Hi, I'm the Privacy Watchdog! My job is to see through the vague language in privacy policies and tell you exactly what data companies collect, who they share it with, and what rights you actually have. Most privacy policies are designed to be unreadable. I translate them into simple scores so you can make informed decisions before giving away your personal information.
Overview
The Privacy Fairness Index is a 0-100 scoring system designed to help you understand how protective (or invasive) a company's privacy practices are. Higher scores indicate more privacy-respecting policies with strong user rights.
Our Hybrid Evaluation Approach
Privacy Watchdog uses a hybrid methodology that evaluates privacy policies on two dimensions:
- Legal Compliance β Does the policy meet requirements under applicable US laws (CCPA, HIPAA, COPPA, GINA, etc.) and international standards (GDPR)?
- Consumer-Friendliness β Beyond legal minimums, how well does the policy actually protect user interests? We use GDPR principles as a "gold standard" benchmark.
Each review provides both a compliance assessment (which laws apply and whether requirements are met) and a Privacy Score (0-100) measuring overall consumer protection.
Data Sensitivity Tiers
Not all personal data carries the same risk. We apply stricter scoring thresholds for services handling high-sensitivity data:
Tier 1: Highest Sensitivity
Stricter standards apply. Same practices that earn a "C" in lower tiers may earn a "D" or "F" here.
- Genetic/DNA Data β Immutable, identifies relatives, insurance implications (GINA applies)
- Biometric Data β Fingerprints, face geometry, voiceprints (BIPA applies in IL)
- Health/Medical Data β Diagnoses, prescriptions, mental health (HIPAA may apply)
- Children's Data β Under 13 (COPPA applies), under 16 (GDPR special category)
Tier 2: High Sensitivity
Elevated standards. Data that can cause significant harm if misused.
- Financial Data β Bank accounts, income, credit scores (GLBA may apply)
- Location Data β Precise GPS, movement patterns, home address
- Sexual Orientation/Dating β Relationship status, preferences, matches
- Communications Content β Messages, emails, call recordings
Tier 3: Moderate Sensitivity
Standard evaluation. Personal data that warrants protection but poses lower inherent risk.
- Contact Information β Email, phone, address
- Purchase History β Transaction records, browsing behavior
- Device/Technical Data β IP addresses, device IDs, cookies
- Preferences/Interests β Content preferences, survey responses
Legal Framework & Standards
Privacy Watchdog reviews evaluate policies against established legal frameworks and industry standards. Here are the key laws and regulations we assess compliance with:
GDPR (General Data Protection Regulation)
The European Union's comprehensive data protection law, effective May 2018. Key requirements we evaluate:
- Lawful Basis (Art. 6) β Clear legal basis for processing (consent, contract, legitimate interest)
- Right to Access (Art. 15) β Ability to obtain copy of personal data
- Right to Erasure (Art. 17) β "Right to be forgotten" and data deletion
- Data Portability (Art. 20) β Ability to export data in machine-readable format
- Breach Notification (Art. 33-34) β 72-hour notification requirement
- Privacy by Design (Art. 25) β Data minimization and purpose limitation
- DPO Requirement (Art. 37-39) β Designated Data Protection Officer where required
CCPA/CPRA (California Consumer Privacy Act)
California's landmark privacy law (CCPA 2020, amended by CPRA 2023). Key requirements we evaluate:
- Right to Know (Β§1798.100) β Disclosure of data categories collected and purposes
- Right to Delete (Β§1798.105) β Consumer right to request deletion
- Right to Opt-Out (Β§1798.120) β "Do Not Sell My Personal Information" requirement
- Right to Correct (Β§1798.106, CPRA) β Ability to correct inaccurate information
- Sensitive Personal Information (CPRA) β Enhanced protections for sensitive data
- Non-Discrimination (Β§1798.125) β Cannot penalize consumers who exercise rights
- Financial Incentive Disclosure β Must disclose value of data in exchange for discounts
Sector-Specific Laws
For certain industries, additional regulations apply:
- HIPAA (Health Insurance Portability and Accountability Act) β Health data protections for covered entities and business associates
- GLBA (Gramm-Leach-Bliley Act) β Financial institution privacy requirements
- COPPA (Children's Online Privacy Protection Act) β Parental consent for data collection from children under 13
- FERPA (Family Educational Rights and Privacy Act) β Student education records
- GINA (Genetic Information Nondiscrimination Act) β Genetic information protections
- BIPA (Illinois Biometric Information Privacy Act) β Biometric data consent requirements
Other State & International Laws
We also note compliance with emerging privacy frameworks:
