How to read a privacy policy – general guidance

Reading a privacy policy is essential for understanding how an organization collects, uses and protects your personal information.

Review this general guidance on how to read a privacy policy to help you make informed decisions before using services or tools that collect personal information.

If you are reviewing a tool for collecting/processing personal information of others at the University, please submit a request for privacy impact assessment (PIA). The University is subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and this guidance is not meant to assess compliance with privacy regulations.

Topics on this page:

  1. Start with the introduction
  2. Understand the scope
  3. What information is collected?
  4. How is information being collected?
  5. Purposes of collection
  6. Use and disclosure
  7. Consent and permission
  8. Third-party sharing
  9. Security measures
  10. Cookies and tracking technologies
  11. Legal jurisdiction and compliance
  12. Your rights and choices
  13. Policy updates
  14. Look for contact information

Start with the introduction

Look for an introduction or overview section that summarizes the purpose of the privacy policy and how it applies to you as a user. Sometimes people make mistakes. You could be presented with the wrong policy. Double check!

Understand the scope

Identify the scope of the privacy policy. Determine the specific services, websites or applications it covers. Some policies are global and apply to all vendor offerings, and some policies are specific to an individual service or tool. Some protections in policies are only relevant to citizens of certain geographical regions; an example of this is General Data Protection Regulation (GDPR) protections that apply only to EU citizens.

Take note:

  • Is your use of the service included in the privacy policy?
  • Is this policy written to cover all vendor products/services or is specific to one product?
  • Are you relying on privacy protections that are only applicable to certain geographical regions?

What information is collected?

Check what types of personal information the organization collects. Remember, if the policy covers a vendor’s entire portfolio of products rather than a specific product, it may include information collection practices that do not necessarily apply to your use of a particular product.

Take note:

  • Does the policy contain a statement about not collecting more than is needed to provide the service?
  • Are there collections listed that you feel aren’t relevant to your use of a product?

How is information being collected?

Vendors may collect data about you in various ways. This may include data you provide directly and information collected indirectly or automatically through use (i.e., analytics) or data obtained from third parties. The distinction between direct and indirect collection of personal information lies in how the information is obtained.

Direct collection: Information is gathered directly from the individual. The individual is usually aware of the collection since they are actively involved in the process and normally have consented to provide the information. Examples of direct collection include filling out a form online or in person, providing details over the phone or in a survey, or submitting personal information via email or an application.

Indirect collection: Information is gathered from other sources or through other means, without direct input from the individual. The individual may not be aware that their information is being collected or how it is being used. Examples of indirect collection include data mining from social media profiles or websites, collecting information through cookies and tracking technologies on websites, or obtaining data from third parties or public records.

Key differences in direct vs. indirect collection:

  1. Awareness: Direct collection involves explicit consent and awareness from the individual, while indirect collection may not.
  2. Control: Individuals have more control over the information they provide directly, but less over what is collected indirectly.
  3. Source: Direct collection is from the individual, whereas indirect collection involves third-party sources or technologies that gather data passively.

Take note:

  • What information is collected directly from you and what is collected indirectly?
  • If you have questions, reach out to the vendor’s privacy contact (usually listed in the policy for more information).
  • If contacting vendors, be prepared for lengthy response times in many cases.

Purposes of collection

Understand the reasons why your information is being collected.

Take note:

  • Is the collection reasonable in relation to the service provided? For example, ordinarily your fitness app should not be asking for your health insurance information.
  • Is information collection and use limited to only what is necessary for providing the service?

Use and disclosure

Look for explicit explanations of how the organization intends to use the collected data. Purposes often include mention of additional reasons like, “Your data may be used for training purposes.” This is common practice for services that have AI components or capabilities as user inputs are used to train the AI data set. Vendors may provide a user with the ability to opt-out of having their information used in such ways.

