We at CDP recently decided that in keeping with our work on developing new standards for online data collection, we should also create a survey of the privacy policies of the biggest online companies. We want to help users not only understand privacy policies more quickly and easily, but also to help them compare the practices of different companies.
As a result, I’ve been spending a lot of time reading privacy policies. I knew it wouldn’t be a fun activity, but it’s also been challenging in ways I didn’t quite anticipate. As I started to sit down and actually compare policies across a set of specific issues, it became quickly obvious that although they use many of the same words—private, personal, anonymous—they aren’t all using the same definitions.
For example, Yahoo defines “personal information” as “information about you that is personally identifiable like your name, address, email address, or phone number, and that is not otherwise publicly available.” Although it discusses the collection of other information, like log data and IP addresses, it never calls this information “personal.” Ask.com takes a similar tack, disclosing that it does collect such information, but calling it “anonymous information.”
AOL, in contrast, defines “AOL Network Information” as “personally identifiable information” that includes data like IP addresses, sites visited, and search history. Of course, AOL can’t pretend that such data is actually “anonymous.” After all, its proud release of “scrubbed” search query data two years ago was quickly shown to reveal the individual identities of thousands of users.
And what does it mean to us, as a society, that companies are defining these words on their terms?