When most of us encounter a privacy policy, it's usually a case of TL;DR (too long; didn't read). You're unlikely to go through it in detail, and even if you found something you didn't like or understand, there's little you can do if you want to interact with the organisation anyway.
But it's important to understand what data you're giving away in order to give informed consent. Here, we look at the issues with current privacy policies and explain what exactly you should look out for.
On this page:
- What is a privacy policy?
- The problem with privacy policies
- What to check in a privacy policy
- Clearer communication needed
- Are privacy policies still fit for purpose?
What is a privacy policy?
Privacy policies have become commonplace – a necessary response to an organisation's increased ability to collect personal information through the rise of digital interactions, and the increased value of consumer data as companies look to target people online.
So just when does a privacy policy apply and what is it for?
In Australia, government agencies, organisations with an annual turnover of more than $3 million and some small businesses such as health service providers must have a plain language statement that outlines how they handle personal information.
It must be available on the website, on paper or via a mobile screen.
Privacy policies should explain which personal details are collected, and how those details are collected, used, stored and even transmitted..
Ideally, privacy policies should build trust in people with the organisations they transact with and ensure the organisations are responsible in the way they handle sensitive information.
The problem with privacy policies
According to a 2020 Consumer Policy Research Centre (CPRC) survey, privacy policies in Australia don't help people make informed choices around the collection and use of their personal information, and they don't provide consumers with genuine choice or control.
The survey of 1000 consumers also found that most people don't read privacy policies, are compelled to accept terms they're not comfortable with and are uncomfortable with how their information is collected and shared.
Even among those who normally read the privacy policy attached to a website, 41% say they sometimes don't read it because it's too long, and 26% sometimes don't because it's too hard to read. So if you've found yourself confused by a privacy policy you can't comprehend or wade through, you're not alone.
Most people don't read privacy policies, are compelled to accept terms they're not comfortable with and are uncomfortable with how their information is collected and shared
Dr Normann Witzleb, adjunct associate professor in the faculty of law at Monash University, tells CHOICE that many organisations routinely collect or retain too much information.
"In some cases, it's because they operate a data-driven business model, generating profits from processing large amounts of personal data. In other cases, it's because their business processes do not see data protection as a priority," says Witzleb.
In cases where a privacy breach occurs, he recommends organisations should face penalties that are proportionate to the severity of the incident.
"There is also a need to properly fund the Office of the Australian Information Commissioner so that it can do its job," says Witzleb .
Most people use websites, apps and sign up to loyalty programs without reading the attached privacy policy.
What to check in a privacy policy
So you know what you should look out for, a privacy policy should include:
- the organisation's name and contact details
- the personal information collected and stored
- how and why it is collected
- how it will be used, disclosed and stored
- how to access and correct personal details
- how to lodge a complaint
- whether information is shared outside of the country, and if so, whereabouts and who is legally responsible if something goes wrong
- whether electronic copies of ID documents (such as a driver's licence) are made and if so how they are protected
- how long personal information is kept.
While this seems simple enough, privacy policies vary significantly in the amount of detail on these points and in the clarity of wording.
Should you skim read a privacy policy?
Short privacy policies aren't necessarily better – they may instead be vague and lacking in adequate detail. But if you're faced with a lengthy privacy policy, skim reading it is better than skipping it altogether.
Searching for some common terms will help you gain insight into how your details are handled and whether the information that's collected about you is appropriate to the organisation and your dealings with it.
Look for:
- 'personal information' to gauge how your information is defined and collected
- 'share with' used in conjunction with terms like 'affiliates', 'partners', 'related bodies', 'third parties', which means your data is likely going to other organisations
- 'identifying' or 'deidentifying', which refers to how personal details are removed from the data
- 'process', 'collect', 'store' and 'transfer' indicate how your data is handled
- 'offshore' or 'overseas' to tell you if your data is shared or stored externally
- 'complaints handling' to find out how the organisation deals with complaints about the use and handling of the data they collect from you.
When aiming to understand how an organisation uses your personal details, see if you can find the answer to these questions:
- What information are they collecting, why and how?
- How are they using this personal information and are they sharing it with anyone else?