Take note:

  • Pay close attention to the language used to describe purposes. Is it restrictive in nature or is it open-ended? Open-ended language can be vague and open up your information to secondary processing. Examples:

    • “We only use your data for xyz purposes…”
    • “We may use your data for xyz purposes…”
    • “Your data will be shared with our partners for xyz purposes…”
  • Is information use and disclosure limited to what is reasonable and necessary to provide the service and support?
  • Do they indicate a control or opt-out processes with regards to uses of information?
  • If the product or service uses components of AI, are customer inputs (i.e., content submissions) used to train AI models? Is there an option to turn off model training?

Consent and permission

Pay attention to sections regarding consent. Understand how the organization seeks your permission to collect, use and share your information if outside of or different than the purposes for which it was originally collected.

Take note:

  • How does the vendor notify you of changes to policy? Do they provide direct notice – emails directly to users notifying them of the intended change – or do they simply post revision dates online?
  • Will the vendor seek direct consent from you if changes to use occur?
  • Will the vendor notify you if there has been a disclosure outside of the normal course of expected activities?

Third-party sharing

Check for details about information-sharing with third parties.

  • Identify the third parties involved and the purposes for sharing data with them.
  • Look for language that ensures any third parties are bound by the terms outlined in the privacy policy.

  • Be aware of phrases like, “We may share your data with our vendor partners for marketing purposes.” It is not uncommon for vendors to outsource their marketing to third parties, who will then have access to your data. For example, a company might use an email delivery provider such as Mailchimp to send out their marketing emails.

Security measures

A good privacy policy should explain how the organization safeguards your information, including details about third-party involvement, or direct you to relevant pages for more information.

Cookies and tracking technologies

Understand how the organization uses cookies, pixel tags and other tracking technologies. Check for information about your ability to manage or disable these technologies. Cookie tracking involves storing small pieces of data on users’ devices to track their online behavior and preferences. While this can enhance user experience by personalizing content and remembering login details, it also raises several privacy concerns. Cookies can track users across multiple sites, creating a comprehensive picture of their online behaviour. This can be intrusive and users may not always be aware of who is collecting their data.

Take note:

  • Configure your browser’s privacy settings to limit or block cookies.
  • Periodically delete cookies from your browser to reduce the amount of data collected and stored. Most browsers have settings that allow you to clear cookies manually.
  • Avoid granting unnecessary permissions or sharing personal information on websites that you don’t fully trust.

Legal jurisdiction and compliance

Look for sections outlining where your data is stored and what laws the vendor is required to comply with. This could affect your data if government agencies request access to your information. The vendor may also be required to comply with certain privacy laws as part of providing the service. Check if there are legislated requirements that could affect how your data is managed and what rights you have under these acts. Some privacy policies may link to other documents such as cookie policies, Data Protection Addendums (DPAs) or other security documentation. Review these documents to get a better understanding of their data protection and security controls.

The University is subject to FIPPA legislation. All activities at the University must use information in a manner that is compliant with this legislation. If you are reviewing a tool or service for use at the University, please request an information risk assessment prior to contract signing and implementation.

Your rights and choices

Look for sections outlining your rights, such as the right to access, correct or delete your data. Understand how you can exercise these rights and make choices about your data. A good privacy policy should provide you with details of how you can exercise your rights, specifically related to data deletion and opt-out options.

Take note:

  • Check the policy to ensure there are detailed instructions for the access, correction and deletion of your data.

Policy updates

Most policies will have a last updated date at the beginning of the policy. This is important to understand how relevant the policy is. If you come across a privacy policy which is more than a few years old, consider checking with the vendor on the relevance of the policy.

Take note:

  • Check how the organization will notify you of changes to the privacy policy.
  • Ideally, they will directly inform you of material changes. However, it is still common (though not ideal) for organizations to ask users to regularly review the policy and check the modification date.

Look for contact information

Find contact details for the organization’s privacy representative or data protection officer. Knowing who to contact for privacy-related inquiries is important.

Remember, if you have questions or concerns after reading the privacy policy, don’t hesitate to contact the organization for clarification. Privacy policies are meant to empower users by providing transparency about how their information is handled.

Last modified: August 15, 2024