How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy

Updated: 13 April 2021
In this guide you will learn about:

  • How to understand an online business’ privacy practices by looking at their privacy policy
  • What elements to look for in a privacy policy
  • What each element of a privacy policy means
  • What an online business must disclose in their privacy policy
  • How to read and judge a privacy policy

This guide was written in plain language, aimed at regular everyday readers. No fancy legalese, so dive in and enjoy the read.

If you want to learn more about any company’s privacy practices, their privacy policy is a good place to start. A privacy policy is a document that data protection laws require businesses to publish on their websites in order to inform users about what they do with the personal data they process.

It certainly won’t give you all the answers, but it will show you why a company processes personal data, what data they process, and with whom they share it.

Some data protection laws have an explicit requirement for a Privacy Policy. The California Consumer Privacy Act (CCPA), for example, explicitly requires a privacy policy and clearly lists every single element obligatory for a compliant privacy policy.

Understanding Businesses’ Privacy Practices

The General Data Protection Regulation (GDPR) of the EU, on the other hand, does not explicitly require one, but it requires businesses to provide users with information on their personal data operations under the transparency and accountability principles.

Unlike the CCPA, it is not explicit about the information that should be provided to users, but is sprinkled with many requirements regarding the information a business needs to provide to users in relation to transparency and accountability.

When you sum it up, businesses and website owners that collect and process personal data understand that a privacy policy is by far the most practical way to comply with the transparency requirements.

Internet users, in turn, can use the privacy policy as a transparency tool and look into the privacy practices of any given online business. This guide aims to show you how to read privacy policies and how to draw conclusions from them.

It is important to note that we assume that the business is really transparent about their data processing, but not all privacy policies are GDPR-compliant. Businesses, sometimes knowingly and sometimes unknowingly, leave out information that should be included in the privacy policy.

Uncovering that would require further investigation, which is beyond the scope of this guide. For our purposes, we will assume that everything laid down in the privacy policy is accurate.

We will explain to you what the obligatory elements of each privacy policy are and how to connect the dots between them to understand what is being done with your personal data.

Elements of a GDPR-Compliant Privacy Policy

Each privacy policy that aims to ensure compliance with the GDPR must contain the following elements.

1. Identity of the data controller

You have to tell your users who you are. No need to get into too much detail or write too much prose. Providing your business name, address, and state or country of incorporation would be enough.

If you run a business or a simple blog as an individual, your name along with location or email address would be enough.

2. The categories of personal data you collect and/or process

Categories of personal data can be a person’s name, alias, home address, email address, ZIP code, phone number, ID number, passport number, Social Security Number, etc.

Personal data under the GDPR also includes health data, information about private life, IP address, political views, religious views, or any other information that could be directly or indirectly linked to an individual. Therefore, anything can be a category of personal data as long as it can by itself or in combination with other data identify a person.

3. How you collect and/or process personal data

Here you should describe the methods of data processing. In most cases, either:

  • Users give you their data, such as when they give you their name and home address for delivery of goods, or
  • You collect the data by the use of cookies and other online trackers, such as Facebook Pixel, Quora Pixel, Google Marketing tools, and so on.

4. The purposes of data processing

Transparency under the GDPR means that you have to disclose to users why you need their personal data processed. Purposes of processing may include:

  • Analytics purposes, such as collecting statistics about website visits with Google Analytics or website usage with Hotjar,
  • Marketing purposes, such as when you collect their email to send them marketing materials, or track their online behavior to serve them ads relevant to such behavior,
  • Preferences, such as processing data to remember language preferences of a specific website visitor,
  • Customer support, when you collect a user’s email address or phone number to reach back out to them to solve a customer issue.

5. With whom you share personal data

You likely use third-party tools to collect and process data, such as Google Analytics, Facebook Pixel, Hotjar, Mailchimp, and others. In order to process your users’ personal data with these tools, you need to disclose that personal data to them. Your users have the right to know with whom you share their data, and you need to disclose it in your privacy policy.

6. Data subject rights

The GDPR calls users data subjects. When you collect personal data of a user, they become your data subject.

A data controller, meaning the business that collects data and has it processed on its behalf, owes data subjects certain rights. These rights include the right to be informed of the processing, the right to have data deleted, the right to object to processing, and so on.

You have to list the rights your users have in your privacy policy.

If you have to comply with multiple data protection laws at once, then you have to list all the rights that each of the laws grants to data subjects.

For example, compliance with the CCPA requires providing information on the sales of personal information. It is unique for the CCPA and is not required by the GDPR, LGPD, PIPEDA, or other laws.

So, if you need to comply with the CCPA, in addition to all other elements, you need to add those specific to this law.

7. How users can exercise their data subject rights

Businesses must provide data subjects with means to exercise their data subject rights, and these means need to be laid down in the privacy policy.

In most cases, providing an email address would be enough. Some businesses may also provide a contact form, a phone number, or any other means for exercising these rights.

