Or is it still written in complex “legalese” and/or opaque language? (For example, “We collect certain personal information to give you a better online experience” is too vague.) If it does not pass this initial test, you can move on to a competitor who takes privacy seriously.
2. Are you really consenting?
3. Does it clearly present what information is collected and how it will be used and shared?
Does it enumerate the data collected and why (e.g., to provide a service, for targeted marketing by a third party, for analytics)? Does it explain plainly what it does with the data and with which third parties it is shared? For example, does it sell personal data to third-party marketers? Is there an easy, clearly visible way on the home page to opt out of such transfers of user data to third parties (as required, for example, by California’s CCPA)?
4. Is the information collected reasonable with respect to the service or product you are acquiring?
Ask yourself whether the site is justified in collecting each personal data item. For example, your exact date of birth may be needed for an online life insurance quote, but it would be overkill for a website to ask for it when an age range would have sufficed. Perhaps there is no customer-beneficial reason for them to request an age range at all.
5. Does it clearly explain how each data item is collected and how long it is retained?
Is data collected via a user form that you submit? Through automated tracking (e.g., by placing a tracking cookie on your computer)? Through automatic detection (e.g., “fingerprinting” your device by collecting your IP address, browser and version, operating system and version, installed fonts, screen resolution, etc., in order to recognize you and your activities even when you are not logged in)? Does it spell out how long the collected data will be retained? For example, will they delete all data upon request? Upon account closing? After a designated amount of time?
6. Does it provide for an easy way to access, export, edit/correct, and/or delete personal data collected?
Both CCPA and GDPR stipulate certain requirements to allow users to access, correct or delete personal data.
7. Does it claim the right to contact you via email, text messages, phone, and/or snail-mail?
Is there an easy opt-out available or a way to limit the volume and frequency of contacts?
8. Does it reassure you about security of your personal data, and does it authenticate you thoroughly?
For example, are user data protected by measures to secure their servers from intrusion, by physical security, by encryption of sensitive data, and by backups? Does the site use the “https” protocol (shown in the URL field of your browser)? Does it provide strong authentication, such as by offering two-factor authentication (e.g., confirming your login credentials by sending you a code via text message or an app, which you must enter to proceed)?
9. Does the site have a history of user data breaches?
A quick internet search for “company name + breach” might reveal a clean record or some distasteful history. Almost as important as a past breach is how the company handled it. Did they sit on the incident for an unreasonable amount of time before disclosing it? Was there compensation to affected users?
If there is no contact-us form or alternate way of contacting the company, that is a red flag. Also, is there a date the policy was last updated, and does it promise to notify users when there is an update?
There is not anything in this post that should be construed as legal advice. Rather, this post provides general educational information, which is believed to be valid. Consult your attorney for guidance specific to your needs.