Meta Stack Exchange: Updates to Privacy Policy (September 2021)
[+149] [18] Philippe
[2021-09-24 19:13:26]
[ discussion privacy policy announcements ]
[ https://meta.stackexchange.com/questions/370216/updates-to-privacy-policy-september-2021 ]

As you know, periodically we update our privacy policy. Today is one of those days: we've made a few changes to the privacy policy. The policy covers how we collect and use data on the entire network, including Stack Overflow for Teams and the public Q&A site.

Changes include:

The Privacy Policy [1] can be found in the footer of every page on the network, and - for visibility - we are using the site banner to direct users to this question.

(41) Thank you @pxeger. That's a horrific diff! Some things have jumped over 100 lines in the text - ben is uǝq backwards
(118) "we've made a few changes"..?!? Is there even a line in there, that's not been changed? - Unconsidered
(94) What is the justification for scraping ...contact list, and the profile pictures of your contacts... from linked social media? - grahamj42
(14) @grahamj42 they just state that We collect and process your personal information in order to offer the Network, and to offer you our Products and Services. That means, well, whatever they want to do as part of their work. Heh. - Alfabravo
(6) @TylerH there used to be 3 notices for 3 services (one each), there is now 1 notice covering all 3 services. - Mast
(82) "Changes include: The privacy notice was completely redrafted and updated..." This is an absurd and meaningless high-level takeaway. Yes, the changes include it was changed, but it's even worse than the simple tautology: the complete redrafting makes it extraordinarily difficult to determine the meaningful impacts. What are those meaningful impacts on users? - mbauman
(1) @grahamj42: the collection of contact information from linked social media accounts is not new. - mbauman
(2) Updates and Privacy Policy Overall gets an A-. (which is good) The - is for unnecessary verbosity ( 8411 words, 53634 characters ). Much of the excess verbiage comes in restating how users may use the network. But, the policy and updates are refreshingly clear and fair from an unpaid user account standpoint. (there is a bit of vagueness in the "How we may use ..." section, a large part of which can't be avoided) Kudos. - David C. Rankin
(3) Can I decline these changes? If so, how? - Andrew Grimm
(8) "The privacy notice was completely redrafted and updated <strike>to ensure it remains accurate, up to date, and effective</strike>." Oh for crimminy's sake. If you're not going to say anything useful, don't say anything at all. This might mean something to the editor. It means nothing to me. - ruffin
(5) I don't appreciate a popup saying that you changed my privacy. Where's the succinct, clear, elevator-pitch run-down of what you've done to my privacy? What differences in gathered data? What differences in how you use the data you gather? Why? Etc. - Drew
(11) I get that since the takeover a marketing ramp up was inevitable but this is worded rather loosely. HOW WE USE YOUR PERSONAL DATA... Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. - akaBase
(3) Are "updates to Privacy Policy" accompanied with "rationale for updates to Privacy Policy"? - pmor
(4) Quick note - I've cleaned up the comments. If there's anything to say it should be on the topic of the privacy policy. It's also worth considering an answer if you have something substantial to say. - Journeyman Geek
@pxeger Thanks for the diff, but I’m wondering why it doesn’t highlight and technologists, which was added to line 9? Might more things be missed by the diff? - ᴠɪɴᴄᴇɴᴛ
(1) @ᴠɪɴᴄᴇɴᴛ it does highlight it, although the diff program thinks that line was removed entirely and replaced by a very similar one, rather than detecting that only "add technologists" was added - pxeger
(1) This is not a question - Michał Šrajer
(8) That is correct. However, there is a tradition that allows for some flexibility around announcements on meta. This is not new. - Philippe
(3) we've made a few changes != completely redrafted - Vaccano
(2) @Philippe Do you feel it is appropriate to remove the featured tag? I feel it should be there until the Community bot removes it. Considering the fact that no mail has been sent regarding updates to Privacy Policy, having the featured tag for the maximum amount of time is the least that SE can do to make people aware of the privacy policy changes. - Random Person
@Philippe meta.stackexchange.com/q/370707 - Random Person
@RandomPerson don't forget that topbar that announced this as well. - Luuklag
(2) @Luuklag meta.stackexchange.com/posts/comments/1237292 The top bar was just visible for a few days I guess and it could be easily dismissed (probably by accident). - Random Person
[+314] [2021-09-24 20:57:27] ben is uǝq backwards

Note this answer was added before more information was added to the question or it was featured. I'm leaving it here as I believe that it's important.

