8 big gotchas to watch out for in tech privacy policies

Data protection declarations contain long texts with lots of information, often consisting of heaps of legal wording. This means that there are a number of pitfalls, especially for end users, which can lead to data loss, cyberattacks, and other negative consequences. That’s why it’s important to take a closer look at long data protection declarations and watch out for the following “gotchas.”

Further reading: How to protect your digital accounts from hackers

Unclear wording leaves room for providers to maneuver

Many privacy policies use vague or ambiguous terms such as where applicable, may, or in certain cases. These are imprecise and leave room for interpretation.

Pay attention to the context of these sentences and clarify with the provider why certain sections or sentences are vague.

In many cases, imprecise wording is the reason why you are unable to obtain legal redress in the event of problems, as a vague sentence usually brings little or no benefit to the customer.

Ambiguous terms may indicate that the provider doesn’t trust its own security functions and data protection requirements.

Avoid extensive data collection

Pay attention to what data a provider collects from you and whether it’s necessary or not. If a provider collects data that it doesn’t need for its service, this indicates that this data will be used for commercial purposes.

The provider may sell the data to other companies, which in turn uses it for advertising purposes, spam, and other areas to contact you.

Shutterstock / Gorodenkoff

There’s also the risk of the provider itself becoming the victim of a cyberattack. If criminals steal your personal data, there’s a risk of identity theft, phishing, and other cyberattacks. Therefore, make sure you do not unnecessarily disclose data that the provider doesn’t need for its services.

Earmarking the data ensures that it’s reasonably secure

The respective privacy policy should define exactly what the provider collects your data for and the purpose behind it. Make sure that it’s comprehensible to you. General statements such as to improve our service are too vague. This is where the pitfalls mentioned above come into play.

Disclosure to third parties is a problem

Check where your data is being passed on to. Data protection declarations should inform you about which third parties are granted access to the data and for what purpose.

Nongasimo / Shutterstock.com

Look out for clauses that allow far-reaching disclosures. After all, the provider sells your data to other companies that use it for advertising and contact purposes. Ultimately, there’s a risk of your data being misused, which includes theft by the third-party provider.

The data storage period shouldn’t be too long

It should be clearly stated how long the provider stores the data. Indefinite periods or missing information on the storage period are critical. Data should only be stored for as long as is necessary for the stated purpose. Watch out for imprecise wording here, too.

The longer the provider collects your data, the longer the period during which criminals can obtain the data through cyberattacks.

What are your rights?

The declaration should make it clear what rights you have been granted. These include the rights to information, correction, deletion, and objection to data and its use. These rights should be explained clearly and in full.

Pay attention to whether the provider restricts any of your rights or whether rights that are important to you are missing. Firstly, the right to information must be enshrined. This enables you to obtain information at any time about what personal data the provider stores and for what purpose it is used.

Elnur/Shutterstock.com

Equally important is the right to rectification, which allows you to have incorrect or incomplete data corrected. In addition, the right to erasure, also known as the right to be forgotten, should be guaranteed. This allows data to be deleted under certain conditions. Another important right is data portability.

The right to object must be available so that you have the opportunity to object to the processing of your data. Does the declaration also state whether you have to consent to the transfer of your data? It must also clearly state that you can withdraw your consent at any time. The granting of rights is therefore extremely important. There should be no restrictions here in particular.

What security measures does the provider take to protect your data?

The privacy policy should state what measures are taken to protect your data. Pay attention to information on encryption, access restrictions, and other technical and organizational measures that guarantee the protection of your data. There should also be no vague sentences. The privacy policy must clearly state how the provider protects your data.

You should also know where your data is being stored. Does the provider operate its data centers, including data storage, in Germany or Europe? Does the provider possibly not use its own infrastructure, but uses the infrastructure of a cloud provider such as Amazon (AWS), Microsoft (Azure), or Google (GCP)? These are important things to keep in mind.

Note updates to the privacy policy

The privacy policy should inform you how and when it will be updated. If an update is made, you should make sure that it does not introduce any of the pitfalls mentioned here into the declaration.

