The top 20 lockdown sites and what they do with your data

We read the privacy policies of the most popular websites during lockdown so you don't have to.

Curious about what companies do with your data, but don't have the time to trawl through privacy policies? We get it, so we did it for you.

The amount we do online has increased dramatically during Covid-19

Particularly during such a troubling time, we want to be able to do everything with speed and ease: from catching up on global headlines to ordering food to our doorstep.

While websites and apps are designed to increase convenience, it’s very often in return for personal data.

Ultimately, whether your personal data is shared should be up to you. Privacy policies should also be easy to understand, so that we know exactly what we're agreeing to.

Thanks to GDPR, websites and apps have to publish their privacy policies. But many don’t make them concise or easy to understand. Even the most privacy-conscious of us aren’t sure exactly what’s going to happen to our data when we press ‘Agree’ on a website.

Here are what some of the most popular lockdown sites say in their privacy policies:

VIDEO-CALLING PLATFORMS

The Cabinet's zoom meeting

Zoom

With the huge shift to working from home for many, it's unsurprising that there are now over 200 million daily users on the site. But how do they handle your data?

Zoom’s privacy policy has come under fire recently after The Citizen Lab found that Zoom was using a non-standard type of encryption, and transmitting information through China. However, the BBC’s Cyber Security Reporter Joe Tidy says that the platform is 'still fine for most', and that it would take a hacker a huge amount of time to unscramble and piece together your work meeting.

Key privacy policy points:

  • Zoom doesn’t sell your data
  • But, there is a lot of secondary processing through external servers when you use the app
  • Their privacy policy is currently being overhauled; there's a team working on it as we speak.

Houseparty

Houseparty boomed in popularity at the beginning of lockdown, providing a new way of connecting with people.

We've gone through their privacy policy, and have to admit that it's very vague. For example, the personal data that they collect depends on 'the exact nature of our relationship with you'. So, rather than going into detail, they offer 'the most common examples'.

For example, they collect:

  • account information you provide
  • data about your usage of the app
  • location information
  • information when you link third party accounts and apps to Houseparty

But if you go into more detail, the privacy policy also tells you:

  • If you link your contacts, they'll collect information about your friends including 'their phone numbers and addresses'
  • They also let everyone know when you log on or join and show your details to friends of friends
  • Houseparty also uses 'tracking tools to collect information from you passively'

And who are they sharing your data with? Unfortunately, everyone and anyone. As an 'integrated social media platform' they share and receive personal information with third parties, arguing that they see themselves as 'part of the digital community'.

WebMD

In a 2019 investigation, The Financial Times found that health websites, including WebMD, were sharing sensitive data. This sensitive data included 'medical symptoms, diagnosis, drug names, menstrual and fertility information', and was being shared with Google, Amazon and Facebook, as well as data brokers Scorecard and OpenX. Mainly, data went from WebMD’s symptom checker straight to Facebook.

Since the 2019 investigation, it appears that they don’t share data with these apps anymore.

However, their privacy policy notes:

  • WebMD Lab Testing, WebMD Allergy store, app WebMD Baby, and WebMD Pregnancy all collect and store your data.
  • In the event of a merger, or bankruptcy, your stored information would be shared with their legal successor.

It may be well worth requesting that data stored with them be erased if you have concerns. To do this, you can send them a deletion request.

Babycenter

The Financial Times investigation we mentioned above found that Babycentre shared their users' menstrual and ovulation information with Amazon Marketing.

In their current privacy policy, they no longer mention Amazon Marketing. However, their privacy policy does say:

  • They track the websites you use before and after visiting their website
  • They do sell your data
  • While Amazon is absent, they do mention social media sites such as Facebook
  • They say these are 'reasonable' measures, but that you should be aware that any data you do give them can't be fully secure

We have to note that they do give a cookie choice banner upon entering the site, which is a plus, but the above still seems like a lot.

The Mayo Clinic

The Mayo Clinic says that they 'respect the right to privacy of all users', and their privacy policy seems to back that up.

Their privacy policy says:

  • They don’t collect personal information unless you know you are providing it, or if you choose to join the Mayo Clinic Online Community.
  • They do use cookies to track your path on the site and to tailor ads.
  • Unless you sign up for their newsletter, the Mayo Clinic doesn't provide any third party access to your IP address and email address.

Extra points to the Mayo Clinic!

SOCIAL MEDIA SITES

Facebook

Facebook has been at the centre of many privacy concerns, most notably the Cambridge Analytica scandal of 2018, which you can read more about in our blog. One thing that we can be sure of is that Facebook's privacy policy is often evolving.

So how has their privacy policy changed?

Facebook is being clearer about what information they collect and share about you, but there haven’t been any significant new limits on their doing so.

What information do they collect?