So, here's the thing. Stack Exchange/Overflow cannot just change the privacy policy without telling people you're doing it or drawing their attention to what has been changed. I mean, it can. It just has, but I'm not sure that it counts.

So, a question; is every user, of each SE/O product, having read and agreed to the previous privacy policy:

  1. expected to have noticed this question and reread the policy? Or...
  2. deemed to have accepted the new privacy policy by continuing to use the site, implying that SE/O expects that each user will reread the privacy policy on every use of each SE/O product?

Both of these options are implausible. A more standard way of telling users that a privacy policy has changed would be to:

  • create a sensible, readable, diff that explains what's changed
  • email everyone telling them the privacy policy has changed
  • put up a network-wide notice telling everyone the privacy policy has changed

At that point, SE/O can reasonably assume that everyone has had a chance to accept the new policy.

A single question, on a single site, with a diff [1] put in a comment by a user [2] does not count as a reasonable attempt.

SE/O has an obligation under GDPR to at least tell EEA/UK users that "You must bring any new uses of an individual’s personal data to their attention before you start the processing." [3] (Article 13(3) [4]).

There is a higher, moral, obligation to be as transparent as possible to all of us in explaining how our data is used.

I'm fairly sure that nothing nefarious has happened, but I can't see a reasonable way of validating that.

[1] https://gist.github.com/pxeger/f00bae9440f0c8bc5d88c389c84b9e47/revisions#diff-4e8eff6c864aa6ec56c1f7ae983cb7889a3349e48e60d19bf0bf5cb0fe5213bf
[2] https://meta.stackexchange.com/questions/370216/updates-to-privacy-policy-september-2021#comment1235547_370216
[3] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
[4] https://eur-lex.europa.eu/eli/reg/2016/679/oj

(47) Thanks for the reasoned, reasonable Answer. I've featured the post across the network to provide notice that way. As to providing a sensible readable diff, that's something we could have done better here (and I've started conversations to that end). I've also been updating this post as more info becomes available to me. I agree that we have an obligation to be transparent about data use - this policy is a step toward that, imo. However, the roll-out could have included a readable diff, for sure. - Philippe
(25) @Philippe You haven't addressed the GDPR issue. - DavidPostill
(10) @DavidPostill I'm afraid that's not something we have an immediate answer for - I don't think we're introducing any new use of personal data, though. Your best contact for that is the privacy@stackoverflow.com inbox. They'll be able to explain it. - Cesar M
(48) @CesarM Why not address that in the "Question" post? It only needs a single sentence to confirm that, and privacy@stackoverflow.com could assure you of it. Otherwise they may have to answer the question quite a few times. - Andrew Leach
(2) I agree that they need to actively notify users, when the policy is changed. That being said, they are perfectly within their rights to update the policy whenever they want. - TylerH
(1) If I've implied that SE/O wasn't within their rights to update the policy whenever they want, then that wasn't my intention @TylerH. I'm arguing that if there are legal and moral obligations when doing so, which weren't taken into account. It could be that there is no legal obligation this time, but there is no reasonable way of anyone verifying that. - ben is uǝq backwards
(1) @benisuǝqbackwards there certainly is a reasonable way to verify you have no legal obligations to do something: employ legal counsel. - TylerH
(33) We've got a network-wide banner up pointing people to this question, to heighten the visibility of the change. - Philippe
(9) Notice and explanation are two different things. "The policy now covers employer branding, which is an ad product." There is literally no explanation of what this is, so putting up a border to point to this one sentence doesn't mean anything. Clearly moving towards the Naspers model here. - Travis J
Privacy policy, as stated in its name, is just a text, so I'm not sure it somehow puts any obligations on its publishers. - Kos
(1) I agree 100% in principle with the answer generally. But after reading all 8411 words that make up the base Privacy Policy, it's hard to see what would be objectionable from a use and policy standpoint. (there are many bad Privacy Policies out there -- this one is refreshingly benign) Now I have not read all the sub-policies applicable to Collectives, Teams or Enterprise -- so I can add no judgment there. - David C. Rankin
(3) @Philippe And that was necessary. I came here from that banner. Probably would have missed the changes if not for the banner... But what about the less active users of SE/O sites that visit the platform say once a month? Do we get any other sources of notifications other than the banner? - Muslimbek Abduganiev
(4) I logged into stackoverflow a week or so back, and suddenly my full name and job title had appeared in public in the profile etc. I didn't give my permission for this it just happened. When I sent a "support" question to Stackoverflow, it fell on deaf ears. - Colin Smith
(13) @Philippe why do you not simply send an email notification, like literally all other companies do when their privacy policy changes? You have the technical and financial means to do so, the only reasons I can think of why you don't would be either some penny pinchers think it's too expensive, you actively do not want to call attention to the changes, or you think it's not important. Either option is not flattering for SO. From an EU perspective I also don't get the impression you hold the GDPR in high regard. Maybe it's time somebody pulls a Schrems on you... - l4mpi
(4) @Philippe how long will the banner be up? What about those that visit the site once a year when they have an urgent problem to solve, will they see it next Xmas? - T-Me
(4) Maximize your privacy by staying away from social media, or, at the least, not link to it here. - user3481644
(2) @CSmith That probably qualifies for a separate question. - wizzwizz4
[+116] [2021-09-25 01:23:37] smitop

