Comparing the privacy policy of internet giants side-by-side


Any company or organization that collects information about its customers or users ought to have a privacy policy. A privacy policy describes all of the ways that a company gathers, uses, and discloses user data. Some consider privacy policies legally binding documents, while others argue they are mainly for informational purposes.

Privacy policies contain much of the same information as terms and conditions, terms of service, or end-user license agreements, but they tend to be easier to digest and not full of legal jargon. Good privacy policies are straightforward, concise, and transparent.

To better help our readers understand and compare privacy policies, and to provide some guidance to companies trying to craft policies of their own, we’ve analyzed several from the world’s largest internet companies. For each company, we summarize three main points: what information is collected, how it is used, and who can access it. We also score each company based on three subjective factors:

We realize that not all companies can be compared side-by-side. A social network will require a different privacy policy than an ecommerce company, for example. So we’ve categorized each company into one of five verticals: major platforms, social media, VoIP and messaging, ecommerce, and streaming entertainment.


We plan to start out with these companies and build from here. If you would like to see another company’s privacy policy analyzed, leave us a note in the comments.

Major platforms

Major platforms are the global powerhouses that are more or less inescapable for internet users. They make operating systems, search engines, email clients, and hardware devices among many other things.

Google

Google is a massive company with its fingers in just about every internet-related vertical you can think of. While its privacy policy, which covers all Google services, is easy to read and very clear, it can be difficult to fathom how it plays into everything from the Play Store to Search, Gmail, Maps, Android, YouTube, and much more. Google’s prevalence means it probably knows more about you than any other company on Earth.

What information is collected?

How is the information used?

The information Google collects is used to “provide, maintain, and protect” Google services. This includes more relevant search results and tailored ads.

If you have a Google account, your name, profile picture, and actions you take (such as +1’s) may appear publicly depending on your visibility settings. If you +1 something, for example, your contacts in Google may see it displayed as a shared endorsement in search results.

Account details, device, and language settings are used to give a consistent appearance across all Google services.

Google will not use cookies to associate you with ads based on race, religion, sexual orientation or health.

Automated systems will analyze Gmail and Drive content to customize ads and search results.

All of this information can be shared between different Google services.

Who can access the information?

Google offers account holders the option to review, manage, and control what information it collects and how it is shared.

Google will share personal information with companies, organizations or individuals outside Google with your consent. Consent includes accepting app permissions and information requested by third parties when you log in with your Google account.

Your personal data may be given to Google’s affiliates to be processed. This information is kept confidential.

Your personal data may be given to third parties, including law enforcement, to comply with government requests. Google says, “Our legal team reviews each and every request, regardless of type, and we frequently push back when the requests appear to be overly broad or don’t follow the correct process.”

Information that cannot identify you personally may be shared publicly, e.g. for Google Trends.

Domain administrators have their own privacy policies, so don’t assume that you are protected by Google’s privacy policy if, for instance, your company email uses a Gmail domain.

Apple

Unlike Google, Apple is not primarily an advertising company, so it has less interest in mining your personal details for profit. Apple divides up the information it collects into two categories: personal and non-personal. That sounds simple enough, but the two become harder to distinguish the further you delve into the policy.

What information is collected?

How is the information used?

Personal information is used to update customers on product announcements, software updates, events, purchases, and changes to Apple’s terms, conditions, and policies.

Then there’s the non-personal information. This can be used or shared with third parties whenever Apple wants “for any purpose” but is not associated with any specific individual. This is mainly used to help target advertisements in the App Store and iTunes, for example.

To sum it up, Apple can use both your personal and non-personal information internally however it wants: to advertise, market, improve products and services, send updates, prevent abuse, etc.

Some personal information such as age might be used to help identify users and serve appropriate content.

If your personal info happens to be lumped together with your non-personal info, it can’t be used by any third parties until the two are separated.

Third parties can only use your non-personal information to build a sort of faceless profile. This is used to serve you ads and other targeted services, but they cannot identify you as an individual because they don’t know your personal information. Instead, they identify you using tracking cookies and possibly an IP address.

Location data used by Apple and third parties is not associated with and does not contain your personal information, save for a few exceptions such as Find My iPhone. The information is used to provide location-based products and services, which can include advertising. Note that Apple’s privacy policy doesn’t cover how third-party apps use your location data if you opt in to their location services.

Device information is used for trend analysis, site administration, improving products and services, assessing geographic data, and marketing and advertising.

Pixel tags are used to determine whether a customer opens an email.

