
This article is written by Somnath Iyer.

Prologue

With the arrival of the internet and the continuous improvement of technology, online platforms have become a genuine tool for the large-scale distribution of content. They have had a marvelous effect on society at large by allowing users to get news at their fingertips, shop online, connect and communicate with people located in different parts of the world and, most importantly, watch movies and TV shows online. However, as every coin has two sides, streaming over the internet also has its own disadvantages, chiefly “Privacy Concerns”.

Different Internet Platforms have different privacy policies in place. For the purpose of this article we are comparing the privacy policies for three different platforms viz. ‘Over the Top Platform, Social Media Platform and E-Commerce Platform’.


Firstly, let’s understand the basic meaning of OTT Platform and how it is different from the other platforms.

Over the Top (OTT) Platform refers to any type of video or streaming media that provides a viewer access to movies or TV shows by sending the media directly through the internet. Some of the most popular OTT providers include Netflix.

Social Media Platforms are those where users/customers directly connect and communicate with one another through websites and applications. The most popular Social Media Platform is Facebook.

E-Commerce Platforms are software applications which allow businesses to sell products and services online. They allow customers to buy products and services through online stores, e.g. Amazon.

Meaning of privacy policy

A Privacy Policy is a set of policies governing the information that an organization collects about an end user or customer, chiefly where it concerns private information. A privacy policy expresses all of the ways that a company accumulates, uses, and broadcasts user data.

The types of data that are usually collected by such platforms are: Personal details like name, birthday, gender, country, email address, telephone number, credit card, profile photo; Device IDs: model, OS, unique device identifiers, mobile network, phone number; Log info: search queries, call metadata (Google Voice), IP address, device event info, Google account cookies; Location: IP address, GPS location, and device sensors; Unique application numbers (used when installing, uninstalling, and updating Google apps); Local storage: browser web storage and application data caches; Cookies: used in Google Analytics and advertising services; search queries, Google Maps activity, websites visited, videos watched (YouTube), ads clicked; User-created content: Gmail emails and contacts, calendar events, uploaded photos and videos, all Drive content, User Advertisements, Contact List.


Privacy policies of companies

Netflix

Netflix allows people to create accounts without confirming their identity and date of birth. It accepts prepaid debit cards as payment, and people can set up a Netflix account using a pseudonymous identity.

The types of data assembled by Netflix are user names, email addresses, address or postal code, payment method and telephone number; user content reviews, ratings, taste preferences and account settings; user activity such as title selections, watch history, search queries and customer service interactions; device info like unique identifiers, type, configuration, connection info, IP address, referral URL and browser; cookies; and info from third parties: interest-based data and internet browsing behavior.

Additionally, it also stores most-watched categories, the total number of hours spent watching, number of minutes spent watching each Netflix item (flix), the title, episode, description, and sort of content watched, date last viewed, completed and unfinished items, whether the user is the Netflix account owner, and whether the flix was watched on a mobile device or any other device.

Netflix collects information on user’s web history, cookies, advertising information, and Web beacons. The information so collected is used to display ads to users. 

Such data is predominantly used for receiving regular newsletters, for sending push notifications to desktop and mobile devices and for enhancing customer experience.

Netflix further uses data to protect itself and customers and for compliance with the law. Such information is also shared with third parties for data processing, customer support, making improvements, and for offering joint promotions.

  1. Browser and IP Information; Cookies

Every time you visit NetflixGuides.com, we may indirectly gather some data regarding the type of browser you use, as well as Internet Protocol address (“IP”) and store such data through the use of so-called “cookies.” Cookies are pieces of data stored on a computer, and they are tied to the virtual information about the user. The kind of information collected includes URL addresses (the URL you came from and the URL you are accessing next), as well as IP address and browser information. Cookies enable us to confirm whether or not a user is online, to offer easier browsing and increase the quality of the website. We never use cookies to gather or store information that could be employed to identify you personally, such as email addresses. If you are worried about security issues, you can set your browser’s options to reject or accept all cookies, or even to notify you when a cookie is set.

A copy of the user’s personal information that Netflix collects can be obtained by emailing [email protected].

Facebook

Facebook’s Privacy Policy is very clearly drafted and provides very wide scope making it efficient. Facebook not only collects information on users based on their own information and activities, but also collects information on a user from that user’s friends. 

Networks and Connections: We collect information about the people, pages, accounts, hash tags and groups that you are connected to and how you interact with them across our Products, such as people you communicate with the most or groups that you are part of. We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history), which we use for things such as helping you and others find people you may know and for the other purposes listed below. 

