SLIDESHOW: Translating a privacy policy

  • Photo 1 of 16

    This introductory paragraph provides a general overview.

    It refers to the Terms of Service of the website. This means that to understand the conditions for the use of the site, one must look at both the Terms of Service and the Privacy Policy.

    - Marketplace

  • Photo 2 of 16

    This section is supposed to explain (a) what information Blippy collects and (b) how and for what purposes Blippy uses this information.

    There is little information about (b). Look below for information on how websites collect information.


  • Photo 3 of 16

    When a user registers to become a member of Blippy, he is required to provide some information. This information includes the user's name and contact information.

    In addition to the mandatory information listed above, the user may elect to provide his phone number and city.

    The IP address is actually collected automatically because it helps the website determine the location of the user. This is useful to send ads that are relevant to the user.

    For example, if the website knows that you are located in Chicago, it may send you ads for a Bears game, whereas if it knows that you are in San Francisco, it may send you ads for a visit to Alcatraz.

    Look below for more information about this section of the policy.


  • Photo 4 of 16

    The user's username will always be posted on the site. Given the social networking aspect of the site, it is likely that a user's screen name will be her actual name.


  • Photo 5 of 16

    The Privacy Policy does not indicate what Blippy does with all the information collected above. It is common, in a privacy policy, for the company to explain how it uses the information that it collects from its users.

    Look below for more information about this section of the policy.


  • Photo 6 of 16

    All websites collect "log data," and Blippy does so as well. This information is used for technical reasons. For example, a website operator may send the site to your iPhone in a different format than it sends to your portable computer. It makes the decision based on the log data.

    Look below for more information about this section of the policy.


  • Photo 7 of 16

    All websites use cookies and so does Blippy.

    Blippy says that its cookies do not collect personally identifiable information. While this may be true, once someone has logged in as a registered user, Blippy will be able to identify the user.

    Look below for more information about this section of the policy.


  • Photo 8 of 16

    Information Sharing and Disclosure


  • Photo 9 of 16

    Blippy shares personal information with its own service providers. This is common to most companies. In any company, a portion of the services needed to operate the company is subcontracted to other third parties.

    Look below for more information about this section of the policy.


  • Photo 10 of 16

    Blippy may disclose personal information in connection with litigation and law enforcement issues. This provision is common to most websites.

    Website operators are frequently requested by law enforcement or litigants to provide information about their users. They generally comply.

    For example, if there is a divorce case, and one spouse wants to argue that the other has an alcohol problem, she may want to ask the Blippy site to provide all information about the spouse's purchases of fine wines and spirits, in order to prove her point.

    Blippy, like most other sites, is likely to respond to a request for this information.

    Look below for more information about this section of the policy.


  • Photo 11 of 16

    If Blippy is sold to another company, or if its assets are sold to another company in bankruptcy, the Blippy database will be transferred to that third party.

    The policy indicates that if the policy of the new custodian of the information significantly differs from that of Blippy, each user will have an opportunity to object to the transfer of his information to that new entity. If a user receives a communication from Blippy to this effect, she must react promptly. If she does not answer, she will be deemed to have accepted the transfer.

    Look below for more information about this section of the policy.


  • Photo 12 of 16

    The Policy allows each user to access and correct the information that Blippy has about him. To do so he has to write to the specified email address.

    The policy also indicates that if a user wishes to have certain information deleted or removed from the system, he also must write. Blippy will try to accommodate the request. However, it may reject it if it has a legal obligation to retain the information.

    There is no indication of when Blippy will respond, and when it will provide the access or complete the correction or deletion requested.


  • Photo 13 of 16

    Blippy protects personal information from loss, destruction, modification, unauthorized access, etc. through administrative, physical, and electronic measures.

    If there is a breach of security, and applicable law requires that Blippy inform its users whose personal information is exposed through the breach, Blippy will inform these users.

    Blippy will provide this information through an email or a posting on the website.


  • Photo 14 of 16

    Most websites link to other websites. For example, this may be done because there is a hyperlink in the text of an article to refer to another person's article on the same topic. If one clicks on this link, one is sent to the other person's article.

    This can also happen through advertisements posted on a site. When one clicks on the advertisement, one is taken to the website that is being promoted.

    These other websites have their own policies.


  • Photo 15 of 16

    This section addresses compliance with the Children's Online Privacy Protection Act (COPPA). COPPA creates numerous limitations on the collection of personal information about children under 13. As a result, most websites attempt to avoid collecting information from children, so that they do not have to comply with COPPA's complex and stringent requirements.

    This section explains that if Blippy finds out that it holds information about children under 13, it will destroy it.


  • Photo 16 of 16

    Websites periodically change their privacy policies. This section explains what happens if Blippy changes its policy.

    It is important for users to periodically review the sites that they use because the policies may change - sometimes drastically - and these changes are likely to affect the way in which their personal information that is already in the hands of the site is being handled.


Photo 2: In order to understand the comments to the section below, it helps to have a general notion of how websites collect information.

Personal information may be collected from a user in many ways, for example:
- When the user lands on the site (this is information about your browser, your IP address, your general location as determined from your IP address, and the site from which you come);
- When the user merely browses through the site (this information is collected through cookies and web beacons, and looks at how you use the site);
- When the user registers and voluntarily provides information in response to questionnaires (this includes your name, email address, phone number, location, gender, and age; it may include more, such as profession, income level, interests, etc.);
- When the user conducts activities on a site (for example, when you purchase a book on Amazon, Amazon would record which book you purchase, to whom you send it, etc.).

In addition, information could be collected from third parties. For example, a site that knows enough about a user could run a credit check.

Photo 3: In addition, the user is also required to provide his "login credentials," i.e. his username and password, for the Gmail, Yahoo! mail, Facebook and other webmail or social network accounts that the user wants to link to the Blippy account, and for any account on websites from which he makes purchases, for example, the user's Amazon, Netflix, or Orbitz account.

For example, if you give Blippy your login credentials for Amazon, this means that you will give Blippy unrestricted access to any information that is stored on your Amazon account, such as the names and addresses of all the people to whom you made a gift, what you purchased for them, and which books or media you have in your wishlist. It also gives Blippy the ability to make purchases in your name since your credit card number is stored in your Amazon account. Blippy would not do this, but a disgruntled employee or former employee might do so.

If you give Blippy your "login credentials" for your Orbitz account, then they will have access to information on your past trips, your future trips, and with whom you took the trips, and they may be able to purchase trips in your name, if your credit card is stored with Orbitz.

Q: Does Blippy have the right to sell/give out this information, or if asked by a court, to turn over this information?

A: If there is a proper court order or search warrant: Yes. Blippy would be obligated to provide the requested information in response to the request, unless the request was improper, used the wrong type of document, etc.

Do they have the "right to sell" information? It depends. If it is information that they created (for example, how many times Suzy bought chocolates at the Godiva store), they can do whatever they want because it is their property.

If it is some information that they saw on a third party site, such as Orbitz in my example, that is more questionable.

If it is information that a user provided or gave out voluntarily through his or her membership in the site, then in most cases, websites tend to do whatever they want because there is little law or regulation about this. One of the obstacles may be that they may have said something in their privacy policy, and they have to do what they said they would do.

However, the FTC has an opinion about this, and it is going after companies when companies do what the FTC thinks of as being "unfair."

Photo 4: If the user provides her photo, the photo will be displayed on the site.

The user may decide to provide other information. Examples: Your bio, your location, your personal website, your cell phone number, your address book.

This information is made public by default. If you do not want this information to be made public, do not give it or adjust the settings of your account accordingly.

Photo 5: The Blippy policy only provides very general information. All it says is that the information is collected to provide the service, administer the user's membership, and enable the user to easily navigate the service.

This general information is provided directly under the title "information collection and use." There is no other more specific indication of what this means. The policy indicates that the information is used to market to the users.

Later in the document, it will be stated that the information is also provided to direct marketing organizations.

Q: Does this mean your name, phone number and e-mail address and possibly your friend's addresses (from your address book) along with your interests will be sold to marketers?

A: The policy does not say so clearly. What we know is that they will "use the information to market to the user." This can be achieved without "selling" the information to a third party.

For example, Blippy could identify, through some internal means, all the "30 something that spends a lot of money on cosmetics." Then Blippy could have a contract with an advertising network, whereby Blippy will send a request for an ad from the advertising network that pertains to cosmetics, or something that fits the personality, such as fashion, shoes, jewelry, etc., and will send a code to the advertising network, so that when someone in the category "30 something that spends a lot of money on cosmetics" is on the site, the advertising network serves an ad that is displayed on the Blippy site on the advertising space that the advertising network has rented on the Blippy site.

In the Blippy case, in addition, the policy says "we may use your contact information." That could mean e-mail, text, phone, fax, etc. Thus, arguably, they could also send e-mails or texts to the 30-something to send her advertisements about the cosmetics, etc.

It is not clear whether they would provide this information to third parties, "share it," or "sell it," so that the third party directly sends its ads to the 30-something, but they might. It does not say clearly that they would not do so.

Photo 6: Log data are also collected for "analytics" reasons. That is, like all companies, websites use statistics to understand their visitors, what interests them, who recommended them, etc.

Most websites collect the following log data: IP address, browser type, domain visited before visiting this site (for example, to know whether you clicked through an ad, or landed on a site after a Google search), which web page you are visiting, how long you stay on this page, and on which parts of the page you click. Blippy does all of the above.

In addition, Blippy also collects search terms used by the visitor. Since this is linked to the user's username, Blippy can easily know the interests of a specific user. For example, someone who has clicked on ads for travel, or who has spent time on pages that display information on trips booked by members or books about Venice purchased by members, is likely to be more receptive to ads about travel to Italy.

It can also keep track of the search terms over a long period of time, to establish a profile of the individuals.

The fact that websites do retain information about the searches made by users is a major topic in Europe, where the view is that this information should not be accumulated indefinitely. Currently, the European Union requires sites such as Google or Yahoo! to limit the retention of information about searches made by users to 6 months maximum.

Blippy appears to plan to retain these search terms indefinitely.
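To make the log data described above concrete, the following is an added example (not Blippy's code and not part of the policy): it parses constructed access-log lines, pulls out the fields listed above, and shows the per-user search profile before and after a six-month cutoff. The "combined" log layout, the `q` search parameter, the username appearing in the log's user field, and treating six months as 183 days are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the common "combined" access-log layout.
SAMPLE_LOG = """\
203.0.113.7 - alice [02/Jan/2010:10:15:00 +0000] "GET /search?q=venice+hotels HTTP/1.1" 200 5120 "http://www.google.com/search?q=blippy" "Mozilla/5.0 (iPhone; CPU iPhone OS 3_1 like Mac OS X)"
203.0.113.7 - alice [20/Sep/2010:08:00:00 +0000] "GET /search?q=italy+cruise HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [21/Sep/2010:09:30:00 +0000] "GET /purchases/books HTTP/1.1" 200 2048 "http://ads.example.net/click?id=1" "Mozilla/5.0 (Macintosh)"
"""
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
RETENTION = timedelta(days=183)  # assumption: "6 months" taken as 183 days
NOW = datetime(2010, 9, 22, tzinfo=timezone.utc)  # constructed "today"

def parse_line(line):
    """Turn one log line into the fields the text lists, or None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    terms = parse_qs(url.query).get("q", [])  # "q" is an assumed parameter name
    referer = m["referer"]
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "page": url.path,
        "search": terms[0] if terms else None,
        "came_from": urlsplit(referer).hostname if referer != "-" else None,
        "device": "phone" if "iPhone" in m["agent"] else "other",
    }

def parse_log(text):
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]

def apply_retention(records, now):
    """Blank the search term on every record older than the retention window."""
    return [
        {**r, "search": None} if now - r["when"] > RETENTION else dict(r)
        for r in records
    ]

def search_profile(records):
    """Search terms grouped by logged-in username: the profile described above."""
    profile = {}
    for r in records:
        if r["user"] and r["search"]:
            profile.setdefault(r["user"], []).append(r["search"])
    return profile

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("kept indefinitely:", search_profile(records))
    print("after 6-month cutoff:", search_profile(apply_retention(records, NOW)))
```

Without the cutoff, the profile for a username keeps growing with every search; with it, only the recent terms remain while the rest of the log record is untouched.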

Photo 7: There is no information about the fact that other entities that occupy space on the Blippy site may also be sending cookies to a user when the user visits the Blippy site. If Blippy "rents the real estate" of its website to create "billboards" where advertising networks display ads, these advertisers are also sending cookies to the user's computer. These cookies allow the user to be identified by the advertisers.

In general, these cookies are used for the advertising network to recognize the user and pick the ad that it believes is most appropriate for the user. There is no information about the use of web beacons or other tracking devices. These devices are commonly used by most websites in order to collect information about the manner in which users browse through the site.

It is likely that Blippy uses web beacons or similar tracking devices.

Q: Is this legal? Do they have to disclose this?

A: The FTC is working on this, and is trying to make companies disclose some of the most invasive types of tracking (this is called "behavioral advertising"). Right now, I am not aware of anything that would require them to say anything.

Please keep in mind that there are some uses of the beacons or tracking that are not harmful to the customers, and do not invade their privacy.

The current trends are to say that it is OK to use tracking in some cases (for example, to determine how long people stay on a particular page, because that means that the page has "the right stuff"). However, it is not OK to track people from site to site in order to identify their personal tastes (for example, the advertising network tags the person when he is on the golf club site and the sports sites, and then when the person is on a new site, reading the news of the day, the advertising network arranges for sending him ads that have to do with golf tournaments, exercise equipment, tickets to a football game, etc.)

Ads that result from tracking pay more money than ads that do not. Of course. Thus, there is an incentive for sites that rely on advertising for their funding to use tracking.

Photo 9: Blippy uses third parties to host its services, or store its data. It also uses third parties for customer relationship management and for direct marketing. In general, these companies provide the technology for sending mass e-mails. Some of these companies are reputable, and have good ethics. Blippy explains that its relationships with these service providers are subject to contracts that require them to "maintain the privacy and security" of the customer's data.

It is not clear whether the contract requires these entities to provide a specific type of privacy and security -- such as to require the use of measures equivalent to those of Blippy, or whether it merely contains a general requirement about privacy and security.

Photo 10: Q: Who owns this information, you or Blippy?

A: Who owns the data is irrelevant for this purpose. If the government or a judge asks Blippy to provide whatever is on its servers about Joe the Plumber, Blippy will do it. Otherwise, they would get in trouble. So long as they respond to a valid request from a court or from law enforcement, they are OK.

Photo 11: The policy does not indicate how Blippy interacts with advertising networks. Since Blippy's site is financed through advertisers, Blippy needs to provide to advertisers an incentive to advertise on the site. These advertising networks are not "service providers." They are third parties. Thus, the relationship between Blippy and these advertising networks should be mentioned somewhere in this Privacy Policy.

Q: Is it OK that this relationship isn't mentioned?

A: Some companies, which I could call the "good companies," do make these types of disclosures. Right now, there are few rules, especially for websites, and the FTC and the state AGs are doing their best to try to create some order in this wild world, and prevent what they view as abuses. Aside from California (and probably a few more states) there is not even a law to require websites to say what they are doing, unless they are regulated companies, such as banks, hospitals, etc.

In general, when a user visits a website, the site identifies the user so that the advertisers can send "the right ad" to the user. There are different techniques and restrictions. Some technologies allow identifying a user, so that the advertising network does not serve the same ad twice. Some technologies allow sharing a user's profile (e.g. "interested in travel to Venice") so that the advertising network serves an ad that is related to travel or to Italy, for example, an ad for a cruise in the Adriatic Sea.