Who can access the information?

Personal information can only be used by Apple and its “strategic partners”, which are obligated to protect your information. This includes mobile carriers, for activating new devices.

This information is only shared by Apple to provide or improve products, services and advertising, but it is not shared with third parties for their marketing or advertising purposes.

Non-personal information is shared with third parties for marketing, advertising, and other purposes. We recommend that users with Apple IDs enable “Limit Ad Tracking” on their accounts, which will prevent them from receiving targeted ads on all their Apple devices and accounts and on third-party apps.

Apple will hand over personal information about its customers to government agencies and law enforcement if “disclosure is necessary or appropriate”, to enforce terms and conditions, or to protect Apple and its users.

Microsoft

Microsoft’s privacy policy is quite clear about what information it collects, but could use a bit of improvement on how it is shared. A notable omission is telemetry data from Windows, which caused a stir among privacy advocates after the release of Windows 10. Microsoft’s products and services include Windows, Bing, Cortana, Groove, Health services, Translator, MSN, Office, OneDrive, Xbox, Outlook, Silverlight, Skype, Store, Swiftkey, and more.

What information is collected?

How is the information used?

Microsoft categorizes the personal data it gathers into three basic purposes: business operations and providing products, sending communications, and advertising.

The first category includes personalizing customers’ products and recommending new ones. Software and hardware activation require some personal info. Product improvement uses search queries, error reports, and A/B testing. Usage data is used to prioritize these improvements. Audio recordings are analyzed to improve speech recognition. Personal info and usage data are also used to improve product security and prevent fraud. These include malware and phishing scans on content.

The second category, communications, includes email and other media used to inform you when subscriptions are ending or products need updating, invite you to participate in surveys, remind you about your shopping cart, update you about service and repair requests, or alert you to account inactivity. This also includes any promotional subscriptions you signed up for.

The final category, advertising, is perhaps the one of most concern because this is where Microsoft shares your information with third parties. Ads can be based on your location, search query, the content you are viewing, interests, favorites, and usage data from both Microsoft sites and apps and those of its partners. To provide this “interest-based advertising” on third-party sites and apps, tracking cookies are used to associate your collected data with your IP address (and possibly other identifiers).

Microsoft does not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you. You can opt out of receiving interest-based advertising from Microsoft by visiting the opt-out page. Microsoft does not deliver interest-based advertising to anyone under 13-years-old.

Data is stored for up to 13 months unless you agree to allow Microsoft to retain it for longer.

Health-related advertising applies to the US only. Based on your interests and usage, Microsoft will advertise to you based on your “allergies, arthritis, cholesterol, cold and flu, diabetes, gastrointestinal health, headache / migraine, healthy eating, healthy heart, men’s health, oral health, osteoporosis, skin health, sleep, and vision / eye care.”

Who can access the information?

Microsoft web beacons and cookies do not just appear on Microsoft-owned apps and sites, but also those of its partners. Microsoft specifically mentions A9, AOL Advertising, AppNexus, Criteo, Facebook, MediaMath, nugg.adAG, Rocket Fuel, and Yahoo in its privacy policy, but the list is likely much longer than that.

All of those companies use cookies and web beacons to collect your information and in turn target you with ads when you visit Microsoft-owned apps and sites. Microsoft isn’t totally clear on this, but it stands to reason that any information collected on you by third parties bearing Microsoft cookies and web beacons is associated with your IP address. Microsoft, which also has your IP address, can then combine that data to fill out your advertising profile.

Microsoft says it will share information when required by law, but does not give any indication about how much it scrutinizes court orders, subpoenas, and warrants before complying.

Social Media

Facebook

Facebook has a plainly worded, thorough, and well-organized privacy policy. What concerns us most, however, is not just that Facebook collects information on users based on their own information and activities, but that it can collect information on a user from that user’s friends. This makes even the most careful and thorough Facebook user vulnerable to the actions of their less privacy-conscious friends. A friend who uploads their phone contacts or plays an online quiz could unwittingly be handing over information about you for example. This can be mitigated somewhat through settings, but those settings are not always apparent and can be buried within several disparate menus.

What information is collected?

How is the information used?

Facebook uses your personal data to provide services, communicate, advertise, and ensure security.

To provide and improve services, Facebook uses your personal info to personalize and recommend content. This might affect what appears in your news feed, for example. It’s also how Facebook is able to recommend who to tag in a photo or post. Location is used for check-ins and finding nearby events.

