The Privacy Risks in User Agreements and Privacy Policies

User agreement icon on the edge with fire flames
Click here for a short summary of this article
Summary: Privacy Risks in User Agreements and Privacy Policies

Did you know that Instagram has the license to do whatever they want with your photos? Or that TikTok doesn’t need to inform users in case of a data breach?

Few people read the terms of service and privacy policies of their favorite apps and social media. And it’s hard to blame them. Going through these documents seems like an endless task. However, accepting these agreements without reading them can result in very serious privacy risks.

After all, by doing so, you often give companies permission to:

  • Collect your data
  • Use this data in almost any way they see fit
  • Share your data and even give other companies permission to use your data

Although these documents make it challenging, you can take steps to protect yourself by reading user agreements (or their summaries!) and by setting up your privacy settings properly. You should also familiarize yourself with data privacy laws in your region, such as the CalOPPA for Californian residents or the GDPR for EU citizens.

How many of us have clicked “accept” on the terms and conditions without bothering to read them? For some, it’s because the document is so long and confusing. For others, it’s because they simply didn’t have the time to read. And then, of course, the more we get used to not reading these documents, the less motivation we have to read the next one we encounter…

The problem is, by blindly accepting these terms, we end up endangering our online privacy.

Why are license agreements and privacy policies so difficult to read, anyway? What purpose do they actually serve, and why should we take the time to study them? In this article, we cover everything there is to know about terms and conditions and privacy policies, including the rules that govern them and how you can protect yourself from the predatory terms hiding in these documents.


What is a User Agreement?

User agreement iconAlso known as the terms and conditions (T&Cs), terms of service (ToS), end-user license agreement (EULA) and plenty of other names, a user or license agreement is simply a contract between you and the party providing you with a service or software.

This document specifies the service being provided to you. It should also tell you what you are allowed to do with the app, software, or service.

Generally, there’s also a section on the permissions you grant the company so they can properly offer your their service. For instance, Google Maps needs access to your location data so it can show you directions.

Most of the mobile apps, computer software, and social media websites you use have a user agreement. You were asked to accept them before or during installation or signup.

Note that, since this user agreement is a type of contract, it is legally binding. Of course, there could be sections or stipulations in such an agreement that no reasonable court would enforce, but in principle, it is a legal document with real implications for both parties.


What is a Privacy Policy?

Privacy policy iconA privacy policy is similar to a user agreement but has the opposite purpose: it serves to protect you instead of the company behind the software or service. A privacy policy should prevent clients from having their privacy violated.

This document states what user data the company collects and processes, as well as how this data is used, how long it’s stored, and with whom it’s shared.

According to data privacy laws in many jurisdictions (such as the CalOPPA in California or the GDPR in Europe), companies that process user data in any way must have a privacy policy. Since most websites and apps these days cater to international audiences, the companies behind them often simplify their situation by providing a privacy policy for anyone who uses their services.


Why Don’t People Read the Terms and Conditions?

It’s no secret that the terms and conditions are often scrolled past and ignored. While it’s part of our individual responsibility to read every contract we’re presented, it’s still a tall order to expect people to study long, complicated, and vague user agreements and privacy policies.

Infographic showing reasons why people don't read the terms and conditions

1. Length

The number one problem with these agreements is length. For instance, both Facebook’s Terms of Use and Privacy Policy are about 4,200 words long each. Granted, the part that concerns your privacy isn’t that long (a mere 1,100 words). Nevertheless, most people don’t want to read an obscenely long document just to find out what happens to their data.

Facebook is just one of many with lengthy user agreements. According to a 2018 research, the average word count of the 20 most-used mobile apps’ privacy policies (in English) was about 4,000 words.

2. Complexity

Long sentences, unclear phrasing, and complex jargon make these documents uninviting to read. This is because many of these documents are written with the intention to protect the company in case of a legal dispute. They’re not written with the average user in mind.

Take the example below. It’s hard to believe someone who is not specialized in copyright law will get this excerpt of the Facebook privacy policy on their first read-through:

“Specifically, when you share, post, or upload content that is covered by intellectual property rights on or in connection with our Products, you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate and create derivative works of your content (consistent with your privacy and application settings).”

3. Delayed documentation

When you pay for software, you often only get to see the terms and conditions during installation. This means you’ve already paid for something without knowing the conditions of your purchase. Delaying the presentation of these documents is a disservice to customers. It’s like buying a house or a car and only getting to see the contract afterward.

Of course, these days you can find plenty of user agreements online. However, not everyone might be tech-savvy enough to find the most recently updated license agreement for their product in their language.

