Most people don't have the patience to read privacy policies. But privacy is important, and we shouldn't just trust that products are treating our data right. PrivacySpy uses a consistent rubric to grade privacy policies on a ten-point scale.
Most privacy policies are convoluted—sometimes even intentionally so. They can be difficult to read, and even more difficult to comprehend. Rarely do they provide actionable insight into protecting one's data.
Making matters worse, companies are often only held accountable for their privacy practices when a data breach occurs or when they experience fallout from mishandling user data (think Facebook's Cambridge Analytica scandal, for example).
If companies were held accountable for their privacy policies—not just for creating policies, but also for creating good ones—our data would be safer. Because privacy matters.
PrivacySpy makes privacy policies more convenient and accessible for those who simply don't have the time—or patience—to read full privacy policies themselves. Privacy policies should be more than just a box to check; they are fundamental to ensuring data transparency and allowing users to make informed choices. Here's how PrivacySpy is trying to make this our reality:
Ratings — We rate our policies using a consistent and vetted rubric. You can understand the key features and drawbacks of any rated policy at a glance.
PrivacySpy uses a number of terms to describe how companies handle personal information. To ensure consistency, we've defined the key ones below. Note that our rubric, ratings, and definitions are not intended to be read as legal documents.
Personal data — (from the GDPR) "any information relating to an identified or identifiable natural person ('data subject')" (examples include IP addresses, individual usage statistics, etc.)
Non-critical purposes — any use of personal data beyond what is reasonably necessary to provide the user the desired core service (a critical use of personal data would be using email addresses to send password reset emails; a non-critical use of personal data would be using email addresses and browsing habits to serve behavioral marketing)
A product's overall rating is calculated according to its subratings in all of the rubric questions (see below). Higher ratings are better. Here are the steps our scoring algorithm takes to calculate the overall score:
- Find the total number of points the policy receives across all rubric questions (subscore sum);
- Find the total number of possible points to receive (maximum score sum);
- Divide the points received by the points possible;
- Multiply by 10 (to fit the score to the final ten-point scale).
For example, if there are three total questions with max scores of 5, 10, and 10, the total number of possible points is 25. If a policy receives scores of 4, 7, and 6 on each of those questions (respectively), it will have received 17 points. The overall score would be (4 + 7 + 6) / (5 + 10 + 10) = (17 / 25) = 0.68, which, when fitted to our final ten-point scale, is displayed as 6.8.
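The scoring steps above, carried through in code. This is an added example, not PrivacySpy's own implementation; the `Subrating` structure and the question labels are assumptions, and the sample values are the ones from the worked example in the text. It also shows what the prose leaves implicit: because the ratio is a sum of points over a sum of maximums, a question with a maximum of 10 carries twice the weight of one with a maximum of 5, so the result is not the average of the per-question percentages.

```python
"""Worked example of the PrivacySpy overall-score calculation.
Added example; data structures and labels are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subrating:
    question: str      # rubric question label (assumed; constructed below)
    points: float      # points the policy received on this question
    max_points: float  # maximum points available for this question


def score_ratio(subratings):
    """Steps 1-3: subscore sum divided by maximum score sum, in 0.0 .. 1.0."""
    if not subratings:
        raise ValueError("a rubric needs at least one question")
    for s in subratings:
        if s.max_points <= 0:
            raise ValueError(f"{s.question}: max_points must be positive")
        if not 0 <= s.points <= s.max_points:
            raise ValueError(
                f"{s.question}: points {s.points} outside 0..{s.max_points}")
    received = sum(s.points for s in subratings)      # subscore sum
    possible = sum(s.max_points for s in subratings)  # maximum score sum
    return received / possible


def overall_score(subratings, decimals=1):
    """Step 4: scale the ratio to the ten-point scale, one decimal as displayed."""
    return round(score_ratio(subratings) * 10, decimals)


def mean_of_percentages(subratings):
    """Not the PrivacySpy method; included only to show the weighting difference."""
    return sum(s.points / s.max_points for s in subratings) / len(subratings) * 10


# Constructed sample matching the worked example in the text (max 5, 10, 10).
EXAMPLE = [
    Subrating("Q1", 4, 5),
    Subrating("Q2", 7, 10),
    Subrating("Q3", 6, 10),
]

if __name__ == "__main__":
    print(score_ratio(EXAMPLE))          # 0.68
    print(overall_score(EXAMPLE))        # 6.8
    print(mean_of_percentages(EXAMPLE))  # differs, since Q1 is under-weighted here
```

The validation in `score_ratio` rejects a rubric with no questions (division by zero) and a subrating outside its own maximum, which is the kind of data-entry error a maintainer would otherwise only notice as an overall score above 10.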
A key element of PrivacySpy is its ratings, which are calculated based on a consistent rubric. All of our scores are fully transparent and backed by citations and/or notes.
Note that while we do our best to ensure accuracy and consistency in our grading, there are bound to be some errors. If you find an error, please correct it using our 'suggestions' functionality (or offer to be a maintainer yourself). Thanks for helping us make PrivacySpy even better.
If you have an idea for how we could improve our rubric, or want to learn about how to contribute, check out the contributing guide.
Our rubric is shown below.
Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.
This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).
Note that whether the policy allows sharing aggregated user data does not affect this question.
If the personal data is encrypted when it passes through the third party, it does not count as third-party access (as the data is inaccessible to that party).
If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).
Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.
Some services allow users to opt out of (or opt in to) non-critical collection or use of personal data, such as collecting data for personalized advertisements.
This includes the use of data brokers and independent verification authorities (such as background check providers).