Communication includes updates to terms of service, marketing and promotions, and informing you of new services. It’s also used for support purposes.

Everything Facebook knows about you is used to target advertisements and measure their effectiveness on Facebook. Off Facebook, advertisers are limited to “non-personal” information that excludes things like your email address and name, and instead uses cookies and your IP address to identify you. You can manage these settings here.

For security purposes, Facebook may use your personal information to verify your identity and prevent abuse.

Tracking cookies are used to authenticate your account when you use a Facebook action (Like, Share, or log in) on a third-party site. They can track your activity on other sites, such as what you purchased, and are then used to serve targeted ads on Facebook. They can determine whether you clicked or viewed an ad. Finally, Facebook uses cookies to store preferences and provide tailored content.

Who can access the information?

The scope of who can see what you share and post is determined by your Facebook settings. We recommend you review them if you have not already. Some of your profile information is public. This info can be accessed by search engines, APIs, and offline media like TVs. Who can see your posts and comments on another person’s profile is determined by that person’s settings. People can also see information that others post about you.

Whenever you authenticate or authorize a third-party app or website using your Facebook account, it asks for a list of permissions. They have access to all of that information until you remove that app from your account. You can also give those apps and sites access to your friends’ information, and they can conversely hand over information about you unless you change your settings to say otherwise.

Any web page with a Facebook Like or Share button, or that uses Facebook authentication or authorization for log in and registration purposes, is almost definitely putting cookies on your device. These cookies track your behavior and report it to Facebook, which is in turn used to serve targeted advertisements. Third parties can also use these cookies on their own sites, and Facebook advertisers have some access to the data to measure the effectiveness of their ads.

When faced with legal requests from governments and law enforcement, Facebook will hand over your personal information if it believes in good faith that the law requires it to do so. This includes governments of countries outside the US.

Reddit

Reddit has a fairly straightforward privacy policy for its simple but popular service. Its data collection policies are reasonable; it doesn’t collect too much and doesn’t share too widely.

What information is collected?

How is the information used?

User profiles and interests are built and used to personalize the content and advertisements that appear on Reddit. Reddit will also communicate with users about products, services, offers, promotions, and events and provide other news and information relevant to users.

The data collected is monitored to analyze trends, usage, and activities.

Reddit uses personal information to provide, maintain, and improve its services. It’s used to protect users and Reddit from fraud, spam, and abuse. Technical notices, updates, security alerts, customer service, and invoices use your contact information to keep you informed.

Reddit deletes IP addresses after 100 days except for the one used to create your account.

Who can access the information?

Your username, posts, and comments are visible to the public. Even private or quarantined subreddits can become public later. Karma, trophies, moderator status, Reddit Gold status, and how long you have been a member are also public.

Ad partners and networks may use cookies to collect information when you see ads on Reddit, but Reddit does not provide your actual Reddit account details to these advertising partners. “This means that Reddit does not share your individual account browsing habits with advertisers. Reddit cannot see advertisers’ cookies and advertisers will not see Reddit cookies.”

Reddit uses Google Analytics to collect user information in aggregate.

Messages sent through Modmail can be forwarded to the moderator’s personal email account and are subject to their email provider’s privacy policies.

Third party vendors, consultants, and service providers can have access to your personal information for processing purposes.

Information is shared when a legal request for information is submitted by law enforcement and other government agencies. Reddit will try to give you prior notice if possible.

Twitter

Twitter is a very straightforward service and it handles relatively little private information. Most of the information you provide is openly shown on your profile, and any identifying private information you provide is not used by third parties. The wording of the privacy policy could be a bit more clear in how the collected information is used, however.

What information is collected?

How is the information used?

Your profile, handle, tweets, followers, who you follow, and lists are public info. Other information can also be public with your consent including your bio, location, website, date of birth, and profile photo.

Contact info is used to enable certain features such as login verification (2FA) and Twitter via SMS; to prevent spam, fraud, and abuse; to send marketing or promotional materials; and to send general service messages.

If you sync your address book, this is used to generate follow recommendations and make other suggestions.

Location info lets you Tweet with your location and is used to personalize the service with local content and serve relevant ads.

Cookies and link data are likewise used for personalization and advertising both on and off Twitter.

Data collected directly from Twitter and its services is deleted or de-identified after 180 days or less.

Third-party sites that use Twitter widgets such as Tweet buttons also send log data to Twitter. After 10 days, that data is deleted, de-identified, and/or aggregated with other people’s data. This info is collected even if you don’t have a Twitter account.