4. Vagueness

Many privacy policies are very vague about what data they’re gathering, how they use it, and especially which third parties they share it with and what for. To illustrate this last point, just have a look at one of Snapchat’s clauses on sharing your data:

“We may share information about you, such as device and usage information, to help us and others prevent fraud.”

The above clause appears under the section about sharing your data with “third parties.” It doesn’t explain whatsoever who these “others” are and what the extent is of this clause. Moreover, the term “usage information” sounds like using a nice way of saying Snapchat can virtually share anything you do on your device with third parties.


The Privacy Risks in User Agreements and Privacy Policies

Padlock with Warning iconIt’s true that companies use your data in ways that help you get the best experience out of their software or service. However, they also often use your data for advertising, tracking, and third-party sharing.

As such, it’s vital to look out for dangerous clauses in user agreements and privacy policies so you don’t put your privacy at risk. We provide some examples of these clauses below.

Instagram can post your pictures wherever they want

According to Instagram’s Terms of Service, they can post your photos online as they please. By accepting this agreement upon signup, you’ve given them a “transferable, sub-licensable, worldwide license” to do so. And the fact that this license is “transferable” means they can give other parties the rights to your photos, as well.

Facebook can sell your data to advertisers

Some people will argue that Facebook doesn’t actually sell your data. However, part of the transaction agreement whenever someone purchases ad space on FB is this: “We provide advertisers with reports about the kinds of people seeing their ads…

They go on to explain that they don’t make the data so specific that you can be identified. However, no matter how you slice it, Facebook receives money in return for passing on information about you to advertisers. Furthermore, even if the data they sell doesn’t have your name attached, in the age of big data, there are people who are crafty enough to piece the clues together.

YouTube, Amazon, and Instagram can change terms at any time

Youtube, Amazon, Instagram, and many other companies can change their terms whenever they want. Even if you somehow find a company that doesn’t violate your privacy in any way, there may be no assurance that that’s always going to be the case.

US courts have established that customers need to be notified when terms change, such as in the case of Rodman v. Safeway, Inc. in 2014. And many companies or organizations do indeed inform their customers about policy changes. However, the sad reality is that many people still miss this announcement if they’re not paying attention.

Some VPNs can forward your data to third parties

The present-day data ecosystem is anything but straightforward. Just because you permit Company A to access your data doesn’t mean the risks end with them. Company A’s privacy policy may allow them to share your data with plenty of other companies or organizations. And if any of these parties get hacked, there’s always the risk that your data will find its way to the dark web or will be used to scam you through phishing and other techniques.

Some companies are also mandated to surrender user data to law enforcement when demanded to do so. This is especially dangerous if you’re a journalist fearing persecution or a citizen in a country with a strict government.

These kinds of policies are even more worrying when they’re used by apps that supposedly protect your privacy, such as virtual private networks (VPNs), antiviruses, and password managers. If you’re concerned about the digital safety software you’re currently using, we rounded up a list of VPNs that don’t keep any records of your data so you can stay protected while browsing online.


Laws Governing User Agreements and Privacy Policies

Rules for user agreements iconAs the cases above illustrate, complex user agreements and privacy policies make it pretty difficult to protect your own privacy. As such, it’s only natural to ask: are there any laws to help protect consumers? Fortunately, the answer is yes.

Privacy policies, more so than user agreements, are subject to laws and regulations, some of which we discuss below.

Privacy laws in the United States

There is no specific federal law in the US that makes having a license agreement mandatory — although some business sectors do require privacy policies. US laws agree more or less that privacy policies should discuss the following elements:

  • What information is being collected and how it’s collected
  • The measures taken to protect that information
  • How the information being collected is used
  • Whether the information collected is shared with any third parties and, if so, what information is shared and with which third parties
  • The consumers’ rights regarding their personal data

Furthermore, according to the Federal Trade Commission (FTC)’s guidelines, privacy policies should be written in clear and understandable language. You’ll notice, however, these laws say nothing about the length of these policies. There’s no mention of making privacy policies easy to navigate, such as by using clear, concise language or employing tables of contents.

There’s also the notoriously strict California Online Privacy Protection Act (CalOPPA), which requires commercial websites and online services to have a privacy policy if they’re collecting any kind of personally identifiable information from California residents.

CalOPPA is enforced by the Attorney General of California. The Office of the Attorney General previously went head-to-head with Delta Airlines for the company’s violation of CalOPPA, although the case was ultimately dismissed by the California Court of Appeals.

Privacy laws in the European Union

The European Union (EU) has clear rules on both user agreements and privacy policies. For license agreements, they list three clear requirements:

  1. User agreements can’t be contrary to the requirement of good faith.
  2. License agreements should not disadvantage consumers in terms of rights & obligations.
  3. Contract terms must be drafted in plain, understandable language.

