eBay

Founded in 1995, eBay is an online retailer and auction site where users both buy and sell products.


Collection

Does the service collect personal data from third parties? Yes

0/10

Decided Sept. 4, 2019. This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes: 0/10
Only for critical data: 7/10
No: 10/10

Citation

"We also collect personal data about you from other sources and from third parties to the extent permitted by applicable law."



Does the policy list the personal data it collects? Yes, generally

7/10

Decided Sept. 4, 2019. This question accounts for 12% of the final score.

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

Possible Options

No: 0/10
Only summarily: 3/10
Yes, generally: 7/10
Yes, exhaustively: 10/10

Note

While the "What personal data we collect and process" section is very specific, it is nonetheless filled with phrases like "such as," making it a _general_ description, not an _exhaustive_ one.



Is it clear why the service collects the personal data that it does? Mostly

7/10

Decided Sept. 4, 2019. This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No: 0/10
Somewhat: 4/10
Mostly: 7/10
Yes: 10/10
No personal data is collected: 10/10

Citation

"We process your personal data for various purposes and pursuant to various legal bases. We process your personal data primarily to provide and improve our Services, to provide you with a personalized user experience on this website, to contact you about your eBay account and our Services, to provide customer service, to provide you with personalized advertising and marketing communications, and to detect, prevent, mitigate and investigate fraudulent or illegal activity. We also share your information with third parties for these purposes."



Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-out basis, but only for some non-critical data/uses

1.5/5

Decided Sept. 4, 2019. This question accounts for 6% of the final score.

Some services allow users to opt out of, or opt in to, non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No: 0/5
On an opt-out basis, but only for some non-critical data/uses: 1.5/5
On an opt-out basis, for all non-critical data/uses: 3/5
N/A (no data used for non-critical purposes): 5/5
On an opt-in basis: 5/5

Citation

"To manage the settings regarding the use of first-party cookies (and similar technologies) for advertising-related purposes, please go to AdChoice - eBay Advertising Preferences."



Transparency

Does the policy require users to be notified in case of a data breach? No

0/7

Decided Sept. 4, 2019. This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No: 0/7
Yes, eventually: 5/7
Yes, within 72 hours: 7/7
N/A (the service collects so little personal data that notification would not be possible): 7/7

Note

No part of the policy specifies a data breach disclosure protocol.



Will the affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided Sept. 4, 2019. This question accounts for 6% of the final score.

Possible Options

No: 0/5
Yes: 5/5
N/A (no personal data—or contact information—collected): 5/5

Citation

"We may change this User Privacy Notice at any time by posting the revised User Privacy Notice on this website and indicating the effective date of the revised User Privacy Notice. You will be notified of any material changes to this User Privacy Notice via My Messages in My eBay and/or by email."



Is the policy's history made available? Yes, with revisions or a change-log

5/5

Decided Sept. 4, 2019. This question accounts for 6% of the final score.

Possible Options

No: 0/5
Only the date it was last modified: 3/5
Yes, with revisions or a change-log: 5/5

Note

A link at the top of the page allows navigation to a previous version of the policy, and the last revision date is available.



Does the policy outline the service's general security practices? Somewhat

1/3

Decided Sept. 4, 2019. This question accounts for 4% of the final score.

The policy provides only a very vague overview of its security practices.

Possible Options

No: 0/3
Somewhat: 1/3
Yes: 2/3
Yes, including audits: 2.5/3
N/A (no personal data collected): 3/3
Yes, including independent audits: 3/3

Citation

"We protect your personal data through technical and organizational security measures to minimize risks associated with data loss, misuse, unauthorized access and unauthorized disclosure and alteration. To this end we use firewalls and data encryption, for example, as well as physical access restrictions for our data centers and authorization controls for data access."



Handling

Does the policy allow personally-targeted or behavioral marketing? Yes, but you can opt-out

3.5/10

Decided Sept. 4, 2019. This question accounts for 12% of the final score.

Possible Options

Yes: 0/10
Yes, but you can opt-out: 3.5/10
Yes, but you must opt-in: 7/10
No: 10/10

Citation

"If you decide not to have your personal data processed by us for advertising purposes via cookies (and similar technologies), this does not mean that we will not show you advertisements. It simply means that these advertisements will not be personalized for you using first-party or third-party cookies, web beacons, or similar technologies."

"We process your personal data for various purposes and pursuant to various legal bases. We process your personal data primarily to provide and improve our Services, to provide you with a personalized user experience on this website, to contact you about your eBay account and our Services, to provide customer service, to provide you with personalized advertising and marketing communications, and to detect, prevent, mitigate and investigate fraudulent or illegal activity. We also share your information with third parties for these purposes."



Does the service allow third-party access to private personal data? Yes, not all parties specified

0/10

Decided Sept. 4, 2019. This question accounts for 12% of the final score.

The policy allows sharing personal data with third-parties (not just critical service providers), and does not explicitly list the third-parties.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified: 0/10
Yes, all parties specified (including non-critical service providers such as advertisers): 3/10
Yes, not all parties specified (but only to critical service providers): 7/10
Yes, all parties specified (only to critical service providers): 8/10
No: 10/10

Citation

"We process your personal data for various purposes and pursuant to various legal bases. We process your personal data primarily to provide and improve our Services, to provide you with a personalized user experience on this website, to contact you about your eBay account and our Services, to provide customer service, to provide you with personalized advertising and marketing communications, and to detect, prevent, mitigate and investigate fraudulent or illegal activity. We also share your information with third parties for these purposes."



Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided Sept. 4, 2019. This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No: 0/5
Yes, by contacting someone: 3/5
Yes, using an automated mechanism: 5/5
N/A (no personal information collected): 5/5

Citation

"You can exercise your rights as a data subject via our contact forms. In addition, you are of course free to contact us in any other way."



When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Decided Sept. 4, 2019. This question accounts for 6% of the final score.

Possible Options

Always: 0/5
Not specified: 0/5
When reasonably requested: 3/5
Only when required by a court order or subpoena: 4/5
N/A (no personal data to share): 5/5
Never (special legal jurisdiction): 5/5

Citation

"Where necessary, we transmit your personal data to processors and the following recipients for one or several of the purposes described above [...] Law enforcement agencies, courts, government agencies or public authorities, intergovernmental or supranational bodies..."




Warnings

eBay has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for eBay, submit one here.


Overall rating: 4.2/10



Version Added: Sept. 4, 2019
Ratings Updated: Sept. 15, 2019
Warnings: 0
Maintained by: Miles
