Sweet Sixteen Privacy Policies — Part 1

Kyle Schryver July 27, 2018

Inbox flooded in May? Tired of the words “Privacy Policy”? What’s changed? After the EU instated the GDPR, companies were forced to update privacy policies, and we’ve looked into a few of them to break down the most important parts!

According to the Consumer Policy Research Center, 73% of people said they accepted a privacy policy that they were uncomfortable with because it was the only way to access the product.

Many people skip reading privacy policies, so we’re here to inform you of the key points in the privacy policies of frequently used apps, services, and platforms. Similar to the excitement at the World Cup, we’re bringing you a Sweet Sixteen, but this time, it’s privacy policies.

We’ve explored the first eight here, and you can look forward to future insights on the final eight in our next post! Check out the second part of our series here!

1. Google — May 25, 2018

It’s no surprise that Google made major changes to their privacy policy prior to GDPR. After facing potential fines of up to $4.8 billion, the company has taken new measures to ensure compliance. In their approximately 8,000-word privacy policy, Google addresses many of the concerns of the GDPR — including access and deletion rights, information collection data, consent, and third parties that data is shared with. Although the policy is extremely extensive, it emphasizes the main points clearly.

The scoop: Google collects the following, among other forms of data:

Google states this information is used to build better services, measure performance, and communicate with users. Google also offers a way for users to update, review, and manage their information.

Google's Data Export


2. AppDynamics — May 25, 2018

AppDynamics — the project management and IT operations analytics platform — made major changes to their privacy policy on May 25th as well.

The company states that it collects the following information:

What stands out about AppDynamics is their unique page for EU residents directly affected by the GDPR. This page highlights the steps that the company has taken to comply and the key features that affect data subjects. AppDynamics also lists subprocessors of their system — a required addition for GDPR compliance.

Request your data by contacting AppDynamics


3. Snapchat — May 15, 2018

Due to the abundance of features in their app, Snapchat has collected swathes of data on users in the past years including pictures, chat messages, usage, content consumption, camera information, location, advertisement interaction, and more. And because of the amount of personal data collected, it’s essential for Snap to provide information regarding their app in the privacy policy. As highlighted in our last article, Snapchat also provides access for users to download their data — and in the case of an EU resident — delete their data.

Snapchat’s privacy policy also shines due to its readability and plain language, making it easier to understand than most. Similar to AppDynamics, Snapchat has a section focused on EU residents and the GDPR.


4. Cloudera — May 25, 2018

One of the highlights found in Cloudera’s privacy policy, as well as in those of AppDynamics, Pinterest, Intercom, and Mixpanel, is the inclusion of a Data Protection Officer. With trends towards transparency and the surge in Subject Access Requests, DPOs have become essential for success in a modern business. Simply naming the official in a company policy and including contact information provides customers with greater trust in the company and their data. In addition to a privacy policy, Cloudera also hosts a Data Policy featuring data use and retention.

Request or delete your data from Cloudera by contacting them

5. Lyft — February 8, 2017

Although Lyft does not operate in the EU, they have done nothing to advise their users on how their data is handled since the release of the GDPR. As shown by their last policy update being in February of 2017, Lyft is not taking steps towards providing transparency for its users and their personal data. However, Lyft does well to include information about the data they collect and how it’s shared between drivers and riders. In order to be compliant and gain customers’ trust, Lyft must take many steps towards transparency. Currently, Lyft’s policy states that users can only review and edit certain account information — not personal data.

Unfortunately, there’s no option to delete the personal data the company has stored on you. Users are allowed to delete their Lyft account through the help center, but this is no guarantee that their personal data is actually erased.


6. JetBlue — July 1, 2018

JetBlue’s privacy policy has a unique structure, featuring 17 questions with responses as to how the company handles privacy. To comply with the GDPR, JetBlue offers a method to access personal data by contacting them through phone or mail. However, this path toward accessing data can prove difficult for users, and JetBlue doesn’t state a method to delete personal data. As with most companies, JetBlue reports the information collected from users and automated services.

This includes:


7. Pinterest — June 29, 2018

Pinterest features a detailed and dense privacy policy that includes extensive information on how the company collects and handles information. According to the policy,

“Whenever you use any website, mobile application or other internet service, certain information gets created and logged automatically. The same is true when you use Pinterest. Here are some of the types of information we collect: user given data, logs, cookies, devices, and information from partners and advertisers”

The company states that it uses this data to recommend content, suggest other people to connect with, conduct analysis, and improve the application. Additionally, Pinterest claims to have a legitimate interest in the customer when using data to deliver relevant ads and inform ad partners of how they’re performing with certain user bases. The company also informs partners as to what you may be interested in — based on your behavior in the application.

In terms of access and deletion requests, Pinterest states:

If you're an EEA user, you can:


8. Dollar Shave Club — May 25, 2018

Dollar Shave Club shares an interesting relationship with their customers. As a company that offers shaving products, you might think that they don’t have a controller relationship with customer data. However, as a company that uses digital marketing and operates under the GDPR, they have many obligations to their customers.

In the privacy policy, it is evident the company has taken steps to protect customer privacy and explain how data is collected and processed. Dollar Shave Club shares information with the Digital Advertising Alliance (DAA) and offers an option to opt out of the use of information about online activities through an external link; however, users will still receive advertisements that are not customized. Additionally, to opt out of Dollar Shave Club’s marketing list, you must mail or email the company about the subscription.

Dollar Shave Club has 2 unique privacy policies, one for the US, and one for the EU. Their European policy includes information regarding rights specific to European residents including the right to be informed, the right to erasure, the right to restrict processing, and more.

Key Trends

Post-GDPR, almost all companies are supplying users with information about their methods of obtaining data as well as how the information is used and stored. Companies looking to comply with the GDPR must offer information and access to exporting and deleting personal data from their systems. Companies with high user satisfaction also provide easy access for opting out of marketing and other communication.

The most forward-thinking policies include information about the company’s compliance with the GDPR — including appointing a Data Protection Officer — and future data regulation, such as the CCPA.

Many privacy policies still fail to include necessary information about subprocessors and access or deletion of personal data. However, users are beginning to expect higher standards for transparency when trusting companies with their data. The Age of Privacy requires transparency. This starts with the governing framework defining how data will be acquired, used, and sold.

Check out the second part of our series here!

About the Author: Kyle Schryver is a Growth and Marketing Content Intern at DataGrail. He’s an eager worker, producing targeted content designed to provide actionable insights and solutions to readers. You can find him on LinkedIn and contact him at kyle@datagrail.io.
