Sweet Sixteen Privacy Policies — Part 2

Kyle Schryver, August 03, 2018
Ever wonder where, how, and why your personal data is processed? Post-GDPR, you might be able to find the answers by looking at privacy policies. In part 2 of our Sweet Sixteen series, we’re bringing you the highlights from 8 more privacy policies, informing you on how to gain control of your personal data privacy. Check out the first part of our series here!

1. OpenTable — May 23, 2018

OpenTable — the restaurant reservation platform — has taken substantial steps toward hosting a privacy policy compliant with the GDPR. To begin, their privacy policy features a quick summary at the top that helps users locate specific sections of their policy.

OpenTable offers extensive information regarding how your data is shared. Some of these include sharing:

OpenTable does well to offer a way to opt out of information sharing through your account preferences, and allows users to opt out of marketing communication through an unsubscribe link.

OpenTable has a specific page tailored toward residents of the EU and UK that includes these additional rights regarding personal data:

To make a request, you can contact OpenTable.

2. Rubrik — May 25, 2018

Rubrik has a fairly simple privacy policy, covering the bases of information collected — who it’s shared with, and how it’s used. Rubrik states that it uses a third party to process user data and create targeted advertisements. There’s a way to opt out of this through an external portal, but users will still receive non-targeted ads.

Similar to OpenTable, Rubrik has a designated section for EU residents. Additional information is included such as:

You can request access to your data by contacting Rubrik.

3. Dropbox — May 25, 2018

Dropbox’s privacy policy is simple and straightforward. They cover what data they collect, how they use it, and with whom it’s shared.

The following information is collected:

Dropbox has options for users in regard to personal data as stated:

It’s important to note that the data accessible through these methods is simple account information. Personal data that is processed, shared, and used by Dropbox may have limited access for users. The discrepancy between account data and personal data isn’t always visible to users but is important in determining the privacy and transparency level of the company.

Dropbox also publishes a transparency report twice a year that informs users of the company’s requests in regard to data.

4. InVision — June 4, 2018

InVision has one of the most extensive privacy policies we’ve seen, and it attempts to cover all user concerns. The policy illustrates processing grounds, data transfers, data subject rights, security, and more.

Some of the uses for data processing are as stated:

InVision offers the following options with regard to personal data:

These tools can be accessed through their rights management page or by contacting InVision.

Finally, InVision has a GDPR compliance page. This page provides EU residents with greater transparency in terms of compliance with the GDPR.

5. Lever — May 25, 2018

Lever, similar to InVision, has a comprehensive privacy policy. It includes basic processing and the transfer of information in addition to collection and use of data. The policy states the following rights for EU residents, which can be exercised by contacting Lever:

Similar to Dropbox, Lever has account data accessibility for all users. However, account data accounts for only a small portion of the personal data a company collects, and non-EU residents aren’t able to access, delete, or object to the processing of their personal data. Further, this distinction highlights that many companies are attempting to comply with GDPR but aren’t as focused on increasing transparency across all users in terms of personal data.

Lever does state some of the third-party processors with whom personal data is shared — a great addition to their privacy policy that provides customers with transparency into what businesses have access to their data.

6. Mixpanel — May 16, 2018

One of the highlights of Mixpanel’s privacy policy is the inclusion of a Data Protection Officer. This individual is available to address the concerns of users, specifically EU residents, and their privacy. Contact information is included, and after reaching out, we found the officer responds quickly and provides insight into the processing of data by Mixpanel.

Mixpanel also features a data processing addendum that includes information about compliance with the GDPR, terms of data processing, and the types of personal data processed. After requesting, we were able to access Mixpanel’s list of subprocessors — which is a clear indicator that the company is taking steps to be fully compliant with the GDPR.

As stated by Mixpanel, “A subprocessor is a third party data processor engaged by Mixpanel, including entities from within the Mixpanel group, who has or potentially will have access to or process Customer Content (which may contain Personal Data).”

7. Sumologic — November 11, 2017

Sumologic covers its bases in terms of information collected, privacy shield coverage, and data usage. The policy states that information is used to:

The policy is lacking in certain key areas, as it fails to address the concerns of the GDPR and other upcoming regulation. There is a section regarding access to personal data, with a contact; however, no time frame or additional information is specified for data subjects.

8. Intercom — May 25, 2018

Intercom’s privacy policy proves to be detailed and well-organized. Just like Mixpanel, Intercom has hired a Data Protection Officer to help the company comply with data privacy regulation and support transparency for the organization.

Intercom also offers access to the following rights for data subjects:

Our Insights

Post-GDPR, many companies are making personal data more accessible for their users. To find out the type and depth of information companies collect on you, we suggest reaching out to a few through their privacy policy contact. In our requests, we’ve found that companies with an appointed Data Protection Officer are more likely to respond in a timely manner with the information you requested.

To take control of your personal privacy, it’s crucial to first find out what personal data companies have collected on you. Submitting access requests helps consumers take hold of their privacy. In the future, regulation may grant additional rights to citizens worldwide including data deletion and the right to be forgotten. California already has a bill set to release in early 2020, which will grant many rights to its residents in regard to their data.

For companies, privacy will continue to be a hot topic. Both to comply with future regulation and to provide users with confidence, firms will have to be transparent about their data processing and use. Many policies have been changed to provide additional resources for EU residents in order to comply with the GDPR; however, companies that are looking to the future will want to provide these resources for all of their users and customers.

According to a study by Label Insight, 94% of consumers surveyed indicated that they were more likely to be loyal to a brand that offers transparency, while 73% said they were willing to pay more for a product that offers complete transparency.

When businesses provide these rights, users will build greater trust in the business and are more likely to continue working with the company.

A Deloitte survey of 2,000 consumers in the U.S. found that 91% of people consent to legal terms and services conditions without reading them. For younger people, ages 18–34, the rate is even higher, with 97% agreeing to conditions before reading.

It’s evident that privacy policies and similar documents are often ignored by the average user. Unfortunately, this allows companies to have users agreeing to any terms they want, as it rarely affects a user’s decision to proceed with the product or service.

We hope you were able to learn more about your personal privacy in this two-part series and took away some key points about the data processing that companies currently employ. As privacy continues to become a greater concern, policies will need to be looked at from both a compliance and personal privacy perspective.

In the coming weeks, we will be continuing to interview Data Protection Officers, several of whom were involved in writing privacy policies.

About the Author: Kyle Schryver is a Growth and Marketing Content Intern at DataGrail. He’s an eager worker, producing targeted content designed to provide actionable insights and solutions to readers. You can find him on LinkedIn and contact him at kyle@datagrail.io.