The previous privacy policy stated [1]:

We may amend or update this policy from time to time and will notify you of any material changes to this policy.

I see that the privacy policy has been updated, but I haven't been "notify"ed of the privacy policy changes, which seem to have already taken effect. The changes to the privacy policy seem decidedly material: where is my notification that changes have been made?

My understanding of the terms of service is that email, real mail, and personal delivery are the allowed ways that SE can "notify" users. I have not gotten any mail about this, electronic or otherwise. (And I definitely did not encounter an SE employee telling me about these changes IRL!)

[1] https://web.archive.org/web/20210602083702/https://stackoverflow.com/legal/privacy-policy

(15) It seems a bit daft to complain about the lack of notification, on a post that may reasonably be considered notification itself. - Nij
(78) @Nij Not everyone logs in every day. I imagine some people even take breaks or go on holiday. In about two weeks this post will no longer be featured. Do you think everyone that has an account on the network will have noticed this post? - Unconsidered
(75) @Nij It's not daft to complain that this notification is not the notification that the terms of service mandate. Since the terms of service are still in force, and the old privacy policy explicitly stated a notification, the new privacy policy may not be in force as it has not been announced correctly. - Andrew Leach
(50) FWIW it went live on 9/24, the post came 9/25 and I noticed this post only today, 9/26, totally accidentally. I wonder how many policy changes I missed... I think the complaint is quite justified. - skandigraun
(4) "Real mail" You think Stack Exchange has the time, staff, and money to send out notices to all registered users whenever their privacy policy has changed, especially considering 99.999% of users have never shared physical/mailing address information? Does any website in the world do this? I think not. - TylerH
(10) @TylerH Yeah, email is the only realistic way they could give out notices. It would also be very expensive to dispatch a Stack Exchange employee to personally tell every user about the changes (although it would be very cool). - smitop
(12) "Very cool" for you. I don't even wanna think about the time in the Air that would require ;) - Philippe
(1) "My understanding of the terms of service is that email, real mail, and personal delivery are the allowed ways that SE can "notify" users." Can you point to the part of the terms that state this? I see where the current privacy policy also states that notification will happen but I don't see anything there or in the terms that states that it has to be mail, email, or personal notification. - BSMP
(26) @BSMP Section 10.f: "Unless otherwise specified in these Public Network Terms, all notices under these Public Network Terms will be in writing and will be deemed to have been duly given when received, if personally delivered or sent by certified or registered mail, return receipt requested; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; or the day after it is sent, if sent for next day delivery by recognized overnight delivery service." - smitop
@Smitop Thank you! I was searching for the words "notify" and "notification" and missed it. - BSMP
(3) The ToS and Privacy Policy are two different documents, but please note that the "Notices" part you're referring to says "Unless otherwise specified", and it is specified above on the ToS that notice on the public Network is also an option. The language you see on "Notices" is a legally required way to notify stack exchange (the company) and is there for compliance reasons. - Cesar M
(1) @CesarM Doesn't 10.d only allow the Public Network Terms to be modified via "a notice on the public Network"? The Public Network Terms weren't changed: the Privacy Policy was, so I don't think 10.d would be relevant here? - smitop
(1) The privacy policy doesn't define how a notification under the policy should be delivered, so I think it's pretty reasonable to assume that it would be in the same manner as the Public Network Terms - smitop
(1) @skandigraun Only due to your comment I realised that this is already a month old. I just noticed it today (while visiting SO almost every day)... - luator
[+94] [2021-09-27 18:20:09] dbc

How can I revoke Stack Overflow's permission to collect my location information?

