terms and conditionsWith the European Union’s General Data Protection Regulation (GDPR) requiring many companies to be more transparent about their terms and conditions and data use, the past two months brought a deluge of announcements regarding changes to the policies of many popular services. While these changes present a rare and excellent opportunity for users to reacquaint themselves with the terms and conditions of the services that they use, many of these documents haven’t gotten any easier to read. That’s why we took the time to survey the terms and conditions for over a dozen popular websites and services, and share what we’ve learned.

This post is designed to provide an in-depth breakdown of the structure reflected in the many terms and conditions we read. As an aside, you might know the terms and conditions documents by other names: user license agreements, terms of service agreements, ToS documents, terms of use or just user agreements — we’ll be using some of these terms interchangeably through the post. Prefer a basic breakdown? Click here to see the important points about terms of service.

The anatomy of user policies

As we read through various terms of service documents, in general, we noticed that their contents could be grouped into a handful of categories:

  • Privacy Policies. Technically, privacy policies are documents that are almost always separate from a service’s terms and conditions. These policies cover the rules governing a company’s data storage and data processing practices.
  • Rules and Responsibilities. These are clauses in a ToS denoting the standards of behavior expected of users and the conditions under which companies will provide their services to users. They also may contain provisions establishing the obligations companies have to their users.
  • Legal terms. Some ToS documents may outline specific words used within the text and define these within the document.
  • Gotchas. We don’t really have a name for these, but these terms are so important that they need to be called out individually, rather than within the section that they belong to.

It’s important to note that these aren’t formal names, nor do all of these exist in every ToS document. Generally, though, text within the user agreements we read ultimately seemed to fall into one of these categories. This was true even for agreements that had a structure which differed from other terms and conditions agreements we read.

We also observed that there are other aspects of a user agreement which didn’t quite fall into their own unique category but are extremely important to note. These “gotchas,” as we’ve called them, include arbitration clauses, clauses about retroactive changes to policies and lines discussing legal jurisdictions, as well as lines referencing other documents (like a cookie policy distinct from a privacy policy or terms of service) or referencing parent company policies that are distinct from service-level policies. In the case of the last point, what we noticed is that parent companies (e.g., Amazon, Apple) can have user agreements distinct from those of any services under their umbrella (e.g., Kindle, iTunes). This means that consumers must read a multitude of documents — from multiple privacy policies to both parent- and service-level ToS documents – in order to truly understand all of their rights.

Reading a privacy policy

As we mentioned above, a privacy policy is a document that is usually distinct from a company’s or service’s ToS. Nonetheless, it’s probably the most important document you can read, especially for online services that collect your data. When reading a privacy policy, you should keep the following questions in mind:

  • What information is collected from me?
  • How is that information used?
  • What parties will have access to my information, and is that subject to change at the whims of the developer? (For example, what happens to your data if the developer is purchased by another company or goes out of business?)
  • What control do I have over my data and do I have rights that protect me from abuse of that data?

After the GDPR, a few companies – notably Facebook – revamped their privacy policies to be more readable, but these documents are still very long. Sometimes, searching for keywords like “require,” “store,” “share,” “process,” “collect,” “control” and “party” can help you answer the questions listed above. If you’re curious about the practices and controls around specific types of data or metadata, you can try searching for it as well, using search terms like “IP address” or “contacts” to find out if they are called out in the document. This is a non-exhaustive list, so be creative with the terms you use when searching within a privacy policy to ensure you find all the information that is pertinent to you.

Identifying rules and responsibilities in a ToS document

While privacy policies are important, when it comes to protecting your rights, the terms and conditions are also worth reading. Terms of service documents and user agreements usually detail the conditions under which a company will provide services to you, as well as the obligations a particular company has to its users. Understanding a ToS will help you understand what you can do if you experience grievances as a customer.

To identify any clauses spelling out expectations for user behavior, you should search for sentences beginning with phrases like “You may” or “You must” as these will generally define what you can and cannot do as a user with the risk of penalties for breaking any listed terms. Other phrases worth noting are those beginning with “You understand ” or “You acknowledge,” as these often state what conditions you agree to by using the service.

