How to read a privacy policy

Emma McGowan 17 Jun 2021

Before handing over your personal information, reading through certain parts of privacy policies is a small — but important — way to take back some of your digital identity.

It’s unlikely that you’ve read the privacy policy of every single app or website or online service that you use. In fact, it would be surprising if you’d read even one — most people haven’t. But as we all become increasingly aware of how much data is collected across the internet, knowing how to read a privacy policy is essential.

But privacy policies are long. And often full of weird language. And how do you even know what to look for? The first step, according to Avast Chief Privacy Officer Shane McNamee, is to not let it intimidate you. 

“Do what you can — even if it’s a little,” McNamee tells Avast. “You don’t have to do everything perfectly and you don’t have to have an advanced law degree to interpret a privacy policy. A lot of legalese is bollocks; it was developed over hundreds of years in order to get lawyers better paid.”

McNamee, a barrister himself, suggests focusing on the areas that are most important to you, rather than trying to read the entire policy. For example, is your biggest concern sharing with third-party advertisers? Or are you more interested in learning what personal information the service collects? Maybe you just want to check on app permissions. Determine what’s most important to you before you even tackle the document and you’ll find you have a much easier time of it.

To that end, McNamee says to look for headings, which a good privacy policy will have to direct users. 

“A good privacy policy should be layered,” he says. “It shouldn’t be one wall of undifferentiated text. If there are no navigational aids, that’s a red flag.” 

Once you’re cruising around the section that’s most important to you, McNamee says to keep an eye out for “overly generic text.” While a certain amount of every privacy policy will be more or less cut and paste in order to meet specific legal requirements, any policy that seems like it’s not talking specifically about the product in question should be scrutinized. 

If you want to take this part one step further, McNamee suggests doing a little studying of the privacy laws that apply in your area. And, really, we mean just a little.

“You don’t have to read the law itself cover to cover,” McNamee says. “A lot of the time these laws are more simple than you might expect — and the parts you need to know are contained in certain sections.”

For example, people living in Europe are covered by the General Data Protection Regulation (GDPR). If you try to tackle the whole law, it might look intimidating. But, McNamee says, most of what you need to know is in just a few articles: 5, 6, 12, 13, and 14. Familiarizing yourself with those articles will make reading privacy policies for European citizens — and for companies that are based in Europe — significantly easier. 

“It might seem like a lot, but it’s actually easier to read bits of the GDPR once than it is to read every single privacy policy in detail,” McNamee says. “You’ll see bits that are copy/pasted from legislation. They’ll use exact language and won’t bother to explain.”

On the flip side, some companies have created shorter privacy policies in the name of simplifying — but they leave out really important stuff. McNamee says that you should be wary of a privacy policy that uses “vague statements,” as they potentially give companies wiggle room that’s to their benefit, but not yours. 

Ultimately, very few of us have the time or patience to read every single privacy policy of every single service. But why not at least take a peek at the parts that matter to you before handing over your personal information and data? It’s one small — but important — way to take back some of your digital identity. 