According to the new privacy policy:

Location information

When you use the Stack Overflow Network, and certain of our Products and Services, we collect location information about you, including your IP address, your location, browser information, and how you came to the Stack Overflow Network. ...

... You may revoke our permission to collect some of this data, including your location and browser information through your Account Settings, but this may limit functionality in some cases. Certain location information we collect is required for security and site functionality. We share this information with certain third-parties (e.g., talent recruiters, payment processors, and advertising providers) in order to provide you with our Products and Services.

But how can I actually do this? Looking through my Account Settings I don't see anything relevant:

The sections under Site Settings - Preferences are Interface, Advertisements, and Activity Data. The word 'location' does not appear.

Is it Use my on-site activity to show more relevant content (recommended)?


(1) It notes location in that fine print. So that would be the only option applicable here. - Luuklag
(63) @Luuklag - maybe? There's a statement Stack Overflow never sells or shares your activity data with third parties. but the privacy policy says We share this [Location] information with certain third-parties (e.g., talent recruiters, payment processors, and advertising providers)... so I'm still confused. - dbc
This isn't new and also appeared in the old policy. The only "location" changes I see in the new policy are the addition of a comma or two and the addition of a high level bullet point for collecting location data, with the added example "For example, with your consent, we may collect information about the specific location of your mobile device (for example, by using GPS or Bluetooth)" - mbauman
Most likely you can't, it's just a way to say screw you in a polite way, seems every good site nowadays is getting worse and worse in terms of privacy. THIS SHOULD STOP!!! - Rey
(6) This is not new, it was there before. It is in regards to: the location field on your profile (which you can leave blank), and devices that share location data (such as GPS on mobile). It's meant to say that you can disable this on the account settings in your device - by disabling sharing of that data on a device level. - Cesar M
(2) @CesarM - thanks for the answer. This is not new, it was there before. -- I joined in 2014 and it was added since then; at that time the policy stated only "Other non-identifying information that we might have access to includes ... your approximate location...". This is the first time I have reviewed and noticed that paragraph; it seems like Stack Exchange may have increased the precision of their location tracking since then. - dbc
(1) @CesarM - by disabling sharing of that data on a device level. What does this mean on a desktop browser such as Firefox or SeaMonkey? Do I need to set geo.enabled to false, or otherwise decline requests for exact location? - dbc
(5) @dbc I'm pretty sure we don't request location data from browsers, so from Firefox/SeaMonkey there is no need to disable anything. I will confirm this is true and update so when I have a final answer - but to my knowledge, we do not. In any case, if we request that data, you should see a request for allowing location sharing on Firefox which you can deny. - Cesar M
(1) @CesarM - thanks, I look forward to your final reply. I did in fact disable geo.enabled a while back so if Stack Exchange had been requesting this I would not have noticed. - dbc
(13) @dbc We are not requesting geo-location from browsers, confirmed. We do have other things that may lead to a location, such as IP addresses (which can be used to roughly determine location). IP collection can't be disabled. We do also infer country from that and it can't be turned off either. - Cesar M
(4) @CesarM Location by IP is already too precise, and I disagree with SE sharing this information with anyone else. The only location you should be allowed to share with potential employers is the one given willingly in the "Where you live" input of the developer story. - ederag
[+83] [2021-09-28 02:54:33] wizzwizz4

By making the privacy policy so generic, you've made it bind you a lot less. That's the opposite of what you want in a privacy policy.

  • A privacy policy should describe your current practices: how you're currently using people's data.
  • A privacy policy allows us to give meaningful consent for your data processing, and therefore we need to know what you're doing with our data; therefore you can't add things to your privacy policy describing things we don't know about. If it's in the privacy policy before a product / feature announcement, that's not consent.

