Privacy Policy Performances: The Good, The Bad & The Ugly

4 January, 2023

Written by Luke Patterson

Often, looking at the privacy policy of a company’s website to confirm I’m happy with their data collection practices makes my head hurt. I can almost never quickly pick out the relevant pieces of information I’m looking for, and usually don’t have the time to sift through reels of information that seem written for a privacy lawyer as opposed to an everyday user.

The General Data Protection Regulation (GDPR) in the EU has helped. Our research has registered a steady shift in the quantity and quality of the content of privacy policies across every industry, as well as an increase in the number of data-minimisation cookie policy pop-ups. These pop-ups either allow users to easily reject all cookies or have all non-necessary cookies switched off by default. We’ve also noticed an increase in the number of companies implementing privacy-by-design measures such as data anonymisation and encryption. Strengthening data privacy was marked as the first priority of digital regulation, and it shows, with privacy representing the best-performing aspect of the EthicsGrade model for nearly all companies we cover.

However, one thing most companies still fail to get right is making the privacy information they share as user-friendly as possible. Privacy policies must be designed to feel as though they’ve been written for the user, not a courtroom. Unfortunately, many privacy policies are relegated to the dusty underside of a company’s website, linked in size 6 font; once you click, you’re transported to a black and white page of intimidating chunks of opaquely written paragraphs, only navigable by section titles. Substantive transparency over company data practices isn’t achieved solely by putting the right information on a website, but by making that information as universally accessible and communicable as possible.

On this, the 16th annual Data Protection Day, we at EthicsGrade want to celebrate by offering two examples of companies we analyse that are hitting the right notes with the quality of user experience of their privacy policy, and by shaming one company that needs to raise data privacy reporting to the top of its responsible governance to-do list. A drum roll, please…

Best: Google

The public and regulatory appetite for strong data privacy principles has been growing over the past decade. Google assumed the role of the primary antagonist in Shoshana Zuboff’s transformative ‘The Age of Surveillance Capitalism’ and were fined $391 million in November 2022 for unlawfully tracking users’ locations in the US. With regulatory pressure now boiling over, it should come as no surprise that Google has finally upped the quality of their privacy measures – including the accessibility of their privacy policy!

In an article featured in TIME, the Center for Plain Language rated the Google privacy policy as number 1 in terms of comprehensibility. Google has dedicated an entire webpage to laying out the details of their privacy measures and data collection practices, with an easily accessible glossary of terms, engaging video explanations attached to each section, and a privacy check-up feature which allows users to easily tailor their privacy settings according to their preferences. We understand that no privacy policy is ever going to be a page-turner, but Google’s policy is easy to find, a pleasure to navigate, and clear and comprehensible.

Click here for access to Google's full EthicsGrade report

Pretty Good: Match Group

Match Group is the cupid-like conglomerate behind Match.com, Tinder and Hinge, to name but a few of their biggest subsidiaries. It’s important I start by saying that, technically, their privacy policy isn’t amongst the two absolute best we’ve researched at EthicsGrade. For instance, Microsoft’s privacy policy is predictably outstanding and would tip Match Group for a top spot. However, what makes Match Group’s policy especially notable is that it marks the first time in our research that we’ve come across a company that is taking privacy stewardship seriously within the dating platform industry. Their subsidiaries’ privacy policies are average at best, as is Bumble’s, their main industry competitor.

This is important because the personal data that dating platforms collect is incredibly sensitive. They hold information about a user’s sexual preferences, gender identity, and race, and have access to any media a user shares on their messaging platforms. Thus, it is especially important that any user can be in total confidence that the data they share on a dating platform is sufficiently protected.

Match Group’s privacy policy sits front and centre of their website, headed under their ‘Trust & Safety’ tab. The language of the policy is clear and accessible, and they open their policy with details on the principles that guide their privacy measures. This makes the substandard quality of their individual platforms’ (Match.com, Tinder, Hinge etc.) privacy policies all the more confusing. We would like to see the principles guiding Match Group’s privacy measures spill over more obviously into the governance structures and reporting practices of their subsidiary platforms.

We have not published our first rating of Match Group yet. To access the performance of the dating platform industry from previous quarters, click here.

Worst: Zoom

Zoom’s privacy policy is difficult to find, onerous to navigate, and very boring and unclear to read. It has the feel of a policy that has been written purely to comply with minimum regulatory standards, rather than to substantively and transparently report on privacy measures that could instil confidence in the privacy and security of personal data amongst Zoom users.

Given the explosion of video conferencing platforms during and since the pandemic, and the sensitivity of the personal data Zoom collects about a user’s job title, home address, and email address, we would expect Zoom to have improved their privacy messaging in a similar way to companies such as Google.

Zoom needs to conduct a thorough review of its privacy messaging so users are properly able to assess and exercise control over the ways the company collects and secures their personal information. We’d recommend that Zoom starts by dedicating time and resources to improving the user experience of their privacy policy, with a particular focus on improved comprehensibility. Further, we’d recommend developing a tool for users to easily alter their privacy settings according to their preferences.

We are finally beginning to see a gold standard of privacy reporting emerging from companies such as Google and Microsoft, who have historically been at the centre of criticism surrounding data privacy. As the governance structures that have properly integrated respect for privacy into their digital ethics frameworks mature, it will become increasingly difficult for stragglers, such as Zoom, to justify half-baked measures designed to toe the regulatory line. The rising prominence of ESG means that companies who proactively weave digital responsibility into their business practices are gaining competitive advantages over those neglecting digital risk considerations. A poor privacy policy is a good indicator of a poor overall digital governance strategy. Thus, to begin demonstrating a commitment to corporate digital responsibility, a good place for Zoom to start would be their privacy policy.

Click here for access to Zoom’s full EthicsGrade report.