DOS, Consumer Protection
Make Privacy Your Policy (June 2009)

Industry groups often suggest that consumers are avid readers of website privacy policies, and understand their terms without confusion.1 Not so fast, says the Consumer Privacy Awareness Project (CPAP), which conducted a November 2008 survey of consumer privacy policy reading habits. According to the survey, in only a minority of cases do consumers read privacy policies carefully: 32% of consumers say they read internet service provider policies carefully, 30% for online retailer policies, and a mere 18% for search engine policies.2 Based on the above, it appears that most consumers do not read privacy policies carefully--or maybe at all.

Why don't consumers read privacy policies? In the CPAP survey, 70% expressed confidence ("very" or "fairly knowledgeable") in their ability to protect their personal privacy online, though many of these same respondents were not reading privacy policies. This confidence may not be well-founded, however, as 54% were either uncertain or denied that their online activity was being tracked by companies for commercial purposes. Industry groups assert that this widespread practice is generally understood and accepted by consumers.

What about you? If you avoid reading website privacy policies, is it because you believe you already know what these policies say? Do you assume that if a site has a "privacy" policy that means it is required to meet certain standards like giving you the right to access, correct and delete the personal information it has about you, the right to be told about security breaches and to receive assistance if your identity is stolen, and the right to sue for damages? Wouldn’t the site also be prohibited from selling your personal information to third parties?

If you agree that having a privacy policy requires a website owner to do or not do all of the above, you have a lot of company. According to a recent survey conducted among California Internet users, most believed that "privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data." Furthermore, a majority who shop online believed that privacy policies prevent third party sharing of their purchasing information.3 Unfortunately, none of these consumer expectations are correct.

There are no state or federal laws that require website privacy policies to provide you with a right of access, correction and deletion for the information a website has about you, that require assistance if your identity is stolen through a website breach, or that limit the website's right to sell the personal information of adults to third parties. Many states, including New York, require businesses to notify you if your computerized private information has been breached4, but these laws have nothing to do with whether a site must have a robust privacy policy. Many website privacy policies will voluntarily offer some of these rights (but not others).

Thus, when in doubt, check it out. Read the privacy policies of the sites you visit and frequent only those sites whose policies meet your expectations. As you are reading the privacy policy, ask yourself these ten questions:

  1. What information is being collected about you? Can any of this information be used to identify you personally? By itself or in combination with other information?
  2. For what are they using your information? Are they the purposes you expected? Any other purposes? Any you object to?
  3. With whom are they sharing your information? Are they employees of the company? Or are they subsidiaries or affiliates of the company? Are they individuals or businesses which are outside the company?
  4. Are you given choices? Are you able to grant permission for collecting, using or sharing your information?
  5. Is the choice to opt-in or opt-out? In other words, do you have to say “yes” before information can be collected, used or shared? Or is your only choice to say “no” to stop the collection, use or sharing that may have already occurred?
  6. Do you have the right to know what information the website has about you? Is there a way for you to access this information so you know what they have?
  7. Do you have the right to modify or delete information about you? Is there a mechanism for you to change information that is inaccurate or inappropriate?
  8. Is your web surfing behavior being tracked for commercial purposes? Does the site use cookies? Web bugs? Other tracking methods?
  9. How is your information being secured? What steps is the company/website taking to prevent identity theft or a data breach?
  10. How long is your information being retained by the company? Is it deleted right away? Or kept for a period of time? How long? Does the company explain why it needs to keep your information for this period?

Once you’ve read a website privacy policy and you've asked the questions above, we'd like to hear your thoughts. Specifically, we'd like to know:


1  See, e.g., NAI Response to Public Comments Received on the 2008 NAI Principles Draft, December 16, 2008, at pp. 13-14 (“…consumers are accustomed to seeking information responsive to their privacy concerns at links labeled ‘privacy’ on the homepage of various websites, where those websites communicate policies, practices and choices…”).
2  See “Consumer Online Privacy Survey” (accessed May 17, 2009).
3  Christopher Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand About Privacy Online, Samuelson Law, Technology & Public Policy Clinic, University of California, Berkeley, School of Law, September 3, 2008.
4  For more information about the New York State Security Breach Law (N.Y. Gen. Bus. Law Section 899-aa).
5  The Great Debate: Ad strategy at root of Facebook privacy row, by Eric Auchard, last viewed 2-24-09. The popularity of these sites is exemplified by 1 billion in revenue for MySpace and 300 million for Facebook.
6  Reed Tucker, “Self-Incrimination in the Supermarket Checkout Line”, New York Magazine, March 6, 2006
7  Under California law (Civil Code Section 1749.60-1749.66) it is illegal to require a card applicant to submit a driver’s license number or Social Security number except when the applicant also desires to use the card as identification for check cashing or to debit a checking or savings account. New York law does not provide a similar prohibition against the store requiring this information on the application. However, New York does prohibit the store from requiring you to write your Social Security number on the check you want to cash.
8  Examples of card records being used in either a legal proceeding or a law enforcement investigation include: use of records of alcohol purchase in a divorce case by the card holder’s spouse and use of records of plastic bag purchase in a DEA drug investigation. Katherine Albrecht, Ed.M., “Supermarket Cards: The Tip of the Retail Surveillance Iceberg,” Denver University Law Review, Vol. 79, Issue 4, Summer 2002, pp. 537, 539.

Last Modified: May 02, 2011