Principles relating to processing of personal data (Art. 5 GDPR) [1]:

  1. Personal data shall be:
    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 [2](1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 [3](1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
  • The privacy policy is opaque, arguably violating 1(a) ('transparency').
  • I have no way of knowing whether Stack Overflow is compliant with 1(b) ('purpose limitation').
  • If the Privacy Policy is to be believed, Stack Overflow is blatantly violating 1(c) ('data minimisation'), 1(e) ('storage limitation') and 1(f) ('confidentiality'); given the various inaccuracies elsewhere in the document, and my generally high opinion of Stack Overflow, I believe¹ the Privacy Policy is simply wrong about what Stack Overflow's real actions and policies are.

¹: To be pedantic, Stack Overflow's actions aren't perfect: from looking at the GDPR subject access request data, it seems like Stack Overflow is associating a tiny bit more analytics data with users than is strictly necessary. However, it's little enough that I don't care, I don't see how it's abusable, and it's probably kept for recovering stolen accounts or something. Plus, it's exactly the data the old privacy policy said they kept.

Major issues (summary)

  • Moderators aren't given permission to use some of the mod tools; neither is Stack Overflow, except with an excessively broad reading of the ambiguities. Since moderators have to adhere to the privacy policy, does that mean we can't use them any more?
  • What, why, when data is collected, what it's used for and who it's shared with are listed separately, so we can't know what's being used for what, shared with whom.
    • “Technical” data has an unknown scope, and an unknown purpose.
    • In “cookies and other technologies”, you never say what the other technologies are, nor what you use them for.
    • “Unique device identifier” could mean several of many things.
  • General vagueness; grammatical issues to the point of meaninglessness, in a couple of cases.
    • So much “for example” and “such as” and “e.g.”. You're not telling us what we need to know.
    • A blanket permission to perform all statistical analysis. (Later on, statistical analysis “for business purposes” – which seems more specific, but actually isn't.)
    • “Legitimate interest” examples that can't be justified under legitimate interest, like marketing personalisation.
  • Things in the privacy policy that don't apply to Stack Overflow:
    • GPS tracking
    • Following users
    • “Saving” and “hiding” content
    • Privacy controls described that don't actually exist, [4] regarding data that Stack Overflow does not collect (I hope!!).
    • Use of third-party data aggregators to profile users (I hope).
    • Connecting real-world individuals to their pseudonyms. (I have sent privacy@stackoverflow.com an email about this.)
  • Things that, by law, I can't even consent to.
  • A 16-years-old age limit (it's 13 elsewhere).
  • The GDPR “invoking your rights” procedure in the Privacy Policy (email privacy@stackoverflow.com for everything) is different to the real procedure (use https://stackoverflow.com/legal/gdpr/request for the three things on that form, and privacy@stackoverflow.com for everything else).

Good bits

There is some good stuff, though:

Information from Developer surveys, questionnaires, research and feedback programs

We collect information through questionnaires, surveys and feedback programs to help improve our products and give us insights. We may also conduct similar research for advertisers and our marketing partners. We ask you for your consent to use this information when you participate in these programs and events.

While “advertisers and our marketing partners” sets my hair on end, you're going to ask consent in-the-moment! This is how you should do it! That's the better-than-the-industry-standard Stack Overflow I know.

You should not include any financial information or other information that you do not wish to make public when using our Public Network, which is a public website. We do not collect such information. It is your responsibility to keep such information safe and secure.

You didn't need to include this, but it was relevant. Good job. (I think.)

If we transfer any personal information in pursuing such a business transaction [e.g. audits], we will always ensure that strict confidentiality measures are in place to protect your privacy interests.

:-)

Developer Survey

This section is too big to quote, but it's great too. (Not sure how much it's changed from before, because the diff is useless.)

Advertising on our Network

It's nice to get insight into this. While I don't like everything here (I don't like the state of modern online advertising), you're actually explaining what's going on, so that I know what I'm agreeing to – and hence consent for this is valid… probably. I'm not a lawyer.

Employer Branding

I'm guessing this is Collectives? The privacy policy is okay (a little unclear, but it's practically non-normative), but I'm more impressed by the actual implementation-as-described.

It's not Collectives.

Well, impressed after going through this Privacy Policy. It's what I would normally expect from Stack Overflow; you do things properly, most of the time.

When Stack Overflow shares your personal information and other collected information with third party service providers, we require that they use your information only for the purpose of providing services to us and consistent with this privacy policy.

Not sure how consistent this is with third-party advertising, but I love the sentiment.