If certain terms of service are not in line with the first two requirements, the EU deems them “unfair.” This means that these terms, according to the EU, are not legally binding.

Privacy policies in the EU are governed by the General Data Protection Regulation (GDPR), perhaps the most stringent privacy law in the world. The rules in the GDPR apply to any company that collects data from EU residents.

The GDPR lists a host of information these policies should include, which you can find on this page. In summary, however, privacy policies should be:

  • Written in a concise, transparent, intelligible, and easily accessible form
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner
  • Provided free of charge

The GDPR has been used by many organizations as the basis for condemning companies that violate data privacy. For instance, the Dutch Data Protection Authority fined LocateFamily for € 525,000 in 2021. More recently, the French privacy watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) claimed that Google Analytics violates the GDPR.


How to Protect My Privacy from User Agreements

There are some steps you can take to significantly limit the privacy risks of these documents. Below we will discuss three of the most important ones.

Infographic showing how to protect your privacy against user agreements

1. Read the agreement (or a summary of it)

The best way to guard yourself against predatory agreements is to read those agreements. For the 99% of people who don’t have the time or energy to do so, we recommend reading a summarized version. Here’s where you can find simplified versions of user agreements:

  • tl;dr Legal — provides software licenses in plain English and highlights important parts of the document
  • TOSDR — grades popular websites and services from A (very good) to E (very bad) based on how well their terms of service protect consumer rights and data privacy
  • PrivacySpy — grades and monitors the privacy policies of popular services like Facebook, Google, Amazon, Windows, Apple, and plenty more

2. Search for keywords

When going over terms of agreement or privacy policies, look out for important keywords (using Ctrl + F or by skimming), such as “agree,” “accept,” “third parties,” “advertising partners,” “affiliates,” and “retain.” Doing so will let you jump to the areas in the agreement that deal specifically with user data, licenses, and permissions.

3. Adjust your privacy settings

Regularly check your privacy settings to make sure they’re optimized to protect you. Companies often state in their policies that you can alter or disable some of the data permissions you’re giving them simply by adjusting the privacy settings on their app or site. Even if you’re using AWS S3 for storage, make sure you learn how to secure your S3 buckets.

Do note that these settings mainly serve to protect your privacy from other users and not the platform itself. However, this can still be useful.

Case in point: Facebook is allowed to use your content even after you remove it from your account. However, they may only do so as long as it’s still being shared by others. By making your account private, you greatly decrease your chances of this happening.

We collected resources on how to adjust your privacy settings on different apps and websites, as well as what data practices these companies have, here:


Protecting Your Privacy Online

Security and privacy iconThere’s no way to avoid encountering user agreements and privacy policies (unless you can somehow stop using every single site, app, and software forever). It may be daunting and time-consuming, but reading the terms and conditions is an important step in keeping your data privacy protected. Make it a habit to read these user agreements, and soon enough, it’ll just be a part of your routine.

For more tips on keeping yourself safe online, we recommend the following articles:

Privacy Risks in User Agreements and Privacy Policies: Frequently Asked Questions

Do you have a specific question about the privacy risks in user agreements? Check out our FAQ below to see if we already addressed your question. If we haven’t, feel free to leave us a comment with your question, and we’ll answer it as soon as possible!

“Terms of service” is simply a name given to a document that outlines the service being offered by a company to its customers. This document also covers how customers are allowed to use the product or service, as well as which permissions you’re giving a company regarding data gathering. You have to accept the terms of service of a certain product or service before you’re able to use it.

A privacy policy is a document that outlines what kinds of data a website, app, or service collects from you. It also discusses how the data is collected, why it’s collected, how it’s used, and who it’s being shared with.

Privacy policies originally came into being because lawmakers wanted a way to protect consumers and inform them how their data is used. However, due to their complexity and sheer size, they are often anything but helpful in this regard. Privacy policies don’t need to be accepted before using a service. However, by doing so, it is implied you have accepted the privacy policy.

The issue is two-fold. First, these documents are often incredibly long and written in complex legalese that virtually only a trained attorney specialized in data laws will understand. Secondly, this is most likely done to hide privacy clauses that are very unfavorable to consumers, such as clauses that give the company permission to collect enormous amounts of data from their consumers. Check out this article about the privacy risks in user agreements for more information.

Author
Tech journalist
Nathan is an internationally trained journalist and has a special interest in the prevention of cybercrime, especially where vulnerable groups are concerned. For VPNoverview.com he conducts research in the field of cybersecurity, internet censorship, and online privacy. He also contributed to developing our rigorous VPN testing and reviewing procedures using evidence-based best practices.
Contributor
News & Tech Editor
Nica is a news and tech editor at VPNOverview. She has an educational background in journalism and has worked in content marketing across several industries, including finance and cybersecurity.