Facebook is fresh on our minds when we envision the implications of modern digital privacy regulation, even though well over 1.5 billion people continue to scroll its feed every day. “What’s interesting about the Cambridge Analytica situation — although it’s noteworthy for a lot of reasons, is it’s really just scratching the surface of some of the issues,” said David O’Brien, senior researcher at the Berkman Klein Center for Internet and Society at Harvard University. “You know, it’s the type of thing that people who study this have been shouting from rooftops now for more than a decade.”
Sifting through the number of digital privacy policies you encounter in a year — whether you realize it or not — roughly equates to 76 working days of reading. Not only could you spend over two months entrenched in legal jargon, you might also find you still don’t have a clear sense of what the service plans to do with your information once you’re done. Although Facebook updated its data policy to comply with the European Union’s General Data Protection Regulation (GDPR) last April, it’s still feeling the effects of reportedly “vague” former disclosures in the face of a multibillion-dollar privacy class action lawsuit.
Vague wording and updates aside, David O. Klein, managing partner at Klein Moynihan Turco LLP, says when you agree to these policies, you’re signaling you fully understand what information the company is taking, what it’s doing with your information, and that your consent can be used against you in the event you decide to challenge.
“Do I think anyone reads these agreements?,” asked Klein. “Generally, no, I don’t — but if someone checks the box and hits submit, that agreement is binding.”
The state of data privacy regulation
Europe upholds strict privacy and data laws with its GDPR, an opt-in regime. This means companies are bound to a user’s willingness to actively share information upon engaging with the service — these companies also can’t bury their intentions to share information under legalese and confusing privacy policies, either. In the U.S., California has made strides in putting users at the forefront of the privacy discussion with the California Consumer Privacy Act (CCPA) of 2018 — an opt-out regime that will go into effect January of 2020. The CCPA states you have the right to revoke consent to share information with third parties, find out what information a company has on you, and request to delete any incorrect data (and that company can’t discriminate against you for doing so). This only applies to companies in California or those collecting California state resident data.
While Klein doesn’t foresee the U.S. venturing too far into opt-in territory, he says California’s moves will trickle down to the rest of the country eventually, but without a federal law in place, individual states’ interpretations of strict enforcement would vary. Not only could this make things more complicated on the internet from a compliance standpoint, stricter regulation could also stifle these massive companies’ contributions to the economy, leading to negative repercussions that might affect consumers.
The Federal Trade Commission (FTC) serves as the resident watchdog in making sure American businesses live up to their privacy policies. Even though media giants Apple and Google are in full support of the idea, Congress, which enabled ISPs to collect and sell user information in 2017, still hasn’t reached an agreement on an overarching, federal digital privacy law. “I think that if we can get something similar to the GDPR in the U.S. that requires a company to agree to all these sorts of rules and obligations regarding their users’ data and there are serious penalties as a result, I think it can only be a good thing,” said Allyson Lynch, associate corporate counsel at Tata Consultancy Services.
Lynch says she negotiates data protection agreements on Tata Consultancy Services’ behalf as a data processor, meaning her company is asked to sign these agreements to ensure compliance with GDPR requirements. The E.U. isn’t necessarily seeing a unique version of the internet compared to the rest of the world, but it is tweaking the status quo: Companies with viewers, employees, customers, etc. based in the E.U. have until 2020 to prepare their systems to be GDPR-compliant, or else the fines for not having clear customer consent can go all the way up to 4% of annual global turnover.
O’Brien and a team of researchers at Harvard compared current big data extraction to that of longitudinal research studies: Only one of the two has strict regulations in place when it comes to safeguarding personal information. It’s not a one-to-one comparison, but O’Brien believes it can help establish the groundwork for how to think about regulation possibilities in the U.S.
“For the most part, this is the inmates running the asylum,” O’Brien said, referencing the U.S.’s self-regulatory approach to big data sharing. “And it’s not really by accident, either — the goal back then [in the 1990s — during initial internet popularity] was to create a vibrant internet — we wanted to be, as a country, a leader in technology.”
What to look for in digital agreements if you don’t have 76 days to read, as told by lawyers:
Considering it’s largely up to you to make sure you understand what these companies are doing with your data, we suggest reading every word to know exactly what you’re getting into. We also know that just isn’t possible all the time. These digital agreements are as unique as the products and services themselves, but there are some things you’re likely to encounter with nearly every contract. You can find this information by asking yourself these questions:
What’s the difference between a clickwrap and a browsewrap agreement?
