They Think Privacy Policies are a Game. Is it Time You Learned How to Play It?

Bad Privacy Blog by Claudiu Popa
4 min readApr 25, 2023

Consent grab is easier to spot than people think. Let’s learn by example.

Data grifters have learned to swindle their audiences out of mountains of data by hiding in plain sight and using verbose, often contradictory statements in their “privacy policies”. Their hope is to confuse, disarm and hopefully exhaust their reader… and it works most of the time, doesn’t it?

The problem is, that reader is often you or me… and I don’t know about you, but where I come from, there are penalties when a company lies and takes my stuff. Whether you skim policies (as you should) or diligently read them (you might need to detox afterwards), here are the Claudiu’s Top 5 hints that someone is trying to pull the wool over your eyes:

  1. Monetization? They claim they won’t sell your data, but they just might sell the whole company along with your data.

This so-called privacy promise isn’t worth the recycled electrons used to display it.

All quotes originate on their respective sites. I prefer not to provide them with backlinks, but appreciate the opportunity to use them as examples, as referred by Google.

2. Sharing? They will absolutely not share your data, except with the faceless people they choose to arbitrarily share it with.

…From the Department of Worthless Statements…
Really? Perhaps listing the parties you *do not* share my data with might save some time.

3. Control? You have full control over your data, just don’t test that statement, because you’ll be disappointed.

Wait! You’re NOT a California resident? So sorry, there’s nothing you can do to remove your data from our custody.
Yup. We hold data on your kids. Nope, we won’t delete it even if you ask nicely. Go kick sand and maybe read some other privacy policy instead, just to pass the time.

4. Surveillance? There are tracking cookies and third-party analytics you can totally control… as long as you don’t expect to turn them off, because — you know — things might not work as expected if you do. And that would be a pity.

Never mind that. Did you know that cookies are small? Well, now you know.

See? They’re tiny!
I mean.. who in their right mind *wouldn’t* want to be tracked across the interwebs? Don’t you want people to know where you are? I mean for your safety, of course!

5. Security? Your data is perfectly secure in their custody, but no system is secure so your data is as secure as a non-secure system. What’s not to like?

There you have it. Any questions?

Just a reminder that we really can’t secure your data, but if we believe it hard enough…

Ahh.. the power of belief! Particularly as it applies to children’s health information, it’s important not to spend too much on security. Just aim for that sweet spot.

Feeling a bit lightheaded? That’s just the cognitive dissonance kicking in.

Don’t worry, the feeling will pass just as soon as you report them to the Privacy Commissioner. Don’t worry, you’re not being a pest. It helps other people to protect their rights and it prompts companies to improve their privacy compliance with help from their friendly Privacy Commissioners.

If you do nothing else today, go ahead and take a load off by reporting your kids’ school’s edtech company, your bank, your telco or just about any website whose practices you’re dissatisfied with after making fair and good faith efforts to get satisfactory answers from their Privacy Officer (a responsible contact should always be readily listed at the bottom of every privacy notice).

Naturally, Canada’s Privacy Commissioner is not always the appropriate institution to contact. Use this handy downloadable guide on filing complaints with other agencies and…enjoy the process. It’s designed specifically to help you and your family get answers from the organizations that want to borrow and use your information.

End note: if you landed here because I may have quoted your site’s privacy policy and you would like me to remove it to prevent further embarrassment, all you need to do is ask. I’ll happily obscure your name, or remove your quote altogether. Failure to ask implies consent. Natch!

Claudiu Popa is a certified privacy professional with a particular set of skills. Skills that he uses to make presentations on data protection around the world, partner with Privacy Commissioners to publish books such as the Canadian Privacy and Data Security Toolkit, contribute to the profession with privacy frameworks on privacy engineering and privacy by design, and generally help organizations to fine-tune their privacy posture as the president of Canada’s most fascinating personal information protection compliance company: Managed Privacy Canada.

Why not reach out and say hello on LinkedIN, Facebook or Instagram?


  1. What does it actually mean when a company says “we do not sell your data”? The Markup, September 2021



Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.