This list is not exhaustive, and also includes sensitive data.

  • metadata like the location of a photo
  • religious views
  • political beliefs
  • relationship status
  • if you’re expecting a baby
  • contact information if you choose to upload, sync or import it from a device (such as an address book or call log, or SMS history)

N.B. You CAN access controls on marketing communications, as well as which cookies third parties are allowed to use to target you for advertisements. We'd say this is well worth doing.

Twitter

Twitter seemed to escape the global data scandal relatively unscathed. Perhaps that’s because users always feel the information they share on the platform is public, and being sent out into the world.

Still, Twitter does collect data.

What their privacy policy says:

  • They collect web data from third parties to inform your experience of their site
  • They use information such as your age, gender and language to do this
  • When you use the site, you’re agreeing to their privacy policy, but you can opt out of interest based ads, and letting Twitter access your location.

You can also add extra security measures, as well as changing what you'd like to be publicly seen.

Twitter seem comparatively strong about data in their privacy policy: they state that you're in control of all of it. Our type of message!

N.B. With both Facebook and Twitter you can avoid using them to verify your accounts on other apps. This will make sure that they aren’t sharing information they’ve collected on you with, say, Deliveroo.

LinkedIn

On this professional networking platform, the personal data that they collect is most often data that you share publicly. For example:

  • your schooling
  • employment history
  • notable achievements

While LinkedIn do state that you aren’t obliged to share more than your basic information to create an account, they do encourage you to give more. They state that a more embellished and 'completed' profile may increase your 'economic opportunity'.

LinkedIn does provide the user with choices about how their data is collected and shared in relation to advertising, as you can opt in or opt out of cookies.

N.B. A notable form of sharing that you may not realise is happening is via premium accounts. If your premium account is paid for by your employer, they receive information about how you are using the premium features. So, bear this in mind if you're job hunting using premium.

CONTENT STORAGE SITES

Google Drive

Google Drive is a cloud-based storage site owned by Google, which means you can be sure that personal information you provide here will be shared with all Google Companies, including Google Ads.

What does their privacy policy say?

  • They will scan uploaded content to 'provide better services'.

The range of information they are scanning for is vast, from 'basic stuff like which language you speak' to 'more complex stuff like which ads you’ll find useful, the people who matter most to you online, or which YouTube videos you might like'. Basically, everything.

It's also unclear what the difference between 'scanning' and 'reading' is, as they don't clarify.

  • If a legal request is made for your saved documents, Google will hand them over.
  • They might review content to determine if it's 'illegal' or violates their 'program policies'. If it does, they may refuse to display content.
  • If you delete something, it's not entirely deleted for some time. It will likely remain in their backup systems for a further 30-60 days.

A good thing that Google does is provide a 'privacy check up' section, which enables you to review all your settings with them. Take a look at yours and let us know what you think @rightlydata!

Dropbox

Dropbox is another handy site for sharing and storing files. They’ll ask your permission to 'do things like hosting your stuff, backing it up, and sharing it when you ask us to', which sounds good.

What they say in their privacy policy:

  • They’ll 'access, store and scan' your content to provide you with advanced features.
  • Dropbox will share information and metadata they gather from your content with 'trusted third parties', but they won’t tell us what exact standards a company has to meet to gain their confidence. However, they do list some third parties, which is more than many companies do.
  • They also take full responsibility for your data when sharing it.

They do offer a banner to learn more about cookies upon opening the site but you're only taken to a blog with no preference options. Hmm.

Apple

After many data leaks, Apple wants you to know that they take data privacy extremely seriously. They even put the slogan 'What happens on your iPhone stays on your iPhone' on a billboard.

Apple's privacy policy is pretty watertight, it has to be said.

Some key takeaways:

  • Their security measures include end-to-end encryption of your data, and two factor authentication to access devices and iCloud.
  • In some cases, your iCloud data may be stored with third party partners, like Amazon Web Services or Google Cloud Platform, but these partners won’t be able to decrypt your data, which is pretty smart.

SOME OF THE MOST POPULAR SITES DURING LOCKDOWN

Gov.uk

We would expect the UK government website, Gov.UK, to be an example of best practice when it comes to data privacy, and they’ve kept things pretty simple. In their privacy policy they state that:

  • they'll only ever share your data if required to by law

They use cookies to:

  • make the site better
  • remember your settings
  • measure website use
  • communicate with you

ASOS

Initially, it might seem like the data we share with ASOS isn’t too personal.

In reality, your dress size and the price range you shop in are great information for advertisers to use for behavioural targeting.

ASOS has a great, easy to read privacy policy with a handy little poem video that tells us 'we collect information about you, we protect information about you, to help you find you'.

Unfortunately their privacy policy also says:

  • They won’t sell any of our information to any third party, except marketing agencies. Unfortunately, this defeats the point a bit.
  • If you let them, they’ll take all of your social media information.