8. Data transfers to third countries

Data transfers to third countries are arguably the trickiest issue for businesses that need to comply with the GDPR. Transfers within the Union and to adequate countries are free, but any other transfer requires additional transfer tools and possibly protection measures.

No matter how and where you handle personal data, users have the right to know whether it is transferred to third countries, and if so, where it is being sent.

9. Children’s personal data

If you knowingly collect and process children’s data, that must be included in this document.

10. Contact information

If you have a Data Protection Officer or legal representative in the EU, their name and contact information go here. Otherwise, any means for contact with you would be enough to include in this section.

How to Read the Privacy Policy

If you want to know how to draw the lines and complete the picture of the privacy practices of a company based on their privacy policy, first you have to learn how to read it.

We assume that you never bothered with reading privacy policies and you always accept cookies.

If you do bother now, we are about to explain to you how to navigate a privacy policy and understand what GDPR wanted to make them say.

To give you an idea what we are talking about, we’ll read the key elements of the Shopify privacy policy with you. It is a Canadian company that complies with the GDPR. Moreover, the Canadian PIPEDA (federal data protection law) has plenty of similarities with the GDPR.

Does Their Privacy Policy Contain All the Essential Elements?

Companies that are serious about GDPR compliance, as well as compliance with any other data protection law, have comprehensive privacy policies.

Some of them do not collect much personal data, so they have a short and simple privacy policy. That doesn’t necessarily mean they are non-compliant. They just do not deal much with personal data and don’t have much to communicate with you about it.

Such websites are rare, though. Most online businesses collect lots of data, including data they are not aware they collect and process.

If you notice a bunch of social media widgets on a website, that’s usually a sign of data collection.

If you are not sure what the website you visit does about your personal information, scan it for free on WebCookies.org and get the answers you need.

The scan report will also tell you with whom they share your personal data. It is impossible for online businesses to do everything by themselves, so they outsource many processes to third parties, i.e. SaaS companies who manage some processes on their behalf.

In many cases, outsourcing involves sharing users’ personal data. For example, sharing the IP address with Google Analytics, sharing email addresses with Mailchimp, and so on.

As for Shopify’s privacy policy, they have a wonderfully designed privacy policy with all the essential elements.

[Image: Privacy Policy Elements]

In this image you can see the sections their privacy policy has. The number of sections is smaller than the number of elements described in this article, but the rest of the required information is sprinkled throughout the other sections of the policy.

It is written in plain language, is easy to navigate, and easy to understand. It signals that the company wants to be transparent toward the users.

Moreover, they have a separate privacy policy for each group of users that uses the website or services in any way.

[Image: Privacy Policy Example]

Check out the purposes of data processing

The section on data processing purposes unveils the motives behind the personal data processing. Businesses are obliged to tell users what makes them want to collect and process data.

The most common purposes for data processing include, but are not limited to:

Provide you with products or services. They sell something and you have to provide your personal data, such as personal name, email address, home address, postal code, or other data they need to deliver you the product or service. The execution of a contract is a lawful basis for data processing under the GDPR and doesn’t require additional consent.

Marketing/Advertising purposes. When a business collects and processes personal data for marketing purposes, that means that they target customers based on the data they share with third-party services.

Examples for such services are social networks. They all provide advertisers with tracking pixels. These pixels track the web pages you visit online, match that activity with the data you have shared with them through your social media profile, and serve your profile as a potential buyer to the business.

The use of cookies or a pixel that could match you with more data points is part of processing data for marketing purposes, because the information is used for marketing of products and services.

Analytics purposes. Virtually every website on the internet uses some kind of analytics tool, such as Google Analytics, Plausible, Mixpanel, and others. Some of them collect personal data, others do not.

Check out which analytics tool they share data with in the section where they disclose the third-party tools they use.

Preferences. Businesses may collect your personal information to adjust the website to your preferences and improve your user experience. This may include accessibility adjustments, language, and others.

These are usually useful cookies that make the user’s life easier, but they collect personal data anyway, so consent is required before using them.

These are the most common processing purposes, but not the only ones. Different business activities lead to different processing purposes, so it is impossible to include them all here. However, most of them belong to these categories. Shopify, for example, uses more descriptive language to describe their purposes.

[Image: Data Collection Purposes]

Instead of analytics purposes, they say “providing reporting and analytics” and “testing out features and additional services”.

Instead of execution of a contract, they say “answering questions or providing other types of support” (which is part of the execution of a contract).

Marketing purposes are described as “assisting with marketing, advertising, and other communications”.

Having read this, you can understand that they monitor the usage of their website because, like many other large companies, they take user experience seriously and they don’t hesitate to use personal data to figure out what a specific user wants from the website.

Also, you could understand that they use tracking tools to serve you with ads with tailored messages that are likely to interest you.

Finally, they have a purpose that serves their legitimate interest (fraud prevention) and some specific to their business (help merchants find and use apps in the app store).

Check out the categories of data collected

The next thing you should check is what the business needs to fulfill these processing purposes.

