The top 20 lockdown sites and what they do with your data
We read the privacy policies of the most popular websites during lockdown so you don't have to.
By Eleanor Blackwood
Fri 19 June 2020
Curious about what companies do with your data, but don't have the time to trawl through privacy policies? We get it, so we did it for you.
The amount we do online has increased dramatically during Covid-19
Particularly during such a troubling time, we want to be able to do everything with speed and ease: from catching up on global headlines to ordering food to our doorstep.
While websites and apps are designed to increase convenience, it’s very often in return for personal data.
Ultimately, whether your personal data is shared should be up to you. Privacy policies should also be easy to understand, so that we know exactly what we're agreeing to.
Thanks to GDPR, websites and apps have to publish their privacy policies. But many don’t make them concise or easy to understand. Even the most privacy-conscious of us aren’t sure exactly what’s going to happen to our data when we press ‘Agree’ on a website.
Here is what some of the most popular lockdown sites say in their privacy policies:
With the huge shift to working from home for many, it's unsurprising that there are now over 200 million daily users on the site. But how do they handle your data?
- Zoom doesn’t sell your data
- But, there is a lot of secondary processing through external servers when you use the app
Houseparty boomed in popularity at the beginning of lockdown, providing a new way of connecting with people.
For example, they collect:
- account information you provide
- data about your usage of the app
- location information
- information when you link third party accounts and apps to Houseparty
- If you link your contacts, they'll collect information about your friends including 'their phone numbers and addresses'
- They also let everyone know when you log on or join and show your details to friends of friends
- Houseparty also uses 'tracking tools to collect information from you passively'
And who are they sharing your data with? Unfortunately, everyone and anyone. As an 'integrated social media platform' they share and receive personal information with third parties, arguing that they see themselves as 'part of the digital community'.
In a 2019 investigation, The Financial Times found that health websites, including WebMD, were sharing sensitive data. This sensitive data included 'medical symptoms, diagnosis, drug names, menstrual and fertility information', and was being shared with Google, Amazon and Facebook, as well as data brokers Scorecard and OpenX. Mainly, data went from WebMD’s symptom checker straight to Facebook.
Since the 2019 investigation, it appears that they don’t share data with these apps anymore.
- WebMD Lab Testing, WebMD Allergy store, app WebMD Baby, and WebMD Pregnancy all collect and store your data.
- In the event of a merger, or bankruptcy, your stored information would be shared with their legal successor.
It may be well worth requesting that data stored with them be erased if you have concerns. To do this, you can send a deletion request below.
The Financial Times investigation we mentioned above found that Babycentre shared their users' menstrual and ovulation information with Amazon Marketing.
- Tracks the websites you use before and after visiting their website
- They do sell your data
- While Amazon is absent, they do mention social media sites such as Facebook
- They say these are 'reasonable' measures, but that you should be aware that any data you do give them can't be fully secure
We have to note that they do give a cookie choice banner upon entering the site, which is a plus, but the above still seems like a lot.
The Mayo Clinic
- They don’t collect personal information unless you know you are providing it, or if you choose to join the Mayo Clinic Online Community.
- Unless you sign up for their newsletter, the Mayo Clinic doesn't provide any third party access to your IP address and email address.
Extra points to the Mayo Clinic!
SOCIAL MEDIA SITES
Facebook is being clearer about what information they collect and share on you, but they haven’t placed any significant new limits on themselves doing so.
What information do they collect?
This list is not exhaustive, and also includes sensitive data.
- metadata like the location of a photo
- religious views
- political beliefs
- relationship status
- if you’re expecting a baby
- contact information if you choose to upload, sync or import it from a device (such as an address book or call log, or SMS history)
N.B. You CAN access controls on marketing communications, as well as which cookies third parties are allowed to use to target you for advertisements. We'd say this is well worth doing.
Twitter seemed to escape the global data scandal relatively unscathed. Perhaps that’s because users always feel the information they share on the platform is public, and being sent out into the world.
Still, Twitter does collect data.
- They collect web data from third parties to inform your experience of their site
- They use information such as your age, gender and language to do this
You can also add extra security measures, as well as changing what you'd like to be publicly seen.
N.B. With both Facebook and Twitter you can avoid using them to verify your accounts on other apps. This will make sure that they aren’t sharing information they’ve collected on you to, say, Deliveroo.
On this professional networking platform, the personal data that they collect is most often data you share publicly. For example:
- your schooling
- employment history
- notable achievements
While LinkedIn do state that you aren’t obliged to share more than your basic information to create an account, they do encourage you to give more. They state that a more embellished and 'completed' profile may increase your 'economic opportunity'.
LinkedIn does provide the user with choices about how their data is collected and shared in relation to advertising, as you can opt in or opt out of cookies.
N.B. A notable form of sharing that you may not realise is happening is via premium accounts. If your premium account is paid for by your employer, they receive information about how you are using the premium features. So, bear this in mind if you're job hunting using premium.
CONTENT STORAGE SITES
Google Drive is a cloud-based storage site owned by Google, which means you can be sure that personal information you provide here will be shared with all Google Companies, including Google Ads.
- They will scan uploaded content to 'provide better services'.
The range of information they are scanning for is vast, from 'basic stuff like which language you speak' to 'more complex stuff like which ads you’ll find useful, the people who matter most to you online, or which YouTube videos you might like'. Basically, everything.
It's also unclear what the difference between 'scanning' and 'reading' is, as they don't clarify.
- If a legal request is made for your saved documents, Google will hand them over.
- They might review content to determine if it's 'illegal' or violates their 'program policies'. If it does, they may refuse to display content.
