Things to look for in a privacy policy

Ghostery Icon
Jordanna Kalkhof November 5, 2019

Share This Post

Try Ghostery

Let’s be honest… most of us have read very few, if any, privacy policies. Even though sites and services are required to provide this information, we as consumers usually fall into one of three categories for reasons not to read them: Ignorance is bliss – I don’t know how my data and privacy is handled and it’s probably better that way. I just don’t care – This isn’t something I’m concerned about and it’s not worth my time. Or lastly, It’s too complicated – I care and would like to know more but the language is complicated, confusing, and I don’t know what I’m looking at.

Privacy preferences vary from person to person, and while the first two reasons are acceptable, the last is something that should be addressed. Legal jargon can certainly be confusing and hard to follow, making privacy policies difficult to read. However, if you care about your personal data and the way it is handled by companies and online services, don’t let this stop you. Whether you’re reading the whole policy or just skimming for details, here are a few topics to be on the lookout for:

(We’ll be using the Grubhub Privacy Policy as an example here)


How Your Information is Collected

This includes information that you voluntarily provide by using the site/service, such as your name, email address, birthday, etc. It may also include additional information that is collected in the background, such as location, device information, etc.

  • Example – Section 1: “The information we collect includes Personal Information that can uniquely identify you (whether alone or in combination with other data or information), such as your name, postal address, telephone number, email address, date of birth, or similar data. Personal Information also includes certain sensitive information related to your finances or, for business accounts, related to the finances of your employer, such as a credit card number or other payment account number (including the three [3] or four [4] digit validation code for your credit card)… We may also collect non-personal information from you, including information about your use of our Sites,.. Information collected automatically when you visit or use our Sites. We and our third party service providers may collect certain types of usage information when you visit our Sites, read our emails, or otherwise engage with us… We and our third party partners use tracking technologies, including cookies, web beacons, embedded scripts, location-identifying technologies, file information, and similar technology, to automatically collect usage and device information, such as:
      • Information about your device and its software, including your IP address, browser type, Internet service provider, device type/model/manufacturer, operating system, date and time stamp, and a unique ID that allows us to identify your browser, mobile device, or your account (including, for example, a persistent device identifier or an Ad ID), and other similar information. We may also work with third party partners to employ technologies, including the application of statistical modeling tools, that permit us to recognize and contact you across multiple devices.”

How Your Information is Shared

Look for how the information collected from you will be shared. This includes the company’s affiliates and other third parties they have relationships with. The notable thing here is the extent of the branch that’s being formed between these relationships; also, as your information is passed between these companies, privacy policies and the way your data is handled may change.

  • Example – Section 3: There is a long list of ways that Grubhub may disclose your information. One of which is with third-party “targeted advertising and marketing” services. Another point states it may disclose information “to restaurants and brands from which you have placed orders through the Sites as well as their affiliates and third party service providers. These restaurants, brands, and their affiliates, may use your information as permitted by their own privacy policies, which could include sending you marketing communications and other promotional content.”

How Your Information is Used

All of this information is collected for a specific purpose. Some are necessary for the business to function, while others are nonessential and become an annoyance to the consumers. This may also include selling your data to third parties to make a profit.

  • Example – Section 2: Similar to how your information is shared, there is a long list of ways the information collected is used. Many of these are what you’d expect needs to be done to process requests and purchases. However, it also includes how your information may be used for marketing purposes such as “to inform you of products, programs, services, and promotions that we believe may be of interest to you, including, without limitation, adding you to our mailing lists and sending you emails or push-notifications from time to time, and permitting you to participate in sweepstakes, contests, and similar promotions (collectively, “Promotions”).”

How You’re Being Tracked for Information

Some sites use more tracking technologies than others. If you use the Ghostery Browser Extension, you’ve seen how some sites may only have a few trackers, while others have, 20+. This is how much of the information being collected by sites is gathered to target you with ads and build personal profiles.

  • Example – Section 4: “We participate in interest-based advertising and use third party advertising companies to serve you targeted advertisements based on your online browsing history and your interests. We permit third party online advertising networks, social media companies, and other third party services to collect information about your use of our Sites over time so that they may play or display ads on our Sites, on other websites, apps, or services you may use, and on other devices you may use. Typically, though not always, the information used for interest-based advertising is collected through cookies or similar tracking technologies. We may share a common account identifier (such as an email address or user ID) or hashed data with our third party advertising partners to help identify you across devices. We and our third party partners use this information to make the advertisements you see online more relevant to your interests, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research.”

How the Retention & Deletion of Your Information is Handled

Data retention refers to how long the site can store the information they have collected from you. This is not always included in the privacy policy or may be vague. (In this case, what is considered “reasonably necessary”?) You may also find information here about how data deletion is handled and the rights you have if you want your information removed.

  • Example – Section 10: “We and our third party service providers will retain Personal Information for at least the period reasonably necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. If we delete some or all of your Personal Information, we may continue to retain and use aggregate or anonymous data previously collected and/or aggregate or anonymize your Personal Information.”


The next time you’re making an online purchase, signing up for a service, downloading an app, or whatever it may be, give the privacy policy a skim for these five things. You may find you’re uncomfortable with the data practices of some of your favorite or most frequently used sites and services.

Subscribe to our newsletter