What's in Your Privacy Policy?

Posted by Christopher Burgess

The days of asking "Why do I need an entire policy about privacy?" are long gone. Users regularly evaluate the trade-off between how their information is being used and the cost to personal privacy. Every company needs to be upfront about how user data is being used, shared, and stored.

What Does a Privacy Policy Look Like?

A quick survey of well-known companies and their respective privacy policies shows a fondness for clear, precise language:

Google: The Google privacy policy is broken into 12 segments, ranging from how it uses the information it collects, to how that information pertains to specific product practices. Google uses the word "share" 17 times within the policy, and dedicates a section to how users can control how their information is used.

Facebook: Facebook's ever-evolving privacy policy discusses how it and "others" may use and share your personal information. The November 2014 iteration of the Facebook privacy policy presents content in four separate areas of interest. The first area covers information the company receives about you (registration, information you share on your profile, your posts, your devices, log-in/out, timelines visited, and others' posts that are about you). The second area falls under the heading of "public information" (information you make public, e.g., profile, applications, program interfaces). To its credit, Facebook explicitly identifies the information that will always be publicly available: name, profile and cover photos, networks, gender, username, and user ID. The third section explains how Facebook uses the information it receives. Much of this section pertains to how Facebook provides you with information and services that you can use, and how and with whom the company shares your data (the word "share" appears 12 times within the Facebook policy). The last section details how to deactivate and delete your Facebook account.

New York Times: The New York Times privacy policy discusses how your information may be shared with advertisers and anyone else seeking marketing information or products. It does provide a clear directive on how you can "opt-out" of such practices. Interestingly, there is also a section dedicated to sharing information on social networks, specifically Facebook, and how Facebook's privacy policy will apply. You'll find the word "share" used 18 times within the policy.

What About My Privacy Policy?

The Online Privacy Alliance has a robust set of guidelines to assist companies in creating their policy. While these are not all-inclusive, the guidelines include:

  • What's being collected, how that information is used, third-party access to the information, the organization's commitment to securing the data, and what steps are taken to protect users' data.
  • What choices the individual has with respect to how their information is handled, where and how a user may opt out of sharing their information, and where and how user data (including cyberlog data) is being collected and used.
  • How the information is collected, stored, and disseminated; what path a user may take to have a company correct incorrect information; and how the entity verifies that what it says is happening with the data is, in fact, happening.

Every company should have a privacy policy in place prior to accepting the first kernel of data from a customer or client. Conversely, every client should demand to see and review the policy of every entity with which they engage. The quickest way to determine how your information will be used or shared is to simply search for "use" and "share" within the policy. It is crucial that this simple step is not overlooked.

Christopher Burgess, Prevendra Inc.



Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
