SLIDESHOW: Translating a privacy policy

Marketplace Staff Sep 17, 2010

Photo 2: In order to understand the comments to the section below, it helps to have a general notion of how websites collect information.

Personal information may be collected from a user in many ways, for example:
-When the user lands on the site; (these are information about your browser, your IP address, your general location as determined from your IP address, the site from which you come)

-When the user merely browses through the site; (this information is collected through cookies and web beacons, and looks at how you use the site)

-When the user registers and voluntarily provides information in response to questionnaires; (this includes, your name, email address, phone number, location, gender, age. It may include more such as profession, income level, interests, etc.)

-When the user conducts activities on a site; (for example, when you purchase a book on Amazon, Amazon would record which book you purchase, to whom you send it, etc.)

In addition, information could be collected from third parties. For example, a site that knows enough about a user could run a credit check.

Photo 3:In addition, the user is also required to provide his “login credentials”, i.e. his username and password to the Gmail, Yahoo! mail, Facebook and other webmail or social networks that the user wants to link to the Blippy account; any account on websites from which it makes purchase, for example, the user’s Amazon, Netflix, or Orbitz account.

For example, if you give your login credentials to Amazon, this means that you will give Blippy unrestricted access to any information that is stored on your Amazon account, such as the names and addresses of all the people to whom you made a gift, what you purchased for them, which books or media you have in your wishlist. It also gives Blippy the ability to make purchases in your name since your credit card number is stored in your Amazon account. Blippy would not do this, but a disgruntled employee or former employee might do so.

If you give Blippy your “login credentials” for your Orbitz account, then they will have access to information on your past trip, your future trips, with whom you took the trip, and they may be able to purchase trips in your name, if your credit card is stored with Orbitz.

Q: Does Blippy have the right to sell/give out this information, or if asked by a court, to turn over this information?

A: If there is a proper court order or search warrant: Yes. Blippy would be obligated to provide the requested information in response to the request, unless the request was improper, used the wrong type of document, etc.

Do they have the “right to sell” information? It depends. If it is information that they created (for example, how many times Suzy bought chocolates at the Godiva store), they can do whatever they want because it is their property.

If it is some information that they saw on a third party site, such as Orbits in my example, that is more questionable.

If it is information that a user provided or gave out voluntarily through his or her membership in the site, then in most cases, websites tend to do whatever they want because there is little law or regulation about this. One of the obstacles may be that they may have said something in their privacy policy, and they have to do what they said they would do.

However, the FTC has an opinion about this, and it is going after companies when companies do what the FTC thinks of as being “unfair.”

Photo 4:If the user provides her photo, the photo will be displayed on the site.

The user may decide to provide other information. Examples: Your bio, your location, your personal website, your cell phone number, your address book.

This information is made public by default. If you do not want this information to be made public, do not give it or adjust the settings of your account accordingly.

Photo 5: The Blippy policy only provides very general information. All that is being said is that the information is collected to: Provide the service, administer the user’s membership, enable the user to easily navigate the service.

This general information is provided directly under the title “information collection and use.” There is no other more specific indication of what this means. The policy indicates that the information is used to market to the users.

Later in the document, it will be stated that the information is also provided to direct marketing organizations.

Q: Does this mean your name, phone number and e-mail address and possibly your friend’s addresses (from your address book) along with your interests will be sold to marketers?

A: The policy does not say so clearly. What we know is that they will “use the information to market to the user.” This can be achieved without “selling” the information to a third party.

For example, Blippy could identify through some internal means, all the “30 something that spends a lot of money on cosmetics.” Then Blippy have a contract with an advertising network, whereby Blippy will send a request for an ad from the advertising network that pertains to cosmetics, or something that fits the personality, such as fashion, shoes, jewelry, etc. and will send a code to the advertising networks, so that when someone in the category “30 something that spends a lot of money on cosmetics” is on the site, the advertising network servers an ad that is displayed on the Blippy site on that advertising space that the advertising network has rented on the Blippy site.

In the Blippy case, in addition, the policy says “we may use your contact information.” That could mean e-mail, text, phone, fax, etc. Thus, arguably, they could also send e-mails or text to the 30-something to send her advertisements about the cosmetics, etc.

It is not clear whether they would provide this information to third parties, “share it,” or “sell it,” so that the third party directly sends its ads to the 30-something, but they might. It does not say clearly that they would not do so.

Photo 6: Log data are also collected for “analytics” reason. That is, like all companies, websites use statistics to understand their visitors, what interests them, who recommended them, etc.