Because every terms of service uses different language, there’s no guarantee that these exact phrases will appear in the document, so, as is the case with privacy policies, be creative if you don’t find these keywords. Similar words like “accept,” “agree,” or “authorize” might appear instead. Phrases that start with “the right” might also dictate rights that the company has, as well as those granted to users. Companies might disclose their obligations and responsibilities to you, as well as what they’re permitted to do by using language like: “[Company] can,” “We may,” “We will,” “[Company] will,” as well as “reserve,” “reserves,” “discretion,” “sole discretion,” “at any time” and similar words and phrases.

Finding special terms and translating legal language

Legalese can be hard to read, but luckily a number of companies provide a translator. Some ToS documents might have a section devoted to defining specific terms used in the text, like a lexicon of sorts. However, even if a document doesn’t contain a formal section dedicated to defining terms, sometimes you can find special terms by searching for an individual double quotation mark (“).

Things that might be hidden in “the fine print”

When it comes to the gotchas buried in the legalese of terms of service documents, you’ll want to look out for the terms we highlighted above. Below, we go over each in more detail:

  • Arbitration clauses. If you have a genuine grievance, then these clauses can be an absolute hindrance when seeking relief, as they might prevent you from taking legal action. You can learn more about these types of clauses here.
  • Retroactive changes. Some companies state that continued use of a service after changes are introduced to a user agreement means that users agree to these changes. While many companies might have policies like these in place, a growing number of companies are beginning to give consumers time to either comply or leave a service after changes are made to agreements. Some of the keywords we mentioned above, like “discretion,” “sole discretion” or “at any time,” can help you sniff out clauses about retroactive changes.
  • Jurisdiction clauses. The jurisdictions under which companies reside might be worth considering, as legal requests made of the company might have to comply with local laws. Jurisdiction clauses may also specify which laws and courts might be favored in a legal dispute, assuming you have a grievance that you take to court. Searching for the word “jurisdiction” should be enough to find these clauses.

Important Points to Remember

  • Companies often provide several documents that serve as contracts with users. The two most important are the privacy policy and the terms of service.
  • Large companies, like Google, Apple and Amazon, might have terms of services for both the parent entity and the services under their brands – such as YouTube, iTunes and Kindle, respectively.
  • Privacy policies generally detail what information is collected from you as a user, who has access to that information, when that information is disclosed or shared, how it’s used and how you can control it.
  • Keywords like “require,” “store,” “share,” “process,” “collect,” “control” and “party” can help you search a privacy (or data) policy. If you’re curious about how a company handles specific pieces of metadata, search a privacy policy for the relevant term. For example, if you’re using a VPN, you might specifically choose to search for the term “IP Address” to determine what the service does with that type of metadata.
  • User agreements contain many types of clauses, some of which detail the rules for using the service and the responsibilities the company has to you a user.
  • Within a user agreement or terms of service document, you can search for terms establishing acceptable user behavior, as well as the conditions you agree to as a user with the following keywords: “You may ,” “You must ,” “You understand ,” or “You acknowledge .” Related clauses might include words like “accept,” “agree” or “authorize.”
  • Within a terms of service document, you can search for clauses establishing the company’s obligation to users with the following keywords: “[Company] can ,” “We may ,” “[Company] will ” and “the right,” as well as “reserve,” “reserves,” “discretion,” “sole discretion,” “at any time” and similar words and phrases.
  • Searching for an individual quotation mark can help you find important terms or a lexicon of special terms which are used throughout the document and have a meaning specific to its context within the text.
  • “Gotcha” clauses might include things like arbitration clauses, retroactive clauses and jurisdiction clauses. You can search for these by looking for terms like: “arbitration,” “discretion,” “sole discretion,” “at any time” and “jurisdiction.”

To keep reading in-depth articles on privacy and security issues, follow our privacy blog.