Privacy Policy Database Overview and Tutorial

How the PPD was created
What the PPD is
What the PPD is not
How to use the PPD
How to interpret terms with multiple meanings


The Privacy Policy Database is organized around 13 industry sectors, including financial services, healthcare, telecommunications, Internet, tourism and education. Each industry has search capabilities based on privacy policy topics and consumer options.

How the PPD was created

P&AB experts have assembled privacy policies from both company websites and offline mailers. Privacy policies located online were converted into PDF form. Online policies located on more than one webpage were combined into a single PDF file. To provide users with a more accurate account of how consumers would be expected to read and navigate through a policy, the top-level table of contents for policies located on multiple webpages has been given live links. Offline policies have been scanned and placed into a single PDF file in a manner most closely resembling their true appearance.

Once the policies were assembled, the P&AB staff coded each policy based on a list of terms thought to be useful to PPD users. Two different types of terms were used for coding.

  • The first involves information stated in the privacy policy, such as company third party information sharing practices and the methods by which a consumer can opt-out of certain types of information sharing.
  • The second category of terms does not involve information stated in a policy. Instead, P&AB experts have included a list of unstated terms we believe our users will find useful. These include the industry (or industries) that a specific organization belongs to and the specific privacy-related laws that an organization is legally obligated to follow.

Some of these terms can have multiple meanings or be interpreted in a variety of ways. Furthermore, actual business practices do not always fit perfectly into a particular category. To ensure accuracy and consistency throughout the coding process, P&AB has created a detailed glossary of all the coded terms and the specific way each term was applied during the coding process.

What the PPD is

The Privacy Policy Database provides users with a way to see how other organizations are formulating and expressing their privacy policies. Each industry is distinct, and no "model" privacy policy can be all-encompassing or ideal for every company. The nature of the data collected, how it is used, and varying business-consumer relationships all require privacy policies to be case-specific. As such, the PPD was set up to provide users with the flexibility to search for policies that meet their organization's objectives. Users can benchmark their policies against those in the same industry, generate a list of policies bound by the same privacy-related federal regulations, or view a list of policies that explain a specific Internet term.

What the user can learn from the results is open-ended. For example, users can evaluate the scope of policies among industry peers, or see how organizations explain their use of cookies or other online tracking devices.

What the PPD is not

The Privacy Policy Database does not rank the attributes of a policy, such as readability or content. The policies do, however, provide users with a representative sample of privacy policies within a specific industry.

P&AB has coded each organization's privacy policy based on the policy's presentation and the specific privacy practices communicated by the organization. P&AB makes no promise that organizations will actually adhere to and comply with the privacy practices laid out in their policies. For example, if a company provides a toll-free number in its privacy policy for customers to opt out of third party information sharing, then "toll-free number" will be coded as a consumer response method. P&AB does not try to verify that such a consumer response method is actually available or how well it is administered.

Conversely, organizations might adhere to certain privacy practices but fail to explicitly state them in their privacy policy. For example, if Company A provides a toll-free number for customers to opt out of third party information sharing, but fails to note this in its policy, searching for companies that provide toll-free numbers will not yield Company A. Since privacy policies are a way for organizations to communicate with customers, P&AB has based its coding system only on the terms that are explicitly communicated in the policy.

How to use the PPD

POLICY SEARCH PAGE

By checking a term and hitting the search button, a user will generate a list of all policies that apply to that term. For example, checking "banking" and hitting the search button will generate a list of all bank privacy policies.

Checking multiple terms and hitting the search button will generate a list of policies that cover ALL of the selected terms. For example, checking "banking," "online," and "cookies" will generate a list of online bank privacy policies that discuss cookies. Online bank policies that do not discuss cookies will NOT be included in the search results.


  • To view a list of all companies with privacy policies in the database, simply leave all term boxes unchecked and hit the search button.

RESULT DISPLAY

Search results will be displayed on the Result Display page. Users will see a list of organizations with privacy policies that match the desired search criteria. Next to each organization will be a link to a detailed description of the organization's privacy policy.

RECORD DETAILS

This page will present the user with a profile of an organization. All of the terms that apply to the organization's privacy policy will be displayed. Additionally, the Record Details page will allow users to view a copy of the organization's privacy policy.


How to interpret terms with multiple meanings

Industry-specific meaning

While most of the searchable terms have the same meaning throughout all of the policies in the database, the meaning of a select few depends on the particular industry in which the policy falls.

  • SHARING INFORMATION WITH AFFILIATES AND/OR THIRD PARTIES: While organizations that fall into particular industries have control over certain aspects of their customer information sharing practices, there are various legal requirements that permit or require various types of information sharing. The coding for the policies in this database is therefore based on information sharing practices beyond those required by law. For example, health-related organizations bound by the Health Insurance Portability and Accountability Act (HIPAA) have a host of third parties with whom they are permitted to share information in order to carry out standard healthcare operations (healthcare providers sharing patient information with health insurance organizations for payment purposes) or with whom they are obligated to share information (Department of Health and Human Services). Therefore, health-related organizations coded as opt-in under "shares with third parties" will not share patient information with third parties - other than those stipulated by HIPAA - unless the patient provides prior consent.
  • DIRECTORY LISTING: While the term "Directory Listing" is self-explanatory in Communications and most other industries, the term has a special meaning in the educational context. Under FERPA, the Family Educational Rights and Privacy Act, directory listing includes a compilation of general student information such as name, telephone number, address, university-issued email address, college and degree received. Therefore, opt-in and opt-out coding under "Directory Listing" refers to the designated student record information for policies falling under the Education category.

A word about COPPA

The Children's Online Privacy Protection Act (COPPA) mandates specific privacy provisions for companies or groups that either operate commercial Web sites or online services directed at children under 13, or that knowingly collect personal information from children. While all online companies have to be in compliance with COPPA, P&AB has decided, for the purposes of this database, to designate as bound by COPPA only those companies that are currently geared toward children or knowingly collect personal information from children. When COPPA is selected as a search criterion under "Legal Requirements," only companies believed to fall under the "geared toward children" and "knowingly collect information from children" categories will appear on the Results Display page. It is important to note that any organization with an online presence must comply with COPPA if its online information collection and use practices should change.

The Federal Trade Commission has jurisdiction over COPPA enforcement, and the law is written in a way that gives the FTC discretion to determine whether or not an organization is making an effort to ensure that children's information is not improperly gathered or used. The open-endedness of the law has caused many organizations to address the issue even when no products or services are directed toward children. Organizations that fall under this category have been coded for Addressing "Child Users," which is located under "Other Criteria."
