Browse all articles

How We Keep Track of Privacy Policy Changes

Our privacy evaluation process keeps track of policy changes so you don't have to.

Girard Kelly | April 11, 2019

Companies are required to post privacy policies.

A company that collects personal information is required to post a privacy policy on its website to explain how it collects, uses, and shares the personal information you provide through its application or service. If a company includes a version or an effective date on its policy, that indicates which privacy terms apply to your use of the product or service. When you see a new date, this may indicate that changes have been made to the policy. For a complete overview of a company's privacy practices, we recommend also reading a company's terms and conditions (often called "terms of use" or "terms of service") before using an application or service, because it can provide additional detail about a product's use of personal information.

We evaluate privacy policies.

The Common Sense Privacy Program evaluates the policies of popular consumer and education technology applications and services that are currently used by millions of students in the classroom and by kids at home. We have found that the majority of policies we evaluate do provide an effective date or version number of the policy. This is helpful because it provides you with notice of what date the policy is effective so you can understand what the company's practices are on the date when you download or sign up to use that product. With this information you should be able to provide informed consent to use the application or service. If the policy changes, the company should provide you with notice, but if it doesn't, or you don't happen to see the notice, you can check the effective date to see whether the date on the policy has changed.

Our easy-to-understand privacy evaluations can help you make informed choices about the products you use at home and pass on that information to other parents and families using the same apps with their kids.

How to determine whether a policy has changed.

Even if you are provided notice by email or another type of notification through the application or service itself that the policy has changed, it's often extremely difficult to determine what changes the company actually made since the last effective date and what those changes mean for you. Companies know it can be difficult to communicate the changes they have made to their policies, so in some cases they will try to help you understand them with simple, bullet-pointed language and a summary of the changes.

These change summaries are helpful in that they can provide you with a general understanding of what has changed and allow you to provide informed consent to their updated terms -- even if you don't read all the policies or don't read them all again. However, you should keep in mind that these summaries are exactly that: just summaries. The summary of changes may not contain all the important changes that were actually made to the policies. There may be some changes the company did not feel were important enough to summarize but that would still affect you.

Some companies may provide a link on their websites to their old policies for your review of all the changes, but this practice is exceptionally rare. Companies may update their terms several times a year, and given that the average consumer actively uses dozens of applications and services, researchers have found that it would take on average approximately 76 work days per year for a person to read all their updated privacy policies. However, even if you were able to find the older versions of the polices for review, they are still very difficult to read, and most consumers find it challenging to even understand what the updated terms mean.

Unfortunately, this means consumers are typically on their own as they try to understand a company's updated policy changes. We recommend the following steps to provide informed consent to a company's updated terms:

  1. Read and understand the company's updated terms.
  2. Track down and read an archived copy of the company's old policy (if it's still available).
  3. Determine what changes were made in the updated policy compared to the old policy with comparison and track-changes features available in document-editing software.
  4. Navigate the updated changes that directly affect you.
  5. Provide your consent to continue using the application or service, or delete your account.

We track changes to policies.

The Privacy Program recognizes that taking all the steps required to understand a company's updated terms can be challenging, even for our team. To solve this problem, we created a tool that automatically provides us with detailed information about a company's updated terms using an open-source program called wdiff. This tool was incorporated into our policy annotator and automatically scans a company's privacy policies on its website to determine whether or not there have been any additions or deletions to them since we completed a privacy evaluation of its product using its older terms.

For example, the company Canva updated its privacy policy, and our updated policy-detection tool automatically determined the policy text differences between the old and new policies. The tool then displayed for us the percentage of policy content that had changed -- and that had not changed -- since we crawled and archived its previous policies.

We used this information to determine that Canva had updated its policy on May 25, 2018. We could see several policy text additions highlighted in green and subtractions from its policy text highlighted in red. We used this information to determine exactly which privacy practices had changed and whether the changes could have had a substantive impact on the company's privacy evaluation.

We update our privacy evaluations.

In this example, our team then uses detailed information about Canva's policy changes to update Canva's privacy evaluation to reflect the updated changes in its practices. We also change the date on the evaluation to reflect that we've updated its evaluation so you know how current our evaluation is. A product's updated policy changes can also have a positive or negative impact on a product's evaluation tier and evaluation score. More importantly, the wdiff program allows our evaluators to more quickly reevaluate a product that has updated its terms. Privacy evaluations often take many hours to complete, and rather than starting over when a company updates its terms, we can tell precisely which policy changes have been added or removed since our previous evaluation and update the evaluation to reflect only those specific changes.

We save you time tracking policy changes.

Parents and educators can save time when they use our privacy evaluations to keep track of all the dozens of applications and services they use, especially when the companies update their privacy policies. Our easy-to-understand privacy evaluations can help you make informed choices about the products you use at home and pass on that information to other parents and families using the same apps with their kids. The ultimate goal of building our policy tracking tool that incorporates wdiff is to help our team update a company's privacy evaluation as quickly as possible after an update. This allows parents and educators to catch up to the changes and revise their own decision-making process when products update their terms, so they can focus on finding the most appropriate apps to use with their students in the classroom, with their kids at home, and in their daily lives.