Before You Sign That Privacy Statement, Know What It's Really Saying

What's happening with privacy statements these days? Why should consumers be on the alert?

(Image credit: © Getty Images)

Everyone cares about privacy. But few of us actually read privacy policies. Why? Because most companies create dense, overly complex and incredibly long statements.

This isn’t new; Mark Zuckerberg has been apologizing for privacy issues for years. Facebook’s privacy policy takes about 18 minutes to read. It’s no wonder we’ve been trained not to bother, but we should.

The purpose of a privacy policy is to tell you how and with whom your personal and private data will be shared. Because almost all data is shared beyond the actual website or company with which you’re doing business, at the heart of the privacy problem is that we often have little idea of what these policies are actually telling us. Consumers can do better, but companies don’t make it easy.

Many times, unless we click “I agree,” we can’t gain access to a website or to content or even to our checking accounts. Far too often we click “agree” without having any idea what we’re agreeing to.

To make that point, a few years ago the British company GameStation inserted the following statement into its privacy policy:

By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non-transferable option to claim, for now and forever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from or one of its duly authorised minions.

By the end of the day, more than 7,000 people had agreed to give up their souls. Either people didn’t read the agreement, or they didn’t care who had authority over their souls. Of course, this occurred on April Fool’s Day, but the point was made.

In May 2018, things changed — somewhat. That was when the European Union’s General Data Protection Regulation (GDPR) went into effect. This regulation requires companies doing business in the EU or with employees in the EU to create a privacy policy that customers can understand. The new regulation had some effect on U.S. policies, but there is still much in the policies that consumers do not understand, and we don’t read them. Feel free to complain to companies if you have difficulty understanding their privacy policies. They need to know that they’ve not “hit the mark.”

How can we do better? Here are three actions consumers can take to better protect their privacy.

1. Guard your privacy like nobody’s business

First, understand that privacy policies will identify two types of information they can collect: public personal information and nonpublic personal information.

Public personal information is information that can be easily discovered, including names, addresses, employment and email addresses.

Nonpublic personal information in the financial sector is information specific to a consumer that identifies that person’s financial data and is gathered during a transaction with a customer. Examples include Social Security numbers, income, credit score and data the internet collects because you visited your bank’s website (i.e., cookies).

Second, do business with companies that take seriously their customers’ need to understand what happens with their data. For example, Ticketmaster has a policy that we all can understand. I’m a plain language expert, and I couldn’t have written it better — or more plainly — myself.

However, even in an example as clear as this one, any mention of “third parties” could include almost anyone or any company. So always check to see who those third parties are, if listed. Ticketmaster is very specific about who gets your data. If you don’t want that data shared, buy tickets elsewhere.

Third, protect your data. Limit how much data you’re willing to share. For example, be very careful about how and with whom you share your Social Security number, and be cautious about the information you give on your social media accounts. Only give out your credit card information to a credible site. Also, several scammers imitate large companies like American Express to get you to open a link that gives them access to your account. I always check the email address when I’m suspicious. It’s still very hard to hide the actual address an email comes from.

2. Share data only with companies you trust and limit what you’re willing to share

The Federal Trade Commission recommends that you:

  • Know who you share information with.
  • Store and dispose of your personal information securely, especially your Social Security number.
  • Ask questions before deciding to share your personal information.
  • Maintain appropriate security on your computers and other electronic devices.

Additionally, some browsers give us the option to not share our data by including “Do Not Track.” In as many circumstances as possible, use DNT to tell a company not to track your data. Although they don’t have to do what you ask, they do have to tell you whether they’re complying with your request. For help adjusting your own browser settings to use DNT, the Future of Privacy Forum has an online privacy tool to walk you through the process.

3. Know and use helpful online resources

In addition to the Future of Privacy Forum’s privacy tool mentioned above, which keeps browsers from sharing your information, there are other online resources to check out. These two sites offer clear, helpful information on privacy policies:

Finally, whenever possible, at least read the part of a privacy policy that tells you how they share data. Then you’ll have to make a decision, but at least you’ll make an informed one.


This article was written by and presents the views of our contributing adviser, not the Kiplinger editorial staff. You can check adviser records with the SEC or with FINRA.

Founder and Principal, The Plain Language Group LLC

Deborah S. Bosley, Ph.D., is founder of The Plain Language Group LLC and an international expert in plain language with Fortune 100/500 clients in financial, technology, health and legal sectors. She helps companies meet regulatory requirements for plain language and increase profits, trust and customer satisfaction. Deborah has been interviewed by Investment News, The Wall Street Journal This Weekend radio, The Atlantic, Time, HealthLeaders Media Inc. and Employee Benefit News, among others.