Event sponsors and partners – we may share your personal data with sponsors of Stack Overflow events and partners whom we hold events with for marketing purposes when you have given your permission for us to do so.

You've said who you're sharing it with, when, and why. All it needs is what “personal data” will be shared, and you're golden!

Questions / criticisms

Technical Data: including internet protocol (IP) address, your login data, traffic data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, and platform and other communication data which gives us information about how you accessed our website. Other account information and usage information including your IP address and browser data may be used for diagnosis, security, and Product and Service optimization.

To what extent are these associated with each other? If I'm reading this right, you store enough information to uniquely identify my browser, and my location, and my interaction times, and my login details; if they're in the same table row (or associated with the same timestamp, which is basically the same thing), that's far too much information! I can't think of any way that would help with technical support…

… so why's this called “technical data”? What, exactly, is it being used for?

Analytics information

Stack Overflow uses data analytics to ensure site functionality and to optimize our Product and Service offerings to you. We use web browser and mobile analytics to allow us to understand Network and Apps functionality. In doing so, we record information including, for example, how often you visit the Network, how often you contribute content, Network and Apps performance data, errors and debugging information, and the type of activity you engage in while on the Network or in your use of our Products and Services. We may on occasion share this information with third parties with whom we have contracts for products and services to assist Stack.

  • What is “the type of activity you engage in while on the Network”?
  • Who are these “third parties”?

Marketing and sales information

We collect details of the services you receive and your preferences; information about your device or the software you use, e.g., its IP address, technical specification and uniquely identifying data; cookies and similar technologies we use to recognize you, remember your preferences and tailor the content we provide to you – our cookie policy [6] contains more details about how we use cookies.

Too vague, sorry. There are some issues, e.g., it's not concrete, technical specification and uniquely meaningful words; punctuation and similar problems so I can't actually follow the sentence properly – my profile [7] contains more details about how I'm interpreting the HTML.

Device and browser information received automatically

When you visit the Network or use our Apps, Stack Overflow automatically receives and records information from your browser or mobile device, such as your Internet Protocol (IP) address or unique device identifier.

What's a “unique device identifier”? A euphemism for browser configuration fingerprinting? A cookie you set? The serial number on the bottom of my laptop, learnt by asking the local unicorns really nicely?

Location information

When you use the Stack Overflow Network, and certain of our Products and Services, we collect location information about you, including your IP address, your location, browser information, and how you came to the Stack Overflow Network.

I am aware that location information includes “[my] location”. But you're not collecting my location; you're collecting some information that you're deducing my location from. (At least, I really hope that Stack Overflow isn't going to start requesting GPS traces…) What is that information?

I'm guessing it refers to the location field of the user profile, otherwise this doesn't make sense:

You may revoke our permission to collect some of this data, including your location and browser information through your Account Settings, but this may limit functionality in some cases.

Although I still don't know how to limit collection of my “browser information” (whatever that means); how can I do this?

We share this information with certain third-parties (e.g., talent recruiters, payment processors, and advertising providers) in order to provide you with our Products and Services.

Again with the “e.g.,”! I know at least one category not present: moderators have access to some of this information some of the time. Who else? GDPR says you need to give an exhaustive list of purposes, unless the ones not listed fall under one of the special exemptions (and even then you really should). “e.g.” is not generally sufficient for consent.

We collect information about the actions you take when using the Services. This includes your interactions with content, like voting, saving, hiding, and reporting. It also includes your interactions with other users, such as following. We collect your interactions with communities, like your subscriptions or moderator status.

… What? This doesn't describe Stack Overflow at all. What is going on here? (Is it copied and pasted from Reddit?)

Pages you view or search for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), your engagement with certain variable/dynamic elements of a page, and methods used to browse away from the page.

If this is “technical data”, then I'd really like to know what it is being used for.

Information collected from cookies and similar technologies

This section provides no information about the “similar technologies”. What are they? How are you using them, and why?

We may receive and process information about your location. For example, with your consent, we may collect information about the specific location of your mobile device (for example, by using GPS or Bluetooth).

That's an example? I didn't know the Stack Exchange app was even getting updates. It's also a little troubling that “with your consent” is under the “for example” section; does consent apply to all of the location data processing?

If you choose to connect with us through a social media platform, we may, through the social media platform connection, collect additional information from you, such as your usernames, profile picture, contact information, contact list, and the profile pictures of your contacts.

