We've all seen those little checkboxes on website account creation forms. But few people actually stop and read the privacy policies attached to them. These documents can tell us a lot about a website's data practices. But the website owners know this, and they try their hardest to conceal the true extent of their data collection. In this article, I will explore the signs of a bad privacy policy, and what makes a good one.
Companies make very long privacy policies to discourage users from reading the whole thing and thereby prevent them from discovering the shady data practices contained within. One major example of this is Google's privacy policy. A very long privacy policy is an indicator of privacy violations hidden inside.
"We share data with trusted third parties..." "...for business purposes..." "We collect data to improve all our services..." "...which is used by our advertising partners..." These are all examples of the type of vague language used in privacy policies. It satisfies the legal requirements of the authors without actually telling you anything. If a privacy policy sounds like it was written by a lawyer, you are at risk of being sued—I mean, spied on. Privacy policies also use very technical language when talking about data collection without explaining any of it. This makes it sound normal and fine, when in reality [see image above⬆️] is being collected.
Companies that respect your privacy have nothing to justify in their privacy policies. If you see language like "we collect data to improve your experience", "provide more relevant advertising", or, as Meta puts it, "To research and innovate for social good" (despite the fact that Meta's services are bad for mental health and they know it), they're doing something wrong. If someone is being defensive, they have something shady to defend. Another red flag is any mention of the sharing of "anonymized" or "de-identified" data. Anonymization is a hoax, and the data can be easily traced back to you.
Sometimes, companies, thinking either that no one will read the policy or that their service is so useful that people will use it anyway, just say right out that they collect everything that exists about you. An example of this is Google, which in the middle of a very long privacy policy has a section telling the user that they collect device information, search history, browser history, IP address (and therefore location), name, phone number, and credit card information. They also have another section detailing further that they collect your demographics, biometric information, precise GPS location data, audio recordings of you, email contents, health information, and employment information. This is the easiest way to spot a bad privacy policy. If you see something like this, run away (figuratively).
"We don't collect any 'personal data'." This is the first line of Startpage's privacy policy. Documents like this one are the best privacy policies. They tell you exactly what happens with your data, exactly what is (or isn't) collected, and why, without using any technical language or legal camouflage. They are short (Startpage's fills 4 screens at 100% zoom) and easy to read, and hide nothing.
Many companies that are committed to privacy have extremely short actual privacy policies because they collect nothing. However, they use the extra space to tell the user about their data practices and safeguards in detail and give advice on how to protect your privacy in general. This is a good sign because it means the company is truly committed to user privacy.
Using these signs will help you determine whether the websites and apps you use are protecting your privacy or spying on you and selling your data to completely unregulated data brokers for all to see. Use these tips to protect your life from the spying eyes of Big Brother.
This article was published under Internet Security on March 28, 2023