Blog Skip the Intro Data Collection Data Sharing Data Retention Your Rights Security Policy Changes Red Flag Cheatsheet

Skip the Introduction — Start Here

Privacy policies all start the same way: a friendly welcome explaining how much the company cares about your privacy. Skip it. The real information is buried deeper. Here's your lawyer-style scanning strategy:

  1. Ctrl+F "share": See who gets your data
  2. Ctrl+F "sell": Check if your data is being sold
  3. Ctrl+F "retain" or "delete": Understand how long they keep data
  4. Ctrl+F "right": Find your data rights
  5. Ctrl+F "change" or "update": See how policies can be changed
Pro Tip: Use your browser's "Find in Page" (Ctrl+F / Cmd+F) to search for these keywords. They'll take you straight to the most important sections.

Section 1: What Data They Collect

The first thing to understand is what information the company gathers about you. Look for these categories:

Standard Collection (Expect This)

  • Name, email, and account information
  • Basic device information (browser type, OS)
  • Usage data (pages visited, features used)

Concerning Collection (Red Flags)

  • Location Data: "Precise geolocation," "continuous location tracking"
  • Biometric Data: "Facial recognition," "fingerprint," "voice patterns"
  • Behavioral Data: "Browsing history across sites," "purchase history from third parties"
  • Device Sensors: "Microphone access," "camera access," "keystroke patterns"
  • Financial Data: "Income information," "credit score data"
Major Red Flag: If you see "we may collect other information" or similar open-ended language, the company is giving itself permission to collect anything in the future without updating the policy.

Section 2: Who Gets Your Data

This is arguably the most important section. Companies use vague language to obscure who actually receives your information:

Watch for These Phrases

  • "Service Providers": Usually legitimate (hosting, analytics, customer support)
  • "Business Partners": Very broad — could be anyone they do business with
  • "Affiliates": Related companies — could be dozens or hundreds
  • "Third Parties": The vaguest category — potentially unlimited recipients
  • "Data Brokers": Companies that buy and sell your data as their business model

The "Sell" vs "Share" Distinction

Many companies have stopped using the word "sell" and instead say "share" or "disclose." Under some laws, they might be technically different, but the practical effect is the same: your data goes to other companies.

Section 3: How Long They Keep Your Data

Companies should specify retention periods. Vague language here is a red flag:

  • Good: "We retain your data for 12 months after account closure"
  • Bad: "We retain data for as long as necessary" (essentially forever)
  • Good: "You can request deletion at any time"
  • Bad: "We may retain de-identified data indefinitely" (de-identification isn't perfect)

Section 4: Your Rights Over Your Data

Privacy regulations give you specific rights. Look for these key rights:

Essential Rights Checklist

  • ✅ Right to access your data
  • ✅ Right to download/export your data
  • ✅ Right to delete your data
  • ✅ Right to opt-out of data selling
  • ✅ Right to correct inaccurate data
  • ✅ Right to opt-out of targeted advertising

If a policy doesn't mention these rights, that's a red flag — even if the company isn't legally required to provide them.

Section 5: How Your Data Is Protected

Companies should describe their security measures. Look for specifics, not vague assurances:

Good Signs Red Flags
End-to-end encryption "Industry-standard security" (unspecified)
Two-factor authentication "No security is perfect" (preamble to accepting risk)
Regular security audits No mention of breach notification process
SOC 2 / ISO 27001 certifications "You are responsible for your account security"
Bug bounty programs No contact for security issues

Section 6: How the Policy Can Change

The policy change section reveals how much the company respects your consent:

  • Best: "We will notify you directly of material changes and obtain consent"
  • Okay: "We will post changes on this page and update the date"
  • Bad: "Continued use constitutes acceptance" (you agree just by using the service)
  • Worst: "We may change this policy at any time without notice"

The Ultimate Red Flag Cheatsheet

Print this out or save it. These are the clauses that should make you think twice:

🚨 Dealbreakers (Walk Away)

  • Data selling to third parties without opt-out
  • Unlimited liability disclaimers ("we are not liable for anything")
  • Class action waivers with mandatory arbitration
  • No data deletion rights whatsoever
  • Social Security Number or government ID collection without clear purpose
  • "Perpetual," "irrevocable," or "worldwide" license to your content

⚠️ Warning Signs (Proceed with Caution)

  • Vague third-party sharing with unspecified "partners"
  • Automatic policy changes without notification
  • Biometric or facial recognition data collection
  • Continuous location tracking
  • Data retained "as long as necessary" (indefinite retention)
  • No GDPR or CCPA rights mentioned

The best way to protect yourself? Don't just trust companies — verify. Use PolicyLens to automatically scan any privacy policy for these red flags in seconds.

Ready to Check a Privacy Policy?

Use our free AI-powered analyzer to see what's in any privacy policy.

Analyze a Policy Free