Ever wonder where, how, and why your personal data is processed? Post-GDPR, you might be able to find the answers by looking at privacy policies. In part 2 of our Sweet Sixteen series, we’re bringing you the highlights from 8 more privacy policies, informing you on how to gain control of your personal data privacy. Check out the first part of our series here!
1. OpenTable — May 23, 2018
OpenTable — the restaurant reservation platform — has taken substantial steps toward hosting a privacy policy compliant with the GDPR. To begin, their privacy policy features a quick summary at the top that helps users locate specific sections of their policy.
Opentable offers extensive information regarding how your data is shared. Some of these include sharing:
- Information with restaurants and affiliates
- With third parties for their own marketing purposes
- Information with third-party vendors, consultants, and other service providers
Opentable does well to offer a way to opt out of information sharing through your account preferences, and allows users to opt out of marketing communication through an unsubscribe link.
Opentable has a specific page tailored toward residents of the EU and UK that includes these additional rights regarding personal data:
- Access
- Rectification
- Erasure
- Restrict Processing
To make a request, you can contact OpenTable.
2. Rubrik — May 25, 2018
Rubrik has a fairly simple privacy policy, covering the bases of information collected — who it’s shared with, and how it’s used. Rubrik states that it uses a third party to process user data and create targeted advertisements. There’s a way to opt out of this through an external portal, but users will still receive non-targeted ads.
Similar to OpenTable, Rubrik has a designated section for EU residents. Additional information is included such as:
- The legal basis for processing
- Personal data transfers outside of the EEA
- Data subject rights
- Access
- Rectification
- Erasure
You can request access to your data by contacting Rubrik.
3. DropBox — May 25, 2018
Dropbox’s privacy policy is simple and straightforward. They cover what data they collect, how they use it, and with whom it’s shared.
The following information is collected:
- Account information. We collect and associate with your account, the information you provide to us when you do things such as sign up for your account, upgrade to a paid plan, and set up two-factor authentication (like your name, email address, phone number, payment info, and physical address)
- Your Stuff. Our Services are designed to make it simple for you to store your files, documents, photos, comments, messages, and so on (“Your Stuff”)
- Contacts
Dropbox has options for users in regard to personal data as stated:
- Erase or delete all or some of Your Stuff in your Dropbox account. You can learn more about how to delete files saved on Dropbox here.
- Change or correct personal data. You can manage your account and the content contained in it, as well as edit some of your personal data, through your account settings page.
- Access and take your data. You can download a copy of Your Stuff in a machine- readable format as outlined here. You can also ask us for a copy of personal data you provided to us. Find out how here.
It’s important to note that the data accessible through these methods is simple account information. Personal data that is processed, shared, and used by Dropbox may have limited access for users. The discrepancy between account data and personal data isn’t always visible to users but is important in determining the privacy and transparency level of the company.
Dropbox also publishes a transparency report twice a year that informs users of the company’s requests in regard to data.
4. InVision — June 4, 2018
InVision has one of the most extensive privacy policies we’ve seen, and it attempts to cover all user concerns. The policy illustrates processing grounds, data transfers, data subject rights, security, and more.
Some of the uses for data processing are as stated:
- Learn more about our users and their internet behaviors
- Target offers to users
- Evaluate the types of offers, products, or services that may be of interest to users
- Facilitate marketing, advertising, surveys, contests, sweepstakes, and promotions
InVision offers the following options with regard to personal data:
- Access
- Rectification
- Erasure
- Objection to processing
- Withdrawal of consent
These tools can be accessed through their rights management page or by contacting InVision.
Finally, InVision has a GDPR compliance page. This page provides EU residents with greater transparency in terms of compliance with the GDPR.
5. Lever — May 25, 2018
Lever, similar to InVision, has a comprehensive privacy policy. It includes basic processing and the transfer of information in addition to collection and use of data. The policy states the following rights for EU residents, that can be exercised by contacting Lever:
- Right to withdraw consent
- Right of access
- Right to erasure (or the “Right to be Forgotten”)
- Right to object to processing
Similar to Dropbox, Lever has account data accessibility for all users. However, account data accounts for only a small portion of the personal data a company collects, and non-EU residents aren’t able to access, delete, or object to the processing of their personal data. Further, this distinction highlights that many companies are attempting to comply with GDPR but aren’t as focused on increasing transparency across all users in terms of personal data.