- Virginia VCDPA β Consumer Data Protection Act (effective 2023)
- Colorado CPA β Colorado Privacy Act (effective 2023)
- Connecticut CTDPA β Data Privacy Act (effective 2023)
- Utah UCPA β Consumer Privacy Act (effective 2023)
- Canada PIPEDA β Personal Information Protection and Electronic Documents Act
- UK Data Protection Act 2018 β Post-Brexit GDPR implementation
- Brazil LGPD β Lei Geral de Proteção de Dados
Citation & Source Requirements
To ensure accuracy and protect against defamation claims, every factual assertion in Privacy Watchdog reviews must meet these standards:
Citation Standards
- Verbatim Quotes: All claims about what a privacy policy says must include the exact quoted language in quotation marks
- Section References: Every quote must cite the specific section name/number (e.g., "Section 3: Information We Collect")
- Hyperlinks: Direct links to the source policy are provided where available, with anchor links to specific sections when possible
- Review Date: Each review states the date the policy was accessed (policies change over time)
- Version Tracking: Policy version or "Last Updated" date is noted when available
β οΈ Why This Matters
Unsupported negative claims about a company's practices could constitute defamation. By citing exact language with section references, we ensure our analysis is verifiable and defensible. If a company's policy changes, our review reflects what was stated at the time of review.
π Example of Proper Citation
"We may share your personal information with our advertising partners" β Section 4: How We Share Information, Accessed January 2026
What Each Review Contains
Every Privacy Watchdog review follows a standardized structure:
Review Components
- Policy Details Box β Source URL, date accessed, policy version/last updated date
- Legal Compliance Assessment
- CCPA Compliance: Yes / No / Partial / N/A (with specific findings)
- GDPR-Ready: Yes / No / Partial (even for US-only services, as a benchmark)
- Sector-Specific: HIPAA, GINA, COPPA, etc. where applicable
- Privacy Score (0-100) β Broken down by six categories with individual scores
- Key Findings β Each finding includes:
- Exact verbatim quote from the policy
- Section name/number where found
- Hyperlink to source (with anchor when possible)
- Our analysis of what it means for consumers
- Red Flags β Concerning practices, each supported by citations
- Positive Practices β Privacy-respecting features, also cited
- Analysis β Professional analysis and recommendations
Legal Disclaimers
β οΈ Important Disclaimers
- Not Legal Advice: These reviews are educational commentary, not legal advice. Consult an attorney for advice specific to your situation.
- Point-in-Time Analysis: Reviews reflect the privacy policy as of the stated access date. Companies may update policies at any time.
- Policy vs. Practice: We review what companies say in their policies, not necessarily what they do in practice. Actual data handling may differ.
- Subjective Elements: While we cite objective policy language, the scoring methodology involves professional judgment about consumer impact.
- No Endorsement: A high score does not constitute an endorsement. A low score is based on cited policy language, not defamatory opinion.
Our Commitment to Accuracy
Every negative claim in a Privacy Watchdog review is supported by:
- Direct quotation of the policy language in question
- Specific section reference enabling independent verification
- Link to the source document
If you believe any citation is inaccurate or a policy has been updated, please contact us with the specific concern and we will promptly review and update as appropriate.
Reviews are prepared using a standardized methodology that evaluates each privacy policy against the criteria below. Every score can be traced back to specific policy language with section citations.
🐕 Looking for Terms of Service Reviews?
Privacy policies and Terms of Service are different documents. See our ToS Watchdog Methodology →
How Privacy Policies Differ from Terms of Service
Key Differences
- Terms of Service (ToS) govern your relationship with the platform: what you can do, liability, disputes, and account control.
- Privacy Policies explain what personal data is collected, how it's used, who it's shared with, and your data rights.
- ToS protects the company's interests; privacy policies (ideally) disclose their data practices.
- A platform can have excellent ToS but terrible privacy practices, or vice versa. That's why we score them separately.
The Six Privacy Scoring Categories
I evaluate each privacy policy across six categories, weighted by their real-world impact on your personal data:
Data Collection Scope 25% weight
The most heavily weighted category because it determines how much of your personal information the company collects in the first place. Less collection means less risk of breaches, misuse, or unwanted profiling.