Clearer communication needed
The privacy regulator, the Office of the Australian Information Commissioner (OAIC), says that privacy policies and notices need to communicate information handling practices clearly and simply, but also comprehensively and with enough specificity to be meaningful.
"They should be a transparency measure, not a take-it-or-leave-it rule of entry," a spokesperson says.
In practice, most policies give people little or no option but to accept it in order to access the product or service.
OAIC suggests that to address the power and information imbalance between individuals and organisations, people should be able to choose between providers and organisations based on their information-handling practices.
They should be a transparency measure, not a take-it-or-leave-it rule of entry
OAIC spokesperson
"Where alternative choices, products or services exist, privacy self-management mechanisms can influence the market to increase privacy protection in accordance with consumer demand," an OAIC spokesperson says.
If you want to make an official complaint about an organisation's privacy policy, go to the organisation's website and register the issue. And if possible, opt for another business.
If the concerns are more serious because you believe the policy doesn't comply with legal requirements, you can contact the OAIC.
CHOICE Tip: The Terms of Service, Didn't Read website (abbreviated as Tos;DR) is a nonprofit, open-data project set up to help people decipher the fine print of privacy policies and terms and conditions. It grades the policies of major sites like Amazon, Facebook and YouTube on cookies, tracking and personal data use.
Best practice privacy policy
A best practice privacy policy should:
- be downloadable so it can be saved and reviewed at a later date
- use plain language and be neither overly long nor too brief
- be structured in a way that's easy to follow
- define the important terms and set out clearly what information is collected and how it's stored and processed (including any offshore transfers)
- outline your rights and where to direct any queries or complaints.
CHOICE consumer data advocate Kate Bower says that too often privacy policies are written in impenetrable legal jargon that deliberately obscures bad data practices.
"The worst privacy policies do little to inform and empower consumers and instead seek to offer legal protections for businesses who exploit and profit from consumer data," says Bower.
A best practice privacy policy is written in simple and easily understood language that outlines what data is collected and for what purpose, and explains the context and principles underlying data collection. Given that organisations can have substantially more information about you than just the details you've provided, they need to be upfront about it. In addition to the information you provide, organisations can gather and buy data about you from partners and data brokers.
"As the myriad uses for data grow, so do the requirements for disclosure in privacy policies making them long, dense and difficult for the average person to read and understand. And most have limited protection for consumers," says Bower.
Consent fatigue
Witzleb points to the role of technology to empower consumers. In particular, the default settings in apps and websites should be to collect minimal personal data.
"The burden should not be on consumers to opt out of practices that they do not agree with," he says.
"Having to click your way through complex privacy menus for each website to protect your data is unreasonable and leads to 'consent fatigue', where consumers just give up on trying to protect their personal data," he adds.
Are privacy policies still fit for purpose?
There's one thing many people may not realise about privacy policies and data collection – the OAIC advises that consent is not always needed to collect an individual's personal information, although this may be examined soon.
The Attorney-General's Department is conducting a review of the Privacy Act looking at its scope and enforcements. It will consider consent, definitions of personal information and when and where this can be collected, among other things, although it won't extend to credit reporting.
There is a lot more that a business can do to ensure they're putting people first, including only collecting and using the data necessary to provide you with the service or product
Kate Bower, CHOICE consumer data advocate
Where appropriate, the OAIC would like to see strengthened notice and consent requirements in the Privacy Act that make it easier for individuals to understand how their information will be handled.
"Based on our regulatory experience, we recommend that the complexities of data practices are now such that reforms to notice and consent should be complemented with an overarching fair and reasonable requirement, and additional organisational accountability obligations that will redress the imbalance in knowledge and power between individuals and organisations," says an OAIC spokesperson.
CHOICE would like to see less of the burden on individuals to be informed about data practices and more focus on businesses acting responsibly.
We also support tough penalties for businesses that breach users' privacy and misuse and exploit customer data.
"A clear and simple privacy policy is the first step for businesses taking responsibility for how they collect and use our information. But there is a lot more that a business can do to ensure they're putting people first, including only collecting and using the data necessary to provide you with the service or product, which is what most of us would reasonably expect," says Bower.
Stock images: Getty, unless otherwise stated.