal information to us. If you are a parent of a child under the Age Limit and become aware that your child has provided personal information to Spotify, please contact us at privacy@spotify.com and you may request exercise of your applicable access, rectification, cancellation, and/or objection rights. If you are a California resident under the age of 18 and you wish to remove publicly available content, please contact us at eraser@spotify.com.”

Another important issue which is normally a legal requisite is access to your own personal information, and how you can correct any errors in it. Again Apple provides explicit information, but Google is more vague and states
“Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.” Spotify is similarly vague: “You can view and amend much of the information we keep about you through your account and profile pages.”

Policies differ as to whether they detail any retention period, another important issue even in our antiquated legislation. Apple is explicit, Google is not, and this seems to have been omitted altogether by Spotify.

As all three corporations have headquarters in the USA, and generally prefer US jurisdiction, I would have expected them to make reference to the US ‘Safe Harbor’ frameworks provided by the US Department of Commerce. Apple details this; Google does not, simply stating that it processes personal information worldwide; and Spotify reveals that it may process data in countries where lower levels of protection may be provided to personal data.

Summary

Of the three privacy policies which I have examined above, I have no confidence in those of Google or Spotify. I hope that their own words have demonstrated their real approach to protecting our privacy. Apple’s is long-winded, and still requires a succinct and clear summary, but it comes closest to what I would expect, and what should be provided under, for example, the guidance of the UK Information Commissioner’s Office.

Any future EU legislation needs to address this properly, to ensure that we are protected.