
Red Flags in Privacy Notices

What to Watch For Before You Accept Those Terms

If you’ve ever tried reading a privacy notice, you probably understand how overwhelming it can sometimes be. What should clearly explain how your data is collected, used, and shared often becomes dense with legal jargon and technical language. For many, it's confusing and discouraging.

Some common red flags to look for are:

  • Missing Information
  • Lack of Specificity
  • Contradictory Statements
  • Miscellaneous

Below, we explain each of these and offer some tips to help you spot when something is not quite right.

Missing Information

One of the biggest red flags in a privacy notice is often not what it says, but what it leaves out. Knowing what companies are generally required to disclose lets you judge how much to trust a notice. Below are items that should appear in a privacy notice; if one is missing, it may indicate that the company has not thought carefully about how it handles your data, or does not want you to know:

  • The types of personal information collected, the purpose of each collection, and how long the data is retained.
  • An explanation of your data privacy rights, such as the Right to Access, Right to Opt-Out, Right to Delete, Right to Restrict, and Right to Correct/Update your information, and how to exercise them.
  • Contact information for the company’s Privacy Office or Data Protection Officer.
  • A statement of how children’s or minors’ data is handled and protected.
  • A clear statement of whether the company sells or shares your personal information and, if it does, how to opt out.
  • A “Last Updated” date that is within the last few years.
    • Privacy notices should be updated regularly to keep pace with numerous state and global privacy regulations as well as the fast-moving technological environment. A notice that has not been updated in years suggests the organization may not be tracking whether its data handling is still accurate and compliant.

Lack of Specificity

Another red flag to look out for is vagueness. Companies sometimes write their privacy notices in very general terms to obscure how they collect and process your information. This violates the privacy principle of transparency and should immediately raise suspicion. The two excerpts below contrast a poorly written privacy notice with one written clearly:

Ambiguous Excerpt

"We may collect certain information from or about you and your device from time to time to improve our services. This information could be shared with third parties in various ways for different purposes, as permitted by applicable laws."

Why it's ambiguous:

  • "Certain information" is vague. The type of information collected should be specifically stated.
  • "From time to time" gives no sense of how often or under what conditions data collection occurs.
  • "Shared with third parties in various ways for different purposes" offers no transparency as to who the third parties are and the circumstances under which information can be shared.
  • "As permitted by applicable laws" sounds reassuring but actually offers little clarity about practices.

"We collect your name, email address, and browsing activity on our website to personalize your experience and improve our content. We share this information with our analytics provider, Google Analytics, to generate aggregated usage reports. You can opt out of this sharing at any time by visiting our privacy settings page."

Why it's clear:

  • Specifies exactly what data is collected.
  • States why it’s collected.
  • Names the third party involved (Google Analytics).
  • Mentions how users can exercise control (opt-out link).

Contradictory Statements

Another red flag to be mindful of is contradiction. In a privacy notice, this could mean a statement like “We do not share your personal data” followed later by “We may share data with partners for marketing.” Another example is “We do not sell your data” followed by a later clause such as “We may share your personal data with our third-party vendors for our benefit,” which, under laws that define a sale as disclosure for monetary or other valuable consideration, can amount to a sale.

Contradictions like these may be less common than the other red flags, but they do exist, and it is important to be aware of them. Companies may deliberately place comforting statements at the beginning of a privacy notice and then undercut them later with the kind of ambiguous wording discussed above. When you see a reassuring promise, keep reading to check whether a later section quietly takes it back.

Miscellaneous Red Flags

As you gain a deeper understanding of how to read privacy notices, here are some additional red flags to look for and questions to explore:

Potential Red Flag: Using your personal data to improve the company’s services or train their models.
Informative Question(s): Does it tell you what personal data they are going to store/use for this? Can you opt out?

Potential Red Flag: De-identifying or aggregating your data for the company’s purposes.
Informative Question(s): Do you trust the company’s privacy and technical maturity to truly de-identify your data, given that poorly de-identified data can often be re-identified by combining it with other sources? And do you know what data they will be using?

Potential Red Flag: Using your personal data for personalization offerings or features.
Informative Question(s): Is the personalization service sufficiently beneficial to you? Can you easily opt out?

Potential Red Flag: Using your data for marketing and promotional purposes.
Informative Question(s): Is it used only by the company you signed up with, or will it be shared with third parties for their own marketing campaigns? Can you easily opt out?

The best way to protect yourself is to be vigilant before agreeing to share any personal information. Learn what should be included in a privacy notice and develop the habit of looking for the key items mentioned in this article. This will make you more aware of what companies are doing with your information and of the steps you can take to protect it.

It is up to you to determine if you are comfortable with the degree of data sharing taking place, if you want more control over your personal data, and if you feel that the transparency and protections are sufficient.