Who can access the information?

Public and non-personal information can be used by third parties including advertisers to help target ads. This information is not linked to you directly and instead identifies you using your IP address and/or cookies.

Third-party apps and websites will request information when authorized or authenticated with your Twitter account. This info is shared at your discretion.

Information is processed by service providers on Twitter’s behalf and is not to be used for other purposes such as advertising.

Information can be preserved or disclosed to comply with laws, regulations, legal processes and government requests.

LinkedIn

LinkedIn knows a lot about your professional life and it leverages that data to make money. Beyond the standard non-identifying advertising scheme, LinkedIn also provides your personal information to recruiters and marketers. This leads to the problem that LinkedIn is notorious for: spam. The privacy policy is well-organized but leans a bit too heavily on legal jargon.

What information is collected?

How is the information used?

The visibility of much of your profile information can be changed in your account settings, but this info can still be used to target you with ads so long as it does not directly identify you. Consider it public by default.

Web beacons, cookies, pixel tags, ad tags, and mobile identifiers are used to serve ads both on and off LinkedIn. These technologies provide a means for ad networks to identify you without using private information and conversely collect information about your activity on third party sites to send back to LinkedIn. Websites that contain LinkedIn buttons and other plugins can also collect information on your activity.

Both LinkedIn and websites that use its services such as Share buttons collect info when you click on ads, import address books, authenticate apps and websites with your account, join and participate in groups, answer polls, view content on Pulse or Slideshare, or share articles.

Information is used to recommend members, news, groups, and presentations.

If you delete your account or change profile information, the old data is retained for up to 30 days. Information collected by third-party sites using widgets like the Share button that you did not interact with is removed after 7 days.

Who can access the information?

Contact information is shared with individuals you contact through LinkedIn.

First degree connections can see your full profile and contact info. Recruiters and professional subscribers can also see your full profile even if you do not approve their InMail or connect with them.

Third parties can look up profile information (subject to your privacy settings) using your email address or first and last name through the profile API. Apps and websites can access select information in your profile with your permission, such as when logging into an app using your LinkedIn account.

Third parties can target advertisements to you on the results page based on your answers in a poll. Third parties may follow up with you via InMail regarding your participation unless you have opted out of receiving InMail messages. LinkedIn can use third parties to deliver incentives to you to participate in surveys or polls. If the delivery of incentives requires your contact information, you may be asked to provide personal information to the third party fulfilling the incentive offer, which will be used only for the purpose of delivering incentives and verifying your contact information.

Users can use the search function to find a profile based on its details including skills, experience, industry, and profession.

Recruiters, marketers, and salespeople can target you using your name, headline, current company, current title, and location among other things. This can be restricted by configuring your

Instagram

Instagram only really collects and shares the information you directly provide. The privacy policy is clear and concise with specific examples provided when appropriate. We would have liked to know more about how Facebook’s ownership of Instagram affects its own privacy policy, though.

What information is collected?

How is the information used?

Account info and cookies can be used to help you access information and stay logged in without having to re-enter your credentials.

All of your info can be used to personalize content and advertisements within Instagram.

Analytics and device info, among other data, is primarily used to provide, improve, test, and develop Instagram features. Instagram monitors key metrics such as number of visitors, traffic, and demographics.

Hashtags and geotags are used to promote contests, special offers, and other events.

Who can access the information?

Facebook owns Instagram, and the latter’s privacy policy states that pretty much everything it collects can be shared with affiliates, including Facebook.

Cookie data is shared between third-party sites and used to serve ads both on and off Instagram.

User content you post is public by default unless you change your settings. It’s searchable by other users and third parties who use the Instagram API.

Service providers may process your information on behalf of Instagram.

Instagram will comply with legal requests such as warrants, subpoenas, and court orders when the law requires, including in jurisdictions outside the US.

VoIP and messaging

WhatsApp

WhatsApp uses end-to-end encryption that even it cannot break* and third-party advertisers are not permitted to gather information nor display their ads in the app. It doesn’t even require a real name or email address–just a phone number. This makes it an excellent choice for the privacy-conscious, but remember that it is owned by Facebook, so things could change down the road.

What information is collected?

How is the information used?

WhatsApp does not read the content of your messages.

Much of the information is used to provide, improve, repair, develop and customize the service.

WhatsApp does not have ads in its app. Cookies are used for diagnostics and providing its web-based app.

Contact info is used to inform users about updates and changes.