“…partners provide information about your activities off Facebook– including information about your device, websites you visit, purchases you make, the ads you see, and how you use their services– whether or not you have a Facebook account or are logged into Facebook.” 

Facebook accumulates data such as information the user provides through their profile, including photos, posts created or shared, messages sent on Messenger and duration of activity; information that other users and online friends provide; payment and billing information, including authorization; and device information like IMEI number, operating system, battery, Bluetooth signals, information about nearby Wi-Fi access points, phone number etc.

Such data is used by Facebook to personalize content on a user account, updating news feeds, checking nearby events using user location. 

Cookies are used to track user activities on third-party sites and advertisements, thereby accumulating user preferences, providing personalized content and better understanding user behavior.

Authentication: We use cookies to verify your account and determine when you’re logged in so we can make it easier for you to access the Facebook Products and show you the appropriate experience and features.

Data stored in such fashion is importantly used for combating harmful content and reducing spam and other such bad experiences, in so doing promoting safety and security.

Further, at the behest of any legal requirement from the Government of any country other than the United States, Facebook reserves the right to pass on such personal information as required in good faith.

The intention of a privacy policy is that the controller agrees to keep user data confidential. Facebook states that the user grants Facebook “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content” that is uploaded. The company also reserves the right to transfer users’ information between their other services such as Facebook Payments, Instagram, and WhatsApp in accordance with their respective terms. Thus a situation arises where users become so entangled and dependent on said company, that they can perhaps be considered as “locked-in”.

Amazon

According to the Amazon Privacy Notice, it collects the data of users who visit Amazon.com. The data so collected are “any information entered on the web site or provided in any other way”, user name, user address, user phone numbers, user credit card information, “people to whom purchases have been shipped, including addresses and phone number”, “e-mail addresses of users’ friends and other people”, “personal description and photograph in user profile”, “financial information, including Social Security and driver’s license numbers”, IP address, user login, user email address, user Amazon password, user “computer and connection information such as browser type, version, operating system, and platform”, user “purchase history”, “the full URL”, and information about user location and user mobile device. Further, Amazon also stores the user’s credit history, user address, user search and search result information.

Amazon collects information about people using Amazon.com, and all other subsidiaries that Amazon controls such as audible.com, goodreads, Alexa.

The company’s privacy page provides a few examples of companies that may end up with Amazon’s user data via their joint offerings like “Starbucks, OfficeMax, Verizon Wireless, Sprint, T-Mobile, AT&T etc”.

Amazon’s privacy policy states that, 

“some third-parties may provide us information about you (such as the sites where you have been shown ads or demographic information) from offline and online sources that we may use to provide you more relevant and useful advertising.” 

Amazon’s smart home devices, including Alexa, are just another communication point for Amazon to collect information about the people who use these products.

Comparison of privacy policies

Netflix’s Policy on May 11, 2018

Data Protection and Security: The Company only states that it implements “reasonable administrative, logical, physical and managerial measures” but does not specify what those are. Moreover, the company expressly states that “Unfortunately, no measures can be guaranteed to provide 100 % security. Accordingly, we cannot guarantee the security of your personal information.” Netflix also does not list the instruments used in international data transfers, but states that the data will be shared in accordance with the Privacy Statement and “as permitted by the applicable laws on data protection.”

Data Subject Rights: Data subject rights are limited owing to the nature of the services. Users can deactivate or delete their account and edit their information freely. But other GDPR rights can only be enforced by request.

Third Party Data Sharing: Data sharing on Netflix is primarily focused on enhancing viewer suggestions and features along with advertising.

Data subject access and interface: Netflix follows a request based model of user access. Personal data submitted to the website can be viewed and managed by the Account Settings. But the settings only allow users to review their submitted information and recent streaming activity.

Facebook’s Policy as on April 19, 2018

Data Protection and Security: Data protection standards are unlisted in FB’s Data Policy. The website’s additional sources mention that messaging services are protected with end-to-end encryption. The website uses “secure browsing” (HTTPS) and also offers users privacy and security checkups through their controls. Users can also implement 2-step authentication for logins.

Data Subject Rights: All rights have been provided in the Settings except the Right to Objection and explanation to automated processing.

Third Party Data Sharing: The Platform lets users restrict and view advertisers who receive data for marketing purposes. Additionally, FB Ad Controls explains the process of advertising on the website.  

