What to look for in a Privacy Policy

Excited to download a new app or sign up for a website, most kids click right over the privacy policy. If they happen to glance at it, they will usually find a long policy talking about PI, IP, aggregated data, cookies and 3rd parties. Although these policies are not an easy read, they are important. Whether a kid reads it or not, they are agreeing to it.

A privacy policy does not guarantee privacy. A privacy policy outlines what data the company collects and how the company uses it. Taking the time to go through a policy is a great way to teach kids about data collection.

Data Privacy Month Tip #3 – Read a Privacy Policy

The first step in reading a privacy policy is finding it.  A link to most policies can be found at the bottom of the home page. If a website asks for information without providing a privacy policy, this is a huge red flag. Even mobile apps should have some reference to a privacy policy.  Mobile apps from iTunes are included in Apple’s privacy policy. Android apps should have one of their own.

What information is collected

All websites collect some information. For example, websites collect an Internet Protocol (IP) address. An IP address is a computer’s unique address. Without an IP address, a website and a computer cannot communicate with each other. Besides what is needed to run the website, a company may collect other information. The privacy policy should list all the information collected including any personal information such as name, address, email, or phone number.

Kids should check whether the information a site collects matches its function. For example, Amazon asks for a lot of information, but Amazon needs name, address and credit card number to process an order. Paper Toss, a free app, collects location data. Arguably, Paper Toss does not need location data in order to toss virtual paper into a virtual garbage can. Kids should definitely watch out for apps and websites collecting excessive data. An examination of 101 popular smartphone “apps” by the Wall Street Journal found that 47 apps transmitted the phone’s location.

How it is collected

Websites collect information in 2 ways: a person enters it, or the website or app collects it automatically. Kids may provide information by filling out a profile, answering surveys or participating in chat rooms. Companies can automatically collect information by using cookies.

Cookies are small pieces of code that allow websites to identify individual computers. Cookies are the reason a user does not have to log in to Facebook every time or Amazon immediately says “Hello Kidsprivacy!” But marketing companies can also place cookies on a computer and track online surfing.

Cookies become a problem when tracking data is combined with another database containing personal information. For example, a social network profile might be linked with marketers’ tracking data. Connecting a person’s name with their surfing habits can create quite a robust profile. If a company is combining information, you may see language such as “(w)e may also link information stored on your computer in cookies with personal data about specific individuals stored on our servers.”

Kids should limit their exposure to cookies from ad networks. The Network Advertising Initiative has information about how to opt out of many networks. Kids can also delete cookies from their browsers. However, some websites and apps will not run without cookies.

Who has the information

Most privacy policies talk about sharing information with other entities. Some privacy policies talk about sharing information with affiliates and/or trusted third parties. Like “Friends of Friends” on Facebook, affiliates or trusted third parties can include a lot of companies. Unfortunately, people do not have a lot of options on how to eliminate this sharing other than not using the site or app.

Kids should identify what type of information is being shared among all these parties. Most often it is aggregated data. Aggregated data has all personally identifiable information removed and is organized into groups. For example, a company may share information about women ages 18-24 in the zip code 98056. Selling this information is how many free apps and websites make money.

How it complies with COPPA

The most likely language you will see regarding the Children’s Online Privacy Protection Act (COPPA) is “(w)e do not allow children under 13 to register for any service, and we do not knowingly collect any personally identifiable information from children under 13.” Even though it does not offer any protection, I always like to see that a company is at least aware of COPPA.

If a site does allow users under 13, it should have a section on COPPA. The Federal Trade Commission enforces COPPA and has a list of requirements for how companies must protect children’s personal information. The policy should address how the site adheres to the rules and regulations of the Children’s Online Privacy Protection Act.

How long the website stores data

Websites should not hold onto your data forever. Policies should contain language describing how long they retain information. Some sites will hold onto archived data for a period of time; others do not delete data but will make it anonymous by removing personal identifiers. A good privacy policy will also have some mechanism for users to contact the company about deleting data.

How data is protected

All data should be protected. Kids should be wary of any website that does not outline some form of data protection. Policies should describe how data is protected, with language such as “maintain industry-standard physical, electronic, and procedural safeguards to guard your personal information” or “transmitting personal information (credit cards) to other websites, protected through the use of encryption” or “take commercially reasonable precautions to protect the information from loss, misuse and unauthorized access, disclosure, alteration and destruction of data.”

How changes are made to the privacy policy

The majority of privacy policies can be changed at any time. A good policy will outline how a member will be notified of changes. The company should attempt to notify a user via email, text or on their site. Many policies simply assume your continued use is acceptance. If this is the case, kids need to periodically check for an updated privacy policy.

What other information exists

Besides reading a privacy policy, kids can also look for seals of approval.  The Verisign seal indicates that this is a legitimate site and safe from malware.  BBB accredited businesses have made a commitment to safeguard privacy.  The TRUSTe symbol identifies companies that adhere to TRUSTe’s online privacy principles.  TRUSTe also has a program that identifies sites that protect children’s privacy online.

Still unsure about a website or app? Check out Common Sense Media. Here, kids can read reviews on the latest apps and websites. Do not skip the comment section. This has great information about what kids and parents are finding when they use an app or visit the website.

Final Word

Ultimately, kids should always remember, in the words of myYearbook’s privacy policy, “(n)otwithstanding any of the aforementioned, be aware that posting personal information on public areas of myYearbook.com (via Profile, Forums, Blogs, etc.) will make your information publicly available.  Do not post information in public areas that you want to keep private. Also, be aware that certain information you post or share with third parties like your friends or members of your network about yourself may be shared with other users and all such sharing of information is done at your own risk.”