Terms of service: pitfalls, loopholes, and legal traps

These documents are often written in dense legalese, a technical language that can be confusing for the general public. In fact, this became such a problem that the European Union implemented the General Data Protection Regulation act, specifying that all new privacy policies need to be written using plain, accessible language. However, this only applies to EU territories.

To help us explore the pitfalls and legal loopholes that may be hidden in data consent forms, we’re talking to Diego Naranjo. Naranjo has worked for the organization European Digital Rights, or EDRi, since 2016 and became head of policy in 2019. EDRi works to protect the digital rights of citizens across the EU.

NordVPN: What are the most common pitfalls found in privacy policies and terms of service that everyone should be aware of?

Diego Naranjo: The most common problem is that they are too long and/or in legalese and most people do not have time to read them. Even if you went through the hard work of reading them, they are written in such vague terms that you would not really know what you are signing for.

N: Is there any particular industry (or specific company) that is notorious for having confusing or misleading privacy policies and terms of service? Can you share or are you aware of any specific cases where a company was discovered to be using misleading policies?

D. Naranjo: The most recent example is the one of Facebook and their privacy policies regarding the use of facial recognition in their platform.

Editor’s note: The Facebook facial recognition fiasco refers to a supposedly opt-in-only facial recognition service that links users to their faces. Facebook claimed to only store your biometric data with consent. The first wave of users were informed that their biometric data had been taken, but there was no consent confirmation. Facebook then automatically opted-in the second wave of users.

N: Are there any particular keywords we can find in a privacy policy that are red flags and should be avoided? What tips would you provide to our readers?

D. Naranjo: As it happens with laws, words in conditional form — “we may”, “we could” — should raise suspicions if the conditions following those expressions are not clear and could be subject to arbitrary abuse. Furthermore, references to unnamed “third parties” that may use personal data you exchange with that platform should raise questions.

N: When are privacy policies binding and non-binding? Is there a way for someone to agree to a privacy policy without signing away their data?

D. Naranjo: Privacy policies are a way to explain to users how their data is being used. What is really binding are data protection laws, and if the privacy policies (or in general data protection practices) are not in line with the applicable law then they are invalid.

N: What does the future look like for privacy policies and terms of service? Do you think they will become more complex, or will there be a stronger push to simplify them for users? How about their privacy protections?

D. Naranjo: I have not agreed to any “No Fire Policy” when I bought my ironing machine or to a “Non Explosion Policy” when I bought my vacuum cleaner. By default, these products need to respect a number of fire-safety and consumer safety regulations. In the same way, I believe that the best protection is to have privacy by design and by default in all hardware and software that is put on the market rather than expecting people to suddenly become data protection officers when they buy their smart fridge.

N: Is there anything else you believe consumers need to be aware of before agreeing to a privacy policy or terms of service?

D. Naranjo: Regarding terms of services: In most cases people do not have an option. It is a take it or leave it situation and we are forced to accept whatever they tell us if we want to use the service. Regarding privacy policies, that is a bit different. It is a good practice to check what companies are going to do with your data, whether it is Facebook or your local e-commerce shop. If you believe the privacy policies may be not in line with applicable data protection laws, check with a lawyer or present a complaint before your data protection authority so they can deal with it for you.

Protecting your privacy with NordVPN

While privacy policies may indeed be in place to protect your rights, it’s not a stretch to believe that some giant corporations may not take those contracts as seriously as others. Rather than relying on the good faith of faceless entities, why not take a proactive approach and get a VPN.

NordVPN will keep your activity hidden from anyone trying to spy on you — even your internet service provider. You can keep your privacy protected on the go, since NordVPN is compatible with all operating systems and most devices. One NordVPN subscription will cover 6 of your devices, potentially securing your entire household.

With NordVPN, you can protect your data from both hackers and the major corporations trying to monetize it.

Enjoy a premium encryption experience and strengthen your online privacy.