Third-party businesses are allowed to use WhatsApp for marketing and promotional communication, but the user has full control over who can and can’t send them messages.

Who can access the information?

Your phone number, profile name and photo, online status and status message, last seen status, and receipts can be seen by anyone who uses the service by default, though some of this can be switched off in the settings.

Third-party providers might process your information on behalf of WhatsApp and according to its instructions and terms.

If you use a third-party service that’s integrated with WhatsApp, those services will receive information about what you share with them. This includes backup providers like iCloud and Google Drive.

Skype

Snapchat

Snapchat is very public in nature, but even so its privacy policy leaves much to be desired. Some of the information collected is vaguely worded as “metadata” or “details”. Third parties can use cookies on Snap’s services, which in turn means that data is covered under a different company’s privacy policy.

What information is collected?

How is the information used?

Snaps are automatically deleted after they’ve been opened by all recipients or they expire. Other info is kept for an indeterminate amount of time. Snapchat reminds users that other users can use outside methods to capture and retain data they gather from Snapchat on their own behalf, for which Snap is not responsible.

Snapchat uses the information it collects to provide, improve, and develop its service. That includes personalizing content, friend recommendations, and advertisements.

Snapchat will use your email and other contact information to send you information about updates, changes, promotions, services, and promotional offers.

Cookies, web beacons, and advertising IDs are used on and off of Snapchat to collect data, customize your experience, and serve targeted advertisements.

Precise location data is used to tag your memories and personalize advertisements if you consent to its collection.

Some information is used to verify your identity, prevent fraud and spam, enhance safety, and enforce Snap’s terms of service.

Who can access the information?

Other Snapchat users can access your profile info, your friends, friends of friends, info you’ve shared from your contacts, and the content you share.

Aggregated, non-personally identifiable, or de-identified information is shared with third-party advertisers. These advertisers will instead identify you through a cookie, advertising ID, web beacon, or similar technology.

Your profile and information you share to Live, Local, and other crowd-sourced services are public.

Your information might be processed by a third party on behalf of Snapchat.

Snapchat will comply with legal requests for information such as subpoenas and court orders.

Other companies may use cookies, web beacons, and other tracking technologies on Snapchat that collect information about you.

Ecommerce

Amazon

Amazon’s privacy policy almost feels like an afterthought. It doesn’t even mention Kindle, Echo, or Prime Video. It lists the information it collects when you use Amazon.com, but doesn’t delve much into how that information is used or how long it is retained.

What information is collected?

How is the information used?

Information you provide including account info, user, content, and user activity is used to respond to requests, customize shopping, improve the stores, and communicate.

Location and device info are used to customize advertisements, search results, and other content.

Credit history is used to prevent and detect fraud and to offer certain credit or financial services.

Pixel tags are used to determine whether you opened an email from Amazon.

Cookie data is used to remember preferences such as one-click ordering and recommendations. They are also used to serve targeted advertisements on third-party sites.

Who can access the information?

If you make a purchase from an affiliate store not controlled by Amazon, the store will share customer information necessary to complete the transaction.

Third party service providers receive and process your information on behalf of Amazon. These include shipping companies, data analysis, credit card processors, and customer service.

Amazon will share account information with law enforcement when appropriate to comply with the law and protect itself and customers.

Cookies collect behavioral data on third party sites that is logged by Amazon. Conversely, Amazon uses cookies as identifiers to serve ads on third party sites.

Ebay

Ebay isn’t totally clear about what info it hands over to third parties and which is held privately by Ebay. Note that Ebay’s privacy policy is separate from its cookie policy. Perhaps most concerning is that Ebay will scan your social media activity and info if you signed up with a social media account. Other than that, it’s pretty much what you’d expect.

What information is collected?

How is the information used?

Account info is used to access and use Ebay and contact you about your account, service updates, disputes, and polls.

Transaction and third-party credit info (likely from credit bureaus) are used to send you credit offers, collect fees, and provide customer service. Relevant payment information is given to PayPal.

User activity, content, and profile info is used to customize site content including recommendations and keep track of your basket, collections, purchase history, scores, bids, and internal messages.

Location data is used to customize ads, search results, and other content.

All information collected can be used to target you with ads according to your account preferences. Account information can be used to offer discounts and promotions.

Social media information is stored for at least two years or until you withdraw consent. This info is used in advertising and content personalization.

Ebay will use any information as it sees fit to comply with the law, investigate fraud and abuse, and protect its service and customers.