Data protection declarations contain long texts with lots of information, often consisting of heaps of legal wording. This means that there are a number of pitfalls, especially for end users, which can lead to data loss, cyberattacks, and other negative consequences. That’s why it’s important to take a closer look at long data protection declarations and watch out for the following “gotchas.”

Further reading: How to protect your digital accounts from hackers

Unclear wording leaves room for providers to maneuver

Many privacy policies use vague or ambiguous terms such as where applicable, may, or in certain cases. These are imprecise and leave room for interpretation.

Pay attention to the context of these sentences and clarify with the provider why certain sections or sentences are vague.

In many cases, imprecise wording is the reason why you are unable to obtain legal redress in the event of problems, as a vague sentence usually brings little or no benefit to the customer.

Ambiguous terms may indicate that the provider doesn’t trust its own security functions and data protection requirements.

Avoid extensive data collection

Pay attention to what data a provider collects from you and whether it’s necessary or not. If a provider collects data that it doesn’t need for its service, this indicates that this data will be used for commercial purposes.

The provider may sell the data to other companies, which in turn uses it for advertising purposes, spam, and other areas to contact you.

Shutterstock / Gorodenkoff

Shutterstock / Gorodenkoff

Shutterstock / Gorodenkoff

There’s also the risk of the provider itself becoming the victim of a cyberattack. If criminals steal your personal data, there’s a risk of identity theft, phishing, and other cyberattacks. Therefore, make sure you do not unnecessarily disclose data that the provider doesn’t need for its services.

Earmarking the data ensures that it’s reasonably secure

The respective privacy policy should define exactly what the provider collects your data for and the purpose behind it. Make sure that it’s comprehensible to you. General statements such as to improve our service are too vague. This is where the pitfalls mentioned above come into play.

Disclosure to third parties is a problem

Check where your data is being passed on to. Data protection declarations should inform you about which third parties are granted access to the data and for what purpose.

Nongasimo / Shutterstock.com

Nongasimo / Shutterstock.com

Nongasimo / Shutterstock.com

Look out for clauses that allow far-reaching disclosures. After all, the provider sells your data to other companies that use it for advertising and contact purposes. Ultimately, there’s a risk of your data being misused, which includes theft by the third-party provider.

The data storage period shouldn’t be too long

It should be clearly stated how long the provider stores the data. Indefinite periods or missing information on the storage period are critical. Data should only be stored for as long as is necessary for the stated purpose. Watch out for imprecise wording here, too.

The longer the provider collects your data, the longer the period during which criminals can obtain the data through cyberattacks.

What are your rights?

The declaration should make it clear what rights you have been granted. These include the rights to information, correction, deletion, and objection to data and its use. These rights should be explained clearly and in full.

Pay attention to whether the provider restricts any of your rights or whether rights that are important to you are missing. Firstly, the right to information must be enshrined. This enables you to obtain information at any time about what personal data the provider stores and for what purpose it is used.

Elnur/Shutterstock.com

Elnur/Shutterstock.com

Elnur/Shutterstock.com

Equally important is the right to rectification, which allows you to have incorrect or incomplete data corrected. In addition, the right to erasure, also known as the right to be forgotten, should be guaranteed. This allows data to be deleted under certain conditions. Another important right is data portability.

The right to object must be available so that you have the opportunity to object to the processing of your data. Does the declaration also state whether you have to consent to the transfer of your data? It must also clearly state that you can withdraw your consent at any time. The granting of rights is therefore extremely important. There should be no restrictions here in particular.

What security measures does the provider take to protect your data?

The privacy policy should state what measures are taken to protect your data. Pay attention to information on encryption, access restrictions, and other technical and organizational measures that guarantee the protection of your data. There should also be no vague sentences. The privacy policy must clearly state how the provider protects your data.

You should also know where your data is being stored. Does the provider operate its data centers, including data storage, in Germany or Europe? Does the provider possibly not use its own infrastructure, but uses the infrastructure of a cloud provider such as Amazon (AWS), Microsoft (Azure), or Google (GCP)? These are important things to keep in mind.

Note updates to the privacy policy

The privacy policy should inform you how and when it will be updated. If an update is made, you should make sure that it does not introduce any of the pitfalls mentioned here into the declaration. Read More