They do, however, have a 'Your Rights' section that helps you make a data request. Way to go ASOS.

Deliveroo App

Deliveroo have been plagued by hackers accessing users' accounts and ordering themselves meals.

Their privacy policy is quite vague. Here's what we do know:

  1. If you disable cookies, large parts of the app become inaccessible.
  2. They'll contact you with direct marketing when you’ve given consent, or 'when we have a justifiable reason for doing so', which undermines the whole consent thing a bit.

For your data privacy, although we love a Deliveroo as much as the next person, you should be aware that the BBC reported that users have been defrauded, and that hackers have previously sold access to accounts.

Pornhub

Pornhub made headlines recently for waiving its membership fees for Italy.

You should know, before you cash in on that deal, that when you sign up as a member, the amount of information Pornhub can collect and store on you greatly increases.

Rather than simply knowing your IP address, according to their privacy policy they'll collect:

  • your age
  • your gender
  • your username

Plus, the privacy policy states that they will not disclose any of your personal information, except to:

  • members of their corporate group
  • service providers for their site
  • legal successors in the event of a merger, reorganisation or bankruptcy

You can choose whether they use third party cookies to show you targeted ads. Be aware, though, that if you’re signed into Google whilst on the site, Google My Activity will be collecting data on your visit as well.

Netflix

It was all going well for Netflix on the data privacy front until a tweet exposed how they are tracking users' behaviour. The irony being that it was their own tweet.

When calling out the 53 people who watched A Christmas Prince 18 days in a row, they also revealed the degree to which they monitor users.

Netflix argued that they identified the trend through metadata, without identifying specific users.

They do collect information to optimise their service, but they do not use the data to offer any third party advertising services, and your information is contained within Netflix servers only. The Christmas Prince debacle aside, we think we can forgive them.

NEWS SITES

The Mail Online

Here are the headlines.

The Mail Online's privacy policy states:

  • The Mail Online gives information to third party sites, and receives information from them through cookies.
  • If you log into The Mail through social media sites, you're 'granting permission for such companies to share your information for us'.

That includes your:

  • location
  • IP address
  • age
  • gender
  • and possibly even sensitive data like your political views and religious beliefs

The real catch with this policy is that through you, they collect information on other people. If you use their ‘Email a friend’ or ‘share this article’ buttons, they’ll collect your friends' contact details. Apparently you should 'make sure that anyone you wish to email or share with is happy for this to occur'. Hmm, to put it lightly, this should be made a lot clearer.

Even more, it's a struggle to get back to your cookie preferences if you change your mind about how they should handle your data.

The Guardian

The Guardian’s privacy policy is very transparent and designed to be easy to understand. You’ll find helpful explanations of what cookies are, and a short video called 'Our Privacy Promise'.

They are collecting information such as your IP address and your previous browsing history on the site. The Guardian also offers you a table of advertising partners that they share and receive data from, giving you the option to opt out of each individually. This is more than a lot of companies will do. They also won't collect any data about your race, political opinions, religion, health or sexual orientation unless permission is granted.

The list of sharing partners is quite extensive, and includes AppNexus, Comscore, Facebook pixel, Google Adwords, Google Adx, Index Exchange and many more. It also includes OpenX, a known data broker, so even though this privacy policy is transparent, we might be opting out of that one.

Bloomberg

According to their privacy policy Bloomberg may collect:

  • employment-related information
  • Internet or other electronic network activity information
  • browsing history
  • search history
  • information regarding a user’s interaction with an Internet website, application, or advertisement

They do, through a handy pop up, ask your permission to use ‘required’ cookies that help the site operate, and you can then also opt out of 'functional cookies' that enhance the site. You're able to refuse all cookies except the required ones, which is pretty good.

Unfortunately, they don't state any of the third parties that they share information with or take any information from.

BBC News

The BBC News site also has required cookies, and lets you opt out of 'functional' and 'performance' cookies.

The BBC say they're committed to keeping your data safe, but that 'no service can be completely secure'.

  • The BBC will store information about your age, political opinions, gender and so forth, but only if it’s relevant. For example, if you’re applying for a political programme.
  • They say they can transfer data but don’t list any possible places it can be transferred, or why they would transfer it. They’ll collect and store our data, but they promise they’ll never sell it.
  • They share information with 'research' companies - this is quite vague.
  • They do research activities and sometimes collaborate with research partners. They sometimes share content and data with them, but they say that they're careful about what they share and who they share it with.

Final thoughts

We hope that these privacy policies are now much quicker to understand, but let us know if you still have any questions! You can tweet us @rightlydata.

If you'd like to tell any of these companies what to do with your data, like deleting it in full or in part, you can send requests through the Rightly platform.