Fulfilling each purpose requires processing of a certain category of personal data. So, now you need to see how categories of data processed relate to the purposes.

If the business collects your email address to send you a newsletter, then such a category of data relates to the purpose. Without the email address, the business could not send you the newsletter.

If an app requires access to the photos on your smartphone to provide you with image editing services, then that is adequate for the processing purpose. But if they request your geolocation data to provide you with an app that adds filters to photos, this is an obvious red flag. That app doesn’t need to know where you are at any given moment. They may use the data for something else, or even sell it for money.

See how Shopify solves the transparency requirement in relation to categories of data:

[Image: Data Categories - Privacy Policy]

This table explains what categories of personal data they collect and how they use it.

Some businesses are not as transparent as Shopify, but it doesn’t mean they are not compliant. If you doubt their privacy practices, you can submit a data subject request and have your questions answered.

Where Do They Transfer Personal Data?

The GDPR forbids businesses from exporting personal data to countries where data protection is below the EU protection levels, unless they have a lawful basis to do so and, where needed, implement supplementary data security measures.

The lawful basis and the supplementary measures may be mentioned in the privacy policy, but it is not obligatory. That said, you may not be able to fully understand the data transfer practices of the company whose privacy policy you read.

[Image: Data Transfer Locations]

However, you can understand whether the data is being transferred outside of the European Union or not by having a look at the third parties to whom they disclose information.

[Image: Third Party Data Transfers]

This image shows some of the third parties they use for data processing. Many of them (and all of those in the image) are headquartered in the United States, which makes them subject to US law and may mean that the data is being transferred to the US. That makes things tricky in terms of the GDPR, because such a transfer requires supplementary protective measures.

Although the chances that the US government will access your personal data on suspicion that you are involved in terrorism or money laundering are small, if you are not comfortable with the transfer of your data to the US, you may want to address this with the company whose privacy policy you are interested in.

Lawful Basis for Data Processing

To understand the privacy practices of a company, you also need to understand their lawful bases for data processing. This is not always visible from the privacy policy, though. Some businesses may state the lawful basis in the privacy policy, but that’s not obligatory and very few do so.

The GDPR allows businesses to process data only if they have a lawful basis to do so. The lawful bases listed in Article 6 of the GDPR include:

  • Explicit user consent
  • Performing a contract
  • Legitimate interests
  • The user’s vital interests
  • Public interest
  • Compliance with laws, investigations, etc.

The two most common lawful bases are the explicit consent and the execution (performing) of a contract.

Businesses usually obtain consent by using a cookie banner that appears on arrival giving the user the opportunity to accept or refuse the cookies by clicking on a button.

Performing a contract is a lawful basis for processing when the business needs your personal data to execute a contract with you, such as providing a SaaS product, delivering a physical product, etc. Very often the Terms and Conditions (also called Terms of Use, or Terms of Service) are the contract being performed.

How to Draw the Lines

To understand the privacy practices through a company’s privacy policy, you need to draw a line between the processing purposes, the categories of data processed, and the third parties involved in the processing. On top of that, the business needs a lawful basis to process the data.

Basically, you need to ensure that:

  • The categories of data processed are aligned with the purposes of processing
  • The third parties’ business involves processing data for such a purpose
  • The business has a lawful basis to process the data, such as your explicit consent, performing a contract, legitimate interest, or others
  • The data transfers to third countries are lawful, and
  • The company has all the essential elements of a GDPR-compliant privacy policy present in the document.

Let’s imagine that an online business has collected your email address to deliver you a PDF on a subject that interests you. You gave them your email, they sent you the PDF. They also asked you if they could send you their weekly newsletter with marketing offers. You ticked the checkbox.

Now they have your email address. You have the PDF and their marketing materials.

They collected and processed your personal data for the purpose of executing a contract (sending the PDF) and for marketing purposes (sending the promo newsletter). They do not use the email address for anything else. They use Mailerlite, which is a Lithuanian company with servers in the EU.

This means that they have an adequate purpose for processing the email address, have a lawful basis to do so, and do not transfer data outside of Europe. That’s compliant with the GDPR and a nice privacy practice.

If they upload your email address to the Facebook Lookalike Audience tool and transfer your data to the US… well, that would be in violation of the GDPR, and many other similar data protection laws.

If you sign up for Shopify, they will monitor your behavior with Hotjar to see how you use the website and, when they gather enough information about that, make improvements. They have a valid purpose, a third-party tool to execute on the purpose and collect information on your behavior – that is all aligned and a valid privacy practice as long as they obtain your consent for the collection of personal information.

In the end, it is up to you to determine whether you are satisfied with a certain online business’s privacy practices or not. This article explained how to find the essential points of a privacy policy, so you can understand why and how your data flows from one server to another and gives a business insight from your data, but you are the one to decide if you are happy with how they handle data.

If you cannot determine yourself, just reach out to a professional.

Written by: Petar Todorovski

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.