On the other hand, the language: “by reading/using our site, you agree to…,” (or a browsewrap agreement), doesn’t enable for direct consent and won’t hold up in court as well as a more active motion (a clickwrap agreement), like physically clicking, hitting a submit button or signing up for a service.
A clickwrap agreement, courtesy of Facebook
What information does the company collect (and how)?
Keyword(s): personally identifiable information, (sensitive) information, location, device(s), ISPs
Always check to see what each business or service considers to be personally identifiable information and/or sensitive information, if a distinction is made between the two, and how direct the company is in describing this information. MailChimp, for example, is pretty thorough in refining its description of the information it pulls on you, specifying things like demographics, device information, and behavioral data.
Where is my information going, and what will it be used for?
Keyword(s): advertising, third-parties, personalization
It’s important to distinguish the information the company claims to be using for its own site versus what it’s giving to others. Facebook says it analyzes your interactions — the posts, videos, and other content you view and for how long you interact with the platform — which ultimately help it tailor your feed to things you’re interested in (including ads). This sounds fair, but you might not fully understand the mechanics. What you’ll often see in these terms is an accurate, yet semi-diluted version of what’s really going on with your data. “Sure, you can say, ‘we collected these pieces of information about you and shared them with other people, and maybe that’s somehow meaningful, but what’s happening is something more analytic, behind-the-scenes that’s harder to explain,” O’Brien said.
Machine learning and AI incorporation are also part of the complex data harvesting that occurs after you click “agree.” Some data you’re aware of giving over – likes, preferences, interactions – and some you might not be, like how often you linger on content you don’t interact with, and how your cursor moves. Just look at how these researchers found certain apps (GoPuff and Appsee) communicated in recording users’ screens for more accurate data without explicit consent.
“Apps don’t really need to listen to our conversations through a microphone, they already collect information through so many other sources, like what you’re searching on Google and Amazon,” said Martina Lindorfer, who helped author the study on whether our phones spy on us through the microphone. “There’s also a lot of data mining and processing going on in the background — they can learn a lot about you just by using all that data they collect from different services or apps.”
Zeynep Tufekci, associate professor at the UNC School of Information and Library Science, who declined to contribute to this piece, shared in a New York Times op-ed (reported by Vox) that the implications of this type of data extraction and usage transcend privacy violations. She found these algorithms (specifically YouTube’s) not only targeted viewers’ specific interests to increase viewership (read: amount of ads seen), but also “radicalized” content, subsequently creating an environment bustling with extremism and discrimination in the process.
Download reports, if available
After downloading a report from Facebook, we found a quite massive list of advertisers who had added our “contacts” to their lists based on information we shared with “them” or one of their “data partners.” We didn’t realize so many car dealerships had our information.
This is just a fraction of the “data partners” and “advertisers” that were given access to our tester’s Facebook information.
To what extent is the company allowed to use my information?
Keyword(s): license, perpetual
Look for a clause involving licensing, or what the company explicitly says it’s allowed to do with your data and content. When you share a photo on Facebook, for example, you’re giving the company the full right to store and share it with others.
You’re also acknowledging that when you delete your account, it’s possible not everything will go away. And in some cases, they might want to keep your data forever. “You want to make sure if it says “perpetual” you’re okay with it [the use of your data] being for the rest of your life,” Lynch said.
Would I be able to sue?
Keyword(s): arbitration, litigation, lawsuit
Spend some time looking at the dispute resolution language to see how comfortable you are with what the company requires. If the contract (terms and conditions) states arbitration as the method of conflict resolution, know this means you won’t be able to bring a potential issue into a courtroom. “Arbitration is something a lot of these companies like to push onto their customers, because it’s easier for them — it’s cheaper for them, and they’re usually able to get a more favorable ruling from the arbitrator than they would a judge and a jury,” Lynch said.
Spotify’s arbitration agreement within terms and conditions
Cookies — a buzzword you hear often but may or may not know what it means. They’re essentially bite-size pieces of information created by a site and stored on your browser that can keep track of your sessions. They can help these sites remember and identify/authenticate you — they can also take note of your preferences via your browsing history (and, of course, help target ads). The lifespan depends on whether its a “session” (deleted when you close your browser) or “persistent” cookie. But if you’re unsure of how many cookies you have lingering on the web, your browser should give you the option to delete any outstanding cookies (here are Chrome’s guidelines).
The bottom line
Our other reviews on privacy
Curious about your data? Check out our reviews on how best to play it close to the vest.