✅ What Earns High Scores (70-100)
- Collects only data necessary for core service
- No tracking across other websites/apps
- Optional data clearly labeled as optional
- No collection of sensitive data (health, finances) without explicit need
- Device/location data collection is opt-in
❌ What Earns Low Scores (0-40)
- Collects data "that may be useful in the future"
- Cross-site/cross-app tracking
- Collects sensitive data without clear justification
- Always-on location tracking
- Audio/video recording without clear consent
🚨 Common Gotcha: "To Improve Our Services"
Nearly every company claims they collect data "to improve our services" or "enhance your experience." This vague language can justify collecting almost anything. Watch for specific limits on what data and how it's used.
Third-Party Sharing 20% weight
Who gets access to your data beyond the company you signed up with? This category measures how freely your information flows to advertisers, data brokers, affiliates, and "partners."
✅ What Earns High Scores (70-100)
- Shares only with service providers (hosting, payment)
- No selling or renting of personal data
- Third parties are named or categories are specific
- Contractual limits on what third parties can do
- No ad-tech or data broker sharing
❌ What Earns Low Scores (0-40)
- Sells or "shares for valuable consideration"
- Shares with undefined "partners" or "affiliates"
- Shares with ad networks and data brokers
- No limits on third-party data use
- Data shared can be re-sold by third parties
🌟 Best Practice: Named Third Parties
Companies with strong privacy practices list exactly which third parties receive data (e.g., "Stripe for payments, AWS for hosting") rather than vague categories like "business partners."
Retention & Deletion 20% weight
How long does the company keep your data, and can you actually delete it? Indefinite retention means indefinite risk.
✅ What Earns High Scores (70-100)
- Specific retention periods stated (e.g., "2 years after account closure")
- Self-service deletion available
- Deletion request honored within 30 days
- Deletion includes backups (with stated timeline)
- Automatic purging of old data
❌ What Earns Low Scores (0-40)
- "We retain data as long as necessary"
- No deletion mechanism or "contact us to request"
- Deletion doesn't apply to backups or "aggregated data"
- Data retained "for legal purposes" without limit
- No automatic data purging
🚨 Common Gotcha: "Aggregated or Anonymized Data"
Many policies say they can keep "aggregated or anonymized" data forever. But research shows that "anonymized" data can often be re-identified. True anonymization is harder than companies claim.
User Control & Consent 15% weight
How much control do you have over your data? Can you opt out of data collection, change your preferences, and exercise your GDPR/CCPA rights?
✅ What Earns High Scores (70-100)
- Granular privacy controls in settings
- Opt-out of non-essential data collection
- CCPA/GDPR rights clearly explained
- Global Privacy Control (GPC) honored
- Changes to preferences take effect immediately
❌ What Earns Low Scores (0-40)
- All-or-nothing consent (accept everything or don't use)
- No privacy settings or buried deep in menus
- Opt-outs require contacting support
- Dark patterns to discourage opting out
- Rights only for certain jurisdictions
Security & Breach Notification 10% weight
How does the company protect your data, and what happens if there's a breach? While technical security is hard to verify from policies alone, breach notification commitments are clear indicators.
✅ What Earns High Scores (70-100)
- Encryption in transit and at rest mentioned
- Breach notification within 72 hours
- Details specific security measures
- Regular security audits mentioned
- Bug bounty or responsible disclosure program
❌ What Earns Low Scores (0-40)
- "We use industry-standard security" (vague)
- No breach notification commitment
- Breach notification "as required by law" only
- No specific security measures mentioned
- Disclaims liability for breaches entirely
Transparency & Access 10% weight
How clear is the privacy policy itself, and can you access a copy of your data? Transparency is the foundation of informed consent.
✅ What Earns High Scores (70-100)
- Policy written in plain language
- Clear table of contents or summary
- Self-service data export available
- Version history with change summaries
- Contact for privacy questions clearly listed
❌ What Earns Low Scores (0-40)
- Dense legal jargon throughout
- No summary or highlights
- Data access requires formal legal request
- Policy changes without notice
- No DPO or privacy contact listed
Grade Scale
Scores translate to letter grades for quick reference:
| Grade | Score Range | What It Means |
|---|---|---|
| A | 80-100 | Privacy-respecting. Minimal data collection, strong user rights, transparent practices. |
| B | 60-79 | Above average. Good practices with some areas for improvement. |
| C | 40-59 | Industry standard. Typical data practices, some concerns to note. |
| D | 20-39 | Below average. Extensive data collection, limited user rights, concerning sharing practices. |
| F | 0-19 | Privacy nightmare. Avoid if possible. Extensive collection, unrestricted sharing, no meaningful user rights. |
🐕 Compare with Terms of Service
Want to see how these same platforms treat your contractual rights? Visit ToS Watchdog →