Data subject access and interface: User control model that customizes privacy interests of the user and publicity of the information. User settings, Privacy Shortcuts, Privacy “checkups” and the Activities Logs are the modalities data subject use to control privacy. Users have full access to the data created by them but not to their advertiser profile, which is maintained by the company.

Amazon’s Policy on August 29, 2017

Data Protection and Security: Amazon implements security during transmission by using Secure Socket Layer (SSL) software, which encrypts information inputted. Credit Card digits are anonymized on screen (barring the last four numbers) but transmitted in full to the payment processor. Amazon follows the EU-US and Swiss-US Privacy Shield for international data transfers.

Data Subject Rights: Users can manage, delete, and alter data in their profile but assurances of erasure or an opportunity to object have not been given by the website.

Third Party Data Sharing: Unlike other policies, Amazon states that it only shares data with authorized subsidiaries which follow the Privacy Notice. The Privacy Statement lists the circumstances of data sharing with the subsidiaries but does not go into further details. Direct Marketing is controlled by a user’s Advertising Preferences.

Analysis

The General Data Protection Regulation includes a clause requiring privacy policies to be delivered in a “concise, transparent and intelligible form, using clear and plain language”. It further lays out clear rules on collecting, storing, sharing and using personal data, placing the burden of responsibility on businesses.

Amazon’s policy implies that it receives information only about existing Amazon users, but the wording is unclear. Facebook may have knowledge about the user’s web activity and purchases even if the user has never created a Facebook account before.

Amazon and Facebook have very similar privacy policies and definitions of information. The Privacy Notice of Netflix advises that personal information may be processed for “other purposes described in the Use of Information section of this Privacy Statement”, but such purposes are not expressly defined in the statement.

In their privacy policies all the companies were found to advise that they may use an individual’s personal data with their consent. Amazon’s policy is vague and ambiguous, as it advises that it “may also ask for your consent to process your personal information for a specific purpose that we communicate to you,” but does not set out anywhere what purposes it relies on consent for. Amazon does set cookies for advertising purposes that require consent under EU law; however, it does not refer to this in its cookie notice (https://www.amazon.co.uk/gp/help/customer/display.html/?nodeId=201890250).

Such an act of obtaining vague consent is in contravention of the laws of the European Union. Further, Amazon does not explain the specific purpose for which personal data is used and on what legal basis under the GDPR. This may prevent individuals from making decisions about the use of their personal data and understanding the implications of such use.

Vis-à-vis third-party tracking, Netflix divulges information for “certain purposes and to third parties,” but it is again vague as to what third parties and what sort of personal data is involved. In addition, Netflix does not in any way guarantee the security of the information so provided. In likeness, Amazon advises individuals that:

“If you do not want us to use personal information that we gather to allow third parties to personalize advertisements we display to you, please adjust your Advertising Preferences” (https://www.amazon.com/gp/help/customer/display.html?ie=UTF8&nodeId=468496&ref_=footer_privacy).

Yet, Amazon does not classify what personal information is used or what third parties are involved. 

With respect to the user’s right to access personal data, Amazon only refers to a small section, “What choices do I have”. The said section does not contain any reference to the right to obtain such information. However, it does provide a section named “Help and Customer Service” wherein the user requests data via email. Netflix places an obligation on the user to submit government-issued proof of identity in order to access all data of such users but does not specify what it considers an “official government-issued ID document” to be.

Similarly, Facebook reserves the right to use information however it sees fit, as long as it is “in connection with the services and features”. What the services and features are is not clearly defined and explained, making it extremely vague.

Epilogue

None of the companies mentioned supra makes it easy to understand what data is used for what specific purposes. Their privacy policies and associated policies on cookies or interest-based ads are difficult to interpret and understand. They are vague in some important places and do not spell out accurately what personal data is used and for what purpose, making them complex to comprehend. The rights and choices of individuals were found to be vaguely communicated making them painful to understand. 

Transparency is a foundation and an essential requirement of data protection law and crucial to help users understand how their information will be used to their benefit and also the risks and safeguards associated with them.

The bottom line is that online companies are extracting too much data from their users. As technology becomes increasingly complicated, it is imperative to know how to safeguard one’s data and at the same time understand how much companies know about the end user. The user must read the privacy policies of each platform before sharing personal information.

Furthermore, such internet platforms should review their privacy, cookie and advertising notices and be clear in their use of terms such as interest-based advertising, and make the information about the data involved, choices and rights easily and clearly available.

