Privacy Policy Analysis Framework

Data Collection Assessment

Personal Data (Identifiable)

  • Name, email, phone, address
  • Payment information
  • Government IDs
  • Biometric data
  • Health information

🟢 Collects only what's necessary for service
🟡 Collects data that seems tangential to service
🔴 Collects sensitive data without clear need

Device & Usage Data

  • IP address, device identifiers
  • Browser fingerprinting
  • Location data (precise vs approximate)
  • Usage patterns, browsing history
  • Content of communications

🟢 Standard operational data
🟡 Extensive tracking beyond basics
🔴 Collecting communication content, precise location without necessity

Data Use Assessment

Primary vs Secondary Use

  • Primary: Providing the core service
  • Secondary: Marketing, analytics, product improvement, AI training

🟢 Clear primary use, limited secondary
🟡 Extensive secondary uses but opt-out available
🔴 Broad secondary uses with no clear opt-out

AI and Machine Learning

  • Is data used to train AI models?
  • Can you opt out?
  • Does training data include your content?

🟢 No AI training or clear opt-out
🟡 AI training with some limitations
🔴 Broad AI training rights with no opt-out

Data Sharing Assessment

Third-Party Categories

  • Service providers (necessary operations)
  • Analytics providers
  • Advertising partners
  • Affiliated companies
  • Government/legal requests

🟢 Limited to necessary service providers
🟡 Analytics and advertising partners with some controls
🔴 Broad sharing, data sales, or unclear categories

Data Sales

  • Explicit: "We sell your data"
  • Implicit: "We share with partners for monetary consideration"
  • CCPA definition includes many "sharing" arrangements

🟢 Explicit no-sale policy
🟡 Sharing that may qualify as "sale" under CCPA
🔴 Explicit data sales

User Rights Assessment

Access & Portability

  • Can you see what data they have?
  • Can you download your data?
  • What format is it provided in?

🟢 Easy self-service access and download
🟡 Access available but requires request process
🔴 No clear access mechanism

Deletion Rights

  • Can you delete your account?
  • Is data actually deleted or just deactivated?
  • Exceptions and retention periods?

🟢 Clear deletion with minimal exceptions
🟡 Deletion available with significant exceptions
🔴 No deletion rights or extensive data retention

Opt-Out Options

  • Marketing communications
  • Targeted advertising
  • Data sharing
  • AI training

🟢 Granular opt-out controls
🟡 Some opt-out but limited
🔴 Take-it-or-leave-it approach

Red Flags

  • Vague language: "may share," "could include," "from time to time"
  • Broad rights: "all purposes," "any lawful purpose"
  • Silent on key issues: No mention of retention, deletion, or sharing
  • Binding arbitration: Limited legal recourse for privacy violations
  • Unilateral changes: Can change policy without notice
  • Children's data: Collects from minors without protections

Green Flags

  • Specific and limited: Clear data types and purposes
  • Retention limits: Defined retention periods
  • Strong user controls: Self-service privacy dashboard
  • Transparency reports: Regular disclosure of data requests
  • Privacy certifications: SOC 2, ISO 27001, Privacy Shield successor
  • Data minimization: Collects only what's needed