- If you delete something, it's not entirely deleted for some time. It will likely be in their backup systems for a further 30-60 days.
A good thing that Google does is provide a 'privacy check up' section, which enables you to review all your settings with them. Take a look at yours and let us know what you think @rightlydata!
Dropbox is another handy site for sharing and storing files. They’ll ask your permission to 'do things like hosting your stuff, backing it up, and sharing it when you ask us to', which sounds good.
- They’ll 'access, store and scan' your content to provide you with advanced features.
- Dropbox will share information and metadata they gather from your content with 'trusted third parties', but they won’t tell us what exact standards a company has to meet to gain their confidence. However, they do list some third parties, which is more than many companies do.
- They also take full responsibility for your data when sharing it.
They do offer a banner to learn more about cookies upon opening the site but you're only taken to a blog with no preference options. Hmm.
After many data leaks, Apple wants you to know that they take data privacy extremely seriously. They even put the slogan 'What happens on your iPhone stays on your iPhone' on a billboard.
Some key takeaways:
- Their security measures include end-to-end encryption of your data, and two factor authentication to access devices and iCloud.
- In some cases, your iCloud data may be stored with third party partners, like Amazon Web Services or Google Cloud Platform, but these partners won’t be able to decrypt your data, which is pretty smart.
SOME OF THE MOST POPULAR SITES DURING LOCKDOWN
- they'll only ever share your data if required to by law
- make the site better
- remember your settings
- measure website use
- communicate with you
Initially, it might seem like the data we share with ASOS isn’t too personal.
In reality, your dress size and the price range you shop in is great information for advertisers to use for behavioural targeting.
- They won’t sell any of our information to any third party, except marketing agencies. Unfortunately, this defeats the point a bit.
- If you let them, they’ll take all of your social media information.
They do, however, have a 'Your Rights' section that helps you make a data request. Way to go ASOS.
Deliveroo have been plagued by hackers accessing users' accounts and ordering themselves meals.
- If you disable cookies, large parts of the app become inaccessible.
- They'll contact you with direct marketing when you’ve given consent, or 'when we have a justifiable reason for doing so', which undermines the whole consent thing a bit.
For your data privacy, although we love a Deliveroo as much as the next person, you should be aware that the BBC reported that users have been defrauded, and that hackers have previously sold access to accounts.
Pornhub made headlines recently for waiving its membership fees for Italy.
You should know, before you cash in on that deal, that when you sign up as a member, the amount of information Pornhub can collect and store on you greatly increases.
- your age
- your gender
- your username
- members of their corporate group
- service providers for their site
- legal successors in the event of a merger, reorganisation or bankruptcy
You can choose whether they use third party cookies to show you targeted ads. Be aware, though, that if you’re signed into Google whilst on the site, Google My Activity will be collecting data on your visit as well.
It was all going well for Netflix on the data privacy front until a tweet exposed how they are tracking users' behaviour. The irony being that it was their own tweet.
When calling out the 53 people who watched A Christmas Prince 18 days in a row, they also revealed the degree to which they monitor users.
Netflix argued that they identified the trend through metadata, without identifying specific users.
They do collect information to optimise their service, but they do not use the data to offer any third party advertising services, and your information is contained within Netflix servers only. The Christmas Prince debacle aside, we think we can forgive them.
The Mail Online
Here are the headlines.
- The Mail Online gives information to third party sites, and receives information from them through cookies.
- If you log into The Mail through social media sites, you're 'granting permission for such companies to share your information for us'.
That includes your:
- IP address
- and possibly even sensitive data like your political views and religious beliefs
The real catch with this policy is that through you, they collect information on other people. If you use their ‘Email a friend’ or ‘share this article’ buttons, they’ll collect your friends' contact details. Apparently you should 'make sure that anyone you wish to email or share with is happy for this to occur'. Hmm, to put it lightly, this should be made a lot clearer.
Even more, it's a struggle to get back to your cookie preferences if you change your mind about how they should handle your data.
They are collecting information such as your IP address and your previous browsing history on the site. The Guardian also offers you a table of advertising partners that they share and receive data from, giving you the option to opt out of each individually. This is more than a lot of companies will do. They also won't collect any data about your race, political opinions, religion, health or sexual orientation unless permission is granted.
- employment-related information
- Internet or other electronic network activity information
- browsing history
- search history
- information regarding a user’s interaction with an Internet website, application, or advertisement
They do, through a handy pop up, ask your permission to use ‘required’ cookies that help the site operate, and you can then also opt out of 'functional cookies' that enhance the site. You're able to refuse all cookies except the required ones, which is pretty good.
Unfortunately, they don't state any of the third parties that they share information with or take any information from.
The BBC News site also has required cookies, and lets you opt out of 'functional' and 'performance' cookies.
The BBC say they're committed to keeping your data safe, but that 'no service can be completely secure'.
- The BBC will store information about your age, political opinions, gender and so forth, but only if it’s relevant. For example, if you’re applying for a political programme.
- They say they can transfer data but don’t list any possible places it can be transferred, or why they would transfer it. They’ll collect and store our data, but they promise they’ll never sell it.
- They share information with 'research' companies - this is quite vague.
- They do research activities and sometimes collaborate with research partners. They sometimes share content and data with them, but they say that they're careful about what they share and who they share it with.
We hope that these privacy policies are now much quicker to understand, but let us know if you still have any questions! You can tweet us @rightlydata.
If you'd like to tell any of these companies what to do with your data, like deleting it in full or in part, you can send requests through the Rightly platform, below.