April 2003 Policy Analysis by Don Chalfant

Since I use Yahoo! mail on a regular basis and have never read or bothered to open their privacy policy, I thought this would be an ideal time to learn something about it. By doing so, I can better understand and, in some cases, make some adjustments to the privacy available to me while I am within the Yahoo! domain. In this exercise, I will be reviewing most of the main privacy page; however, I will not be reviewing the policy relating to children at this time.

Summary of Policy

The Yahoo! privacy policy is broken up into eight sections: What This Privacy Policy Covers; Information Collection and Use; Information Sharing and Disclosure; Cookies; Your Ability to Edit and Delete Your Account Information and Preferences; Confidentiality and Security; Changes to this Privacy Policy; Questions and Suggestions. In a nutshell, this policy discloses how they collect information and from whom it is collected, what is done with the personal information that they collect in the course of doing business, the amount of control customers have regarding information collection and how to apply these controls, and what safeguards are in place to protect the information that they collect.

One of the more interesting parts of this policy concerns information collection practices, which are fairly regular and wide ranging. Yahoo! collects information directly during registration, from transactions with them and with their business partners, and indirectly through cookies and the recording of IP addresses. Although they do not share information with their business partners, they allow advertisers to collect information via advertising.

Criteria for Analyzing Policy
Analysis

Is the privacy policy easy to understand?

Yahoo! has created a privacy policy that is, for the most part, easy to understand. By breaking the policy into sections, they have made it much easier to follow as well as to find specific information that a concerned user may be looking for. For example, “cookies” are given a separate section heading, allowing users to be quickly informed on how they are implemented within the Yahoo! domain. Additionally, the fact that the main privacy page is not too long is both good and bad. Kept to a minimum, the main page is not too unwieldy and provides some valuable information upfront, making it easy to quickly browse for needed info. The downside is that there are numerous links to other pages that also have important information. Users might not take the time to search them, and unfortunately that is where most of the information used to change privacy settings is located. Whether users actually go as far as to follow these links and change privacy settings could be the subject of a wonderful master’s paper!

To what lengths does the policy go to ensure user privacy?

The policy does help to protect the privacy of users in several ways. First, having a policy that declares the information collection practices implemented on the various sites allows users to better understand what kind of privacy can be expected when using Yahoo!. Therefore, if users don’t want their personal information collected, say, beyond the registration for E-mail, they should not enter contests offered by Yahoo!. Additional protection is managed through third party certification. TRUSTe is a non-profit group that issues certificates of compliance to websites that meet specific privacy standards. While the certification is legally non-binding, websites that are in compliance can use certification as evidence that they offer a reasonable amount of privacy.
Under certain circumstances, TRUSTe will also work as an arbitrator to help settle privacy disputes between individuals and websites. These two examples show that Yahoo! does make attempts to protect the privacy of individual visitors to their websites.

Does the policy allow users to take action to protect personal privacy?

Yahoo! does make available certain procedures that users can follow to limit access to personal information. For example, they allow customers to opt out of “web beacons” (single pixel GIFs that allow counting the number of times visitors access certain pages) by following links to a page that removes this function. Furthermore, they provide a page with links to third party ad networks that advertise on Yahoo! but are not subject to the Yahoo! privacy policy. In providing these links, Yahoo! identifies companies that could possibly be gathering information on users via advertisements and facilitates the means by which users can eliminate outside threats to privacy. Finally, Yahoo! should be commended for providing a physical address and telephone number to users who wish to contact them outside of E-mail. This addition indicates to me that Yahoo! is committed to the issue of privacy.

Is the policy adequate and, if not, what loopholes exist?

I feel that, for the most part, the privacy policy offered by Yahoo! is reasonably straightforward. However, there is one vagary that should be addressed. The example is from the statement “We limit access to personal information about you to employees who we believe reasonably need that information to provide products or services to you or in order to do their jobs.” Essentially, I read this as, “we can and will give your information to anyone who works for us if we want to.” While this is not necessarily unusual, the statement does not explain how this personal information is delivered to an employee with a “reasonable need” or what happens to it after it has been distributed.
They do mention safeguards that comply with federal regulations; however, there is no link to a document that explains the federal regulations mentioned.

Recommendations

While the policy provided by Yahoo! offers a fair amount of privacy information and protection, here are a couple of suggestions that could be implemented to further this effort. First, a separate section on the main page for how info is captured and used by businesses not part of Yahoo! could provide additional information upfront concerning information gathering that occurs from inside the domain but is not regulated by it. As it stands now, the majority of this information is located on other pages and users must follow links to find it. Second, although Yahoo! claims it follows federal regulations regarding “physical, electronic and procedural safeguards,” there is no other information that identifies these regulations. A link to these federal regulations would provide additional assurance for users concerned with how their personal information is managed.