With the exception of social media info, all information that Ebay collects can be stored indefinitely, sometimes even if you close your account.

Cookies, web beacons, unique identifiers and similar technologies collect behavioral info about the pages you view, the links you click and other actions you take on Ebay websites, advertisements, and emails. Cookies can be used to target you with ads both on Ebay and third-party sites. Conversely, persistent cookies can collect behavioral info from other sites and deliver it to Ebay.

Who can access the information?

Upon your request, Ebay will close your account and remove your personal information from view as soon as possible.

Ebay, Inc members can use your information to provide and improve content and services, personalize advertisements and marketing, and prevent fraud and abuse.

When transacting with another user, they may request your name, account ID, email address, contact details, shipping and billing address, or other information. They are not allowed to use this information for any purpose other than fulfilling the transaction, according to the rules.

Third parties can view your information to provide payment processing, advertising, fraud detection, bill collection, affiliate and reward programming, and co-branded credit card services.

Your information may be handed over to credit reporting agencies in the event of late or missed payments or defaults.

Streaming entertainment

Youtube

Netflix

While we’ve often been at odds with Netflix for discriminating against users based on their IP address, the company as a whole isn’t promiscuous with its customers’ data. This is largely because it doesn’t run ads on its platform. Some of the language of the privacy policy seems a bit too vague, however; in particular it doesn’t detail what customer information goes into its advertising scheme, how that information is de-identified or aggregated, or how it uses cookies.

What information is collected?

How is the information used?

Your IP address is used to determine your location, provide localized content, determine your ISP, and make recommendations.

All information is used for analytics and improving the service.

Cookies are used for identification and authentication of members, features and functionality, and targeted advertising.

Contact information is used to communicate with customers about Netflix including updates, news, offers, promotions, surveys, and customer service. These can come in the form of emails, push notifications, text messages, and online messages.

Who can access the information?

Netflix mentions that it works with service providers to provide marketing and advertising, but these providers perform services on Netflix’s behalf and do not act independently.

Netflix will use your information when necessary to protect itself and customers and to comply with the law.

Netflix shares your information with third parties as needed for data processing, customer support, making improvements, processing payments, and offering joint promotions.

Hulu

Hulu doesn’t go into much detail about how each type of information collected is specifically used. Instead, it gives vague “Use in general” bullet points, and it’s up to you to figure out what information is used for which purpose.

What information is collected?

How is the information used?

Account and payment info are used to provide the service, to contact you (including for promotional offers), and to prevent abuse.

Other info can be used for customizing content, targeting you with ads, analyzing how well those ads and recommendations perform, and compiling aggregate data for “internal and external business purposes.”

Cookies are used to serve targeted ads on third-party sites and collect behavioral data on how you use third-party sites.

Who can access the information?

Social networks that you have connected to Hulu can share your activity, including shows you watch and like.

Third-party advertisers will receive de-identified info about you including your use of Hulu, websites you visited, advertisements you viewed, and other activities online.

Content licensors, ratings agencies, and advertisers on Hulu can use your viewing information to measure the performance of videos using third-party measurement software.

Service providers and business partners may use your information on Hulu’s behalf for processing, management, marketing, and support.

Hulu will disclose your information to law enforcement to protect itself and its customers, prevent abuse, and when required to do so by law.

How to make a better privacy policy

The FTC recommends companies publicly disclose and alert users of changes in their privacy policy whenever “significant” changes are made. Because significance is arbitrary, many experts advise that companies simply send out a notice every time they update the privacy policy, just to be as transparent as possible.

Be specific. Don’t use vague or jargon-laden language. Say in plain language what information the company collects, how each of those pieces of information is used, and who each one is shared with.

Don’t use a “set-it-and-forget-it” approach to privacy. Instead of asking for permission to use all of a user’s information all at once, allow users to opt in to information-sharing features as needed. Facebook, for example, asks the user the first time it requires any new permission, such as access to the camera, GPS, and storage. Depending on your service, it can also be wise to expire these permissions and ask again after a certain amount of time.

Concise does not mean short. Concision is good; it means your privacy policy will be easy to read and well organized. A privacy policy that’s too short, however, might not adequately address all of the information collected, how it’s used, and who it’s shared with. Be thorough.

Remember to include details about how long data is retained. Do you delete data after a month? A year? Or do you store it indefinitely?

Glossary

Disclosure: all of the information in this article is based on the author’s interpretation of each company’s respective privacy policy. The author is not a lawyer and nothing in this article should be taken as legal advice.