Most websites collect the following log data: IP address, browser type, domain visited before visiting this site (for example, to know whether you clicked through an add, or landed on a site after a Google search), which web page you are visiting, how long your stay on this page, on which parts of the page you click. Blippy does all of the above.

In addition, Blippy also collects search terms used by the visitor. Since this is linked to the user’s username, Blippy can easily know the interests of a specific user. For example, someone who has clicked on ads for travel, or who has spent time on pages that display information on trips booked by members or books about Venice purchased by members is likely to be more receptive to adds about travels to Italy.

It can also keep track of the search terms over a long period of time, to establish a profile of the individuals.

The fact that websites do retain information about the searches made by users is a major topic in Europe, where the view is that this information should not be accumulated indefinitely. Currently, the European Union requires sites such as Google or Yahoo! to limit the retention of information about searches made by users to 6 months maximum.

Blippy appears to plan to retain these search terms indefinitely.

Photo 7:There is no information about the fact that other entities that occupy space on the Blippy site may be also be sending cookies to a user when the user visits the Blippy site. If Blippy “rents the real estate” of its website to create “billboards” where advertising networks display adds, these advertisers are also sending cookies to the user’s computer. These cookies allow the user to be identified by the advertisers.

In general, these cookies are used for the advertising network to recognize the user and pick the ad that it believes is most appropriate for the user. There is no information about the use of web beacons or other tracking devices. These devices are commonly used by most website in order to collect information about the manner in which users browse through the site.

It is likely that Blippy uses web beacons or similar tracking devices.

Q: Is this legal? Do they have to disclose this

A: The FTC is working on this, and is trying to make companies disclose some of the most invasive type of tracking (this is called “behavioral advertising”). Right now, I am not aware of anything that would require them to say anything.

Please keep in mind that there are some uses of the beacons or tracking that are not harmful to the customers, and do not invade their privacy.

The current trends are to say that it is OK to use tracking in some cases (for example, to determine how long people stay on a particular page, because that means that the page has “the right stuff”). However, it is not OK to track people from site to site in order to identify their personal tastes (for example, the advertising network tags the person when he is on the golf club site and the sports sites, and then when the person is on a new site, reading the news of the data, the advertising network arranges for sending him ads that have to do with golf tournaments, exercise equipment, tickets to a football game, etc.)

Ads that result from tracking pay more money than ads that do not. Of course. Thus, there is an incentive for sites that rely on advertising for their funding to use tracking.

Photo 9: Blippy uses third parties to host its servicers, or store its data. It also uses third parties for customer relationship management and for direct marketing. In general, these companies provide the technology for sending mass e-mails. Some of these companies are reputable, and have good ethics. Blippy explains that its relationship with these service providers are subject to contracts that requires them to “maintain the privacy and security” of the customer’s data.

It is not clear whether the contract requires these entities to provide a specific type of privacy and security — such as to require the use of measures equivalent to those of Blippy, or whether it merely contains a general requirement about privacy and security.

Photo 10: Q: Who owns this information, you or Blippy?

A: Who owns the data is irrelevant for this purpose. If the government or a judge asks Blippy to provide whatever is on its servers about Joe the Plumber, Blippy will do it. Otherwise, they would get in trouble. So long as they respond to a valid request from a court or from law enforcement, they are OK.

Photo 11: The policy does not indicate how Blippy interacts with advertising networks. Since Blippy’s site is financed through advertisers, Blippy needs to provide to advertisers an incentive to advertize on the site. These advertising networks are not “service providers.” They are third parties. Thus, the relationship between Blippy and these advertising networks should be mentioned somewhere in this Privacy Policy.

Q: Is it OK that this relationship isn’t mentioned?

A: Some companies, which I could call the “good companies,” do make this type of disclosures. Right now, there are little rules, especially for websites, and the FTC and the state AGs are doing their best to try create some order in this wild world, and prevent what they view as abuses. Aside from California (and probably a few more states) there is not even a law to require websites to say what they are doing, unless they are regulated companies, such as banks, hospitals, etc.

In general, when a user visits a website, the site identifies the users so that the advertisers can send “the right ad” to the user. There are different techniques and restrictions. Some technologies allow identifying a user, so that the advertising network does not serve twice the same ad. Some technologies allow sharing a user’s profile (e.g. “interested in travel to Venice”) so that the advertising network serves an ad that is related to travel or to Italy, for example, an ad for a cruise in the Adriatic Sea.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.