Lever does state some of their third-party processors with whom personal data is shared with — a great addition to their privacy policy that provides customers with transparency into what businesses have access to their data.
6. Mixpanel — May 16, 2018
One of the highlights of Mixpanel’s privacy policy is the inclusion of a Data Protection Officer. This individual is available to address the concerns of users, specifically EU residents, and their privacy. There is contact information included — and after reaching out — we found the officer responds quickly and provides insight into the processing of data by Mixpanel.
Mixpanel also features a data processing addendum that includes information about compliance with the GDPR, terms of data processing, and the types of personal data processed. After requesting, we were able to access Mixpanel’s list of subprocessors — which is a clear indicator that the company is taking steps to be fully compliant with the GDPR.
As stated by Mixpanel, “A subprocessor is a third party data processor engaged by Mixpanel, including entities from within the Mixpanel group, who has or potentially will have access to or process Customer Content (which may contain Personal Data).”
7. Sumologic — November 11, 2017
Sumologic covers its bases in terms of information collected, privacy shield coverage, and data usage. The policy states that information is used to:
- Assess the needs of your business to determine suitable products
- Send product updates or warranty information
- Send you a newsletter
- Send you marketing communications
- Improve our Website and marketing efforts
- Conduct research and analysis
The policy is lacking in certain key areas, as it fails to address the concerns of the GDPR and other upcoming regulation. There is a section regarding access to personal data, with a contact, however, no time frame or additional information is specified for data subjects.
8. Intercom — May 25, 2018
Intercom’s privacy policy proves to be detailed and well-organized. Just like Mixpanel, Intercom has hired a Data Protection Officer to help the company comply with data privacy regulation and support transparency for the organization.
Intercom also offers access to the following rights for data subjects:
- Opt-Outs
- Communication Preferences
- Blocking Cookies
- Data Subject Rights: You can access, rectify, erase, restrict or export your personal information at any time by emailing us at [email protected]. You can object to our processing of your personal information at any time. Contact our Data Protection Officer with requests or concerns at [email protected]
Our Insights
Post-GDPR, many companies are making personal data more accessible for its users. To find out the type and depth of information companies collect on you, we suggest reaching out to a few through their privacy policy contact. In our requests, we’ve found that companies with an appointed Data Protection Officer are more likely to respond in a timely manner with the information you requested.
To take control of your personal privacy, it’s crucial to first find out what personal data companies have collected on you. Submitting access requests helps consumers take hold of their privacy. In the future, regulation may grant additional rights to citizens worldwide including data deletion and the right to be forgotten. California already has a bill set to release in early 2020, which will grant many rights to its residents in regard to their data.
For companies, privacy will continue to be a hot topic. Both in order to comply with future regulation, and to provide users with confidence, firms will have to be transparent with their data processing and use. Many policies have been changed to provide additional resources for EU residents in order to comply with the GDPR, however, companies that are looking to the future will want to provide these resources for all of their users and customers.
According to a study by Label Insight, 94% of consumers surveyed indicated that they were more likely to be loyal to a brand that offers transparency, while 73% said they were willing to pay more for a product that offers complete transparency.
By providing these rights, users will build greater trust in the business and are more likely to continue working with the company.
A Deloitte survey of 2,000 consumers in the U.S found that 91% of people consent to legal terms and services conditions without reading them. For younger people, ages 18–34 the rate is even higher with 97% agreeing to conditions before reading.
It’s evident that privacy policies and similar documents are often ignored by the average user. Unfortunately, this allows companies to have users agreeing to any terms they want, as it rarely affects a user’s decision to proceed with the product or service.
We hope you were able to learn more about your personal privacy in this two-part series and took away some key points about the data processing that companies currently employ. As privacy continues to become a greater concern, policies will need to be looked at from both a compliance and personal privacy perspective.
In the coming weeks, we will be continuing to interview Data Protection Officers, several of who were involved in writing privacy policies.
Check out the first part of our series here!