Have you ever wondered what websites and companies are really doing with all of your personal information after you click ‘I Agree’ to those lengthy privacy policies?
Most people click through privacy agreements without giving them a thought. According to data from Statista, three in four individuals aged 18 to 29 always or often accepted online privacy policies on websites without reading them – and that is in the United States alone.
However, UAE cybersecurity experts warn that we should start paying more attention – and also thoroughly read privacy policies – before signing up to a mobile application, website or even a streaming platform.
“Privacy policies are important to read because they provide insight into how organisations collect, handle, and store data,” Timothy Wood – Partner, Head of Cyber Security & Data Privacy, Member of LG board at KPMG Lower Gulf told Arabian Business.
KPMG’s Wood explained that as our digital footprint expands, it is “crucial” to understand how personal data is being used and how it is stored online.
“Privacy policies outline the practices regarding data protection, ensuring that users have the knowledge and agency to make informed decisions about their information and how it is used,” he said.
Moreover, today – where privacy and data protection are at the forefront of discussions – these policies serve as a tool for users to understand their rights and how their data is managed, particularly regarding sensitive information, Wood said.
By familiarising themselves with privacy policies, individuals can proactively safeguard their privacy and ensure their data is handled responsibly by organisations, he added.
However, the definition of data privacy “varies legally country by country, and by technology and vertical within each country too,” said Morey Haber, Chief Security Advisor at BeyondTrust, adding that regulations regarding telemetry, data analytics, personally identifiable information, data collection and retention, and even ownership of data once uploaded may (or may not) be covered by legislation that binds all users of a solution.
“For example, ‘the right to be forgotten’ may exist in one country but not another, and the retention of the data for development, quality assurance, or future public disclosure might not even be addressed in some parts of the world, based on the maturity of a government’s influence over data privacy. Therefore, every user, in every country, should be aware of a solution’s privacy policy before using it for personal or business use,” he said.
BeyondTrust’s Haber explained that certain protections may be enforceable in some regions even if they are not clearly defined in the policy, or, conversely, may be wide open in regions where no enforcement is possible.
He therefore recommends knowing your rights and reading an application’s privacy policy to ensure your information is secured in line with your personal risk tolerance. Haber added that local laws will outweigh any privacy statement and can be enforced (at legal cost) if necessary.
“Just because a company does not state their data privacy compliance appropriately does not mean they can’t be forced to do so. Ultimately, you must always weigh the effort and cost that will be involved in your final decision.”
Your data might end up being used for purposes you never agreed to, from targeted ads about an obscure hobby to resale to third parties you have never heard of.
“It makes sense to go through the privacy policy contract before signing up for an app or providing information that you think is sensitive. As sensitive data is increasingly being collected, stored, and shared by service providers, understanding your rights allows you to be able to control what happens to your data,” Wood said.
However, organisations need to comply with varied regulatory requirements for privacy, which change at a swift pace, he explained, adding that these regulations can affect how organisations collect, use and share data.
More importantly, Wood said, they can also affect what approvals organisations need from their users.
“It [privacy policies] also explains what rights users have, for example, the right for a user to be ‘forgotten’.”
Echoing the sentiment, BeyondTrust’s Haber added that although it is legally advisable to read an entire licence agreement and privacy policy before using an application, users “rarely do so” because these documents are “lengthy and full of legalese.”
“It is therefore recommended to search the application’s permissions in the application store to see what the application will have access to, and then judge whether that information being collected and disclosed is a risk to you. This decision is based on your personal risk tolerance,” he said.
In addition, you should be able to search the application’s data privacy policy (potentially after you download it) for keywords describing the intended use of your information and whether the provider reserves the right to sell your information to a third party.
Some keywords to look out for while reading your privacy policy contract
“In my opinion, this is the biggest risk to end users based on data collected: what will happen to that information and who might purchase it. This is why it is always important to review the whole privacy policy, or at least the section on the data being collected. For example, are you comfortable with an application collecting your browser history and contact list? If the permissions for the application grant this access, you have no control as to what it may be used for in the future,” he explained, adding that it is advisable to look for keywords such as ‘sale’, ‘third party’, ‘retention’, ‘deletion’, ‘ownership’, and ‘data’.
In addition, KPMG’s Wood advised users to be on the lookout for specific words and terms that indicate important aspects of data handling and user rights.
“Terms such as ‘third-party sharing’, ‘cross-border transfers’ and ‘opt-out’ are particularly crucial,” Wood said.
According to Wood, ‘third-party sharing’ refers to sharing information with other businesses, potentially affecting how data is used beyond the original context. ‘Cross-border transfers’ indicate if data may be processed in different jurisdictions, affecting privacy protections due to varying laws. ‘Opt-out’ informs users how to refuse certain data usage, like for marketing purposes.
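The keyword search both experts recommend is easy to automate. The script below is an added example, not code from either expert or from Arabian Business: it splits a policy into sentences, groups the terms named above (sale, third party, retention, deletion, ownership, cross-border transfers, opt-out) into topics, reports the sentences that touch each topic, and, just as importantly, lists the topics the policy never mentions at all, which is Haber’s point that retention or deletion “might not even be addressed.” The topic grouping and regular expressions are my own, and the sample policy text is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Topic groups built from the keywords the two experts list above.
# The grouping and the regex alternatives are assumptions of this example,
# not a standard taxonomy; extend them for the policies you actually read.
KEYWORD_GROUPS = {
    "sale or third-party sharing": (
        r"sell(?:s|ing)?|sale|sold|shar(?:e|es|ed|ing)|third[- ]part(?:y|ies)"
    ),
    "cross-border transfers": (
        r"cross[- ]border|transfer(?:s|red|ring)?|jurisdictions?"
        r"|outside (?:your|the) country"
    ),
    "opt-out": r"opt[- ]?out|opt[- ]?in|unsubscribe|withdraw(?:s|al)?",
    "retention": r"retain(?:s|ed)?|retention|for as long as",
    "deletion": r"delet(?:e|es|ed|ion)|eras(?:e|ed|ure)|forgotten",
    "ownership": r"ownership|licen[cs]e[sd]?|intellectual property",
}

# Constructed sample policy for the demonstration (not a real vendor's text).
SAMPLE_POLICY = """
We collect your contact list and browsing history to personalise the service.
We may share or sell this information to third parties, including advertising partners.
Your data may be transferred to and processed in jurisdictions outside your country of residence.
You can opt out of marketing emails at any time via your account settings.
We retain account data for as long as your account is active.
"""


def split_sentences(text: str) -> list[str]:
    """Crude sentence splitter: break after . ! ? followed by whitespace."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [p.strip() for p in parts if p.strip()]


def triage_policy(text: str) -> dict:
    """Return {'hits': {topic: [(matched term, sentence), ...]},
               'unaddressed': [topics with no match]}.

    Case-insensitive, word-bounded matching so 'share' does not fire on
    'shareholder' but 'shared' and 'sharing' are still caught."""
    compiled = {
        topic: re.compile(r"\b(?:" + pattern + r")\b", re.IGNORECASE)
        for topic, pattern in KEYWORD_GROUPS.items()
    }
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for sentence in split_sentences(text):
        for topic, rx in compiled.items():
            m = rx.search(sentence)
            if m:
                hits[topic].append((m.group(0), sentence))
    unaddressed = [topic for topic in KEYWORD_GROUPS if topic not in hits]
    return {"hits": dict(hits), "unaddressed": unaddressed}


if __name__ == "__main__":
    report = triage_policy(SAMPLE_POLICY)
    for topic, matches in report["hits"].items():
        print(f"[{topic}]")
        for term, sentence in matches:
            print(f"  '{term}' -> {sentence}")
    # Silence on a topic is itself a finding: the policy says how long it
    # keeps data but never says how (or whether) you can have it deleted.
    print("Not addressed anywhere:", ", ".join(report["unaddressed"]))
```

Run it against a policy saved as a text file (`triage_policy(open("policy.txt").read())`) after downloading the app, as Haber suggests. Sentences that match several topics are reported under each one, and the “not addressed” list is what to follow up on with the vendor or against local law, since an omission in the policy does not mean the right does not exist.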
“When deciding what data to share with an organisation, it’s important to consider the context and relevance of the information being requested. Share only the data that is necessary for the service or product you are using. For example, a hospital will need sensitive health information for medical reasons, while most organisations won’t require such sensitive data. Therefore, be cautious about sharing personal information that is not relevant to the context. If a service asks for information that seems excessive or unnecessary, it’s a red flag,” he said.
Wood explained that, in addition to understanding privacy policies and being selective about the data shared, “it is also crucial for businesses to stay informed about data protection laws and regulatory changes that might affect them, especially in rapidly developing landscapes.”
Implementing strong data governance practices and regularly training staff on privacy standards are crucial for safeguarding user data and ensuring compliance with changing regulations, he said.