Sorry. I cannot consent to this. Literally; the law does not permit me, even though I understand exactly what it says. Does that mean I have to leave?

Information from third parties to help us to combat fraud, provide Services or that relates to your interactions, including your communications between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and share it with us.

Under what circumstances will you be communicating with other companies about me? This is seriously concerning me; I've given Stack Overflow information that I would not trust other companies with, and I don't know of any mechanisms to revoke your access to that information. (Come to think of it, I should know about those mechanisms, shouldn't I?)

We may combine the information we collect about you from the various sources described above.

Nope. No blanket “combine information”. How are you combining it? Some of this information, you're not allowed to combine without explicit consent! But it seems like you intend to do it anyway; why else would you (attempt to) give yourself the power to do so?

For statistical analysis (e.g., on the use of our websites).

Virtually everything you can do with data is statistical analysis. This is carte blanche to do whatever you want! I don't think I can even consent to that.

To operate and improve our websites and services.

What does this mean? (It probably has a legal meaning, given how many companies use it, but I don't know what that meaning is.)

To provide improved website and product experience and communications informed by your product subscriptions and/or data collected.

Again, what does this mean? “improved experience” is fairly vague.

Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. Examples include when we analyze what content has been viewed on our Network and apps, so that we can understand how they are used and improve our content; carrying out marketing analyses to better understand your interests and preferences so that we can make our marketing more relevant to your interests and preferences. This includes when we promote our own products and services.

That's not how this works. Legitimate interest only goes so far when talking about marketing analyses, and given the amount of data you wrote about collecting above? You aren't allowed to use all of it. So what data do you use under this basis?

We do not use your personal data on the basis of legitimate interest for activities where individuals’ interests override our interests.

How are you making this decision? (If you were clearer elsewhere, I wouldn't need to know this.) Do you even know what my interests are?

We use your information to provide and improve our Products and Services, for identification, verification, to provide support, for online and offline marketing, including through third party tools such as Google Analytics, and for general research and analytics reporting. We gain insights into which of our Products and Services you are using most, what you’re interested in, and to better enable you to use and access our Products and Services. For example, we provide an API with information that has already been made publicly available by users to enable users to more easily access and use our services. We have a legitimate interest in enabling and customizing your experience of our Product and Services offerings.

If “online and offline marketing” means what I think it means… No way do you have a legitimate interest in tying my online identity to a real-world one, or even to anything I do off the Stack Exchange network. I have formally objected via privacy@stackoverflow.com.

(Yes, I know you're not doing anything of the sort; I'm feigning outrage because you could. You're giving yourselves the power to do so, and who knows who'll be working at Stack Overflow in five years' time?)

Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures

Is this what the “statistical analysis” thing from earlier was? “Statistical analysis to help us manage our business” is narrower in scope, and while I still don't know what it means, it'd be good if you could tighten up the previous mention.

Also, is this statistical analysis just with non-identifying information (or, if analysing identifying information, such that the output of the statistical analysis cannot be interpreted in a way that includes identifying information)? If so (which I'm pretty sure it is in practice), please tighten that up too.

Where's the statistical analysis that moderators do? Unless “statistical analysis for business purposes” is ridiculously broad on a technicality (everything a business does is business purposes… maybe write “business administration purposes” or something?), mods aren't allowed to use some of the mod tools under this new privacy policy.

Updating and enhancing customer records

Updating, okay. Enhancing? What does that mean? (If this only applies to Teams etc. customers, I don't care.)

You haven't defined “customer”. Who is a customer?

Cookies and Similar Technologies

Still don't know what “Similar Technologies” are.

We will get consent through our online consent management portal, or via other consent mechanisms before we can use your personal data in this way.

As I (and others) have said before, your “online consent management portal” is not particularly consentful [8]. Is this a commitment to fixing it?

We also offer conversion pixels so advertisers can track conversions that happen within 30 days of an ad being served.

What is “track”, here? I can't work out how you would track this, so I can't work out how you're doing it, nor what data that entails.

We use Google Ads to display personalized ads to users. You can find out more or opt out by visiting Google's help center.

GDPR violation. Such things should be opt-in only. Unless this is part of the consent toaster, of course, but that only talks about cookies, so I assume not.

The way that Microsoft Advertising works is clearly described, and appears to be fine. They're right next to each other. This suggests that there is a problem with Google Ads.

WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Which “personal data” are you sharing with which people? That's the important part, and it's missing.

Advertising partners – When you visit or interact with our websites, e.g., when you use the Public Network, we and authorized third parties will, with your permission, place certain cookies on your device and your account activity as described in more detail within our cookie policy.

You'll do what to my “account activity”? (I think you a word or two.)

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with contractual obligations which ensure adequate protection for your personal data.

You haven't clearly specified all of these purposes in the privacy policy, despite the broad swathing permissions given to Stack Overflow (not third-parties) by other parts. For instance, you seem to be a bit contradictory (or maybe just unclear) about the purposes for which advertisers may use my personal data; what are they?

We may carry out interest-based advertising through third party services such as Microsoft or Google, as described under Advertising, above. You can opt out of such advertising in the following ways:

GDPR violation. (I know, the state of the advertising industry sucks. Still a GDPR violation, as written.)

Geolocation information based on your IP address, or more specific location information if you authorize your device to provide it to us.

What systems do you actually have that collect specific location information like this? (And does this count passive authorisation, i.e. if the device responds to your API requests without the user's knowledge / consent?)

Inferences we make based on other collected data, for purposes such as recommending content, advertising, and analytics.

What inferences do you make? You have enough information, and the carte blanche, to make a lot of inferences, and you have not tied your hands in any way about this.

The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.

When did this go up? (Probably GDPR-related, as per Andrew Leach's comment [9].)


At present, I am unable to meaningfully consent to this change in privacy policy; much as I might like to, my hands are tied.


Yes, in case you were wondering, you have lost the benefit-of-the-doubt from me. It's nothing personal; those I know within the company would be among the first to object to some of the stuff this Privacy Policy lets Stack Overflow do. Nonetheless, you're a large, reasonably old company owned by a multinational conglomerate, and people who'd go to bat for us have been fired before.

[1] https://gdpr-info.eu/art-5-gdpr/
[2] https://gdpr-info.eu/art-89-gdpr/
[3] https://gdpr-info.eu/art-89-gdpr/
[4] https://meta.stackexchange.com/a/370322/308065
[5] https://meta.stackexchange.com/posts/comments/1235651?noredirect=1
[6] https://stackoverflow.com/legal/cookie-policy
[7] https://retrocomputing.stackexchange.com/users/278/wizzwizz4
[8] https://meta.stackexchange.com/a/359493/308065
[9] https://meta.stackexchange.com/questions/posts/comments/1236066

(8) Sorry for any egregious mistakes; I've been at this for over two hours, and I'm beyond proof-reading at the moment. I think I got everything, though. (Sorry I plagiarised some points from the other answers too.) - wizzwizz4
(4) The change from 13 to 16 is because of GDPR. The Regulation allows countries to choose an age limit below 16 (but not below 13), but 16 is the common limit across the EU and UK. That said, @JourneymanGeek's answer is a reasonable compromise. - Andrew Leach
(5) wizzwizz, thanks for the detailed answer - however, for this much detail and points, I'm afraid we'll be terribly inefficient to the point of frustration if we were to try and act as a middleman here. Can you please email privacy@stackoverflow.com directly? - Cesar M
(5) @CesarM Sure. Then I'll report back here with my findings (though probably not in a timely manner). - wizzwizz4
(7) Ticket PRIVACY-2351. I somehow managed to take longer writing that email than I took writing this answer, and it's of a lower quality. (Oh well.) - wizzwizz4
It's technical data because it's data about your browser and machine. (Information like your name or gender would be personal information.) I'm not sure if you were serious when you said you can't imagine how that information would be used by the developers. - BSMP
(2) @BSMP “that” = “associating everything with everything else”; each of the individual pieces of information is useful for the developers, and several are useful in combination – but I'm not confident that associating location data with login details is any use. Which I'm not claiming SO is doing; the problem is that the Privacy Policy isn't clear about what SO is doing, and (in places) says they're doing stuff they're clearly not. - wizzwizz4
(2) Employer Branding = Reach and Relevance. It's what's replacing the SE careers/job boards product - Journeyman Geek
@JourneymanGeek Interesting. Has that been announced anywhere? - wizzwizz4
(1) stackoverflow.blog/2021/04/07/… is the original announcement. Not really recalling where there's more details of what this entails - Journeyman Geek
@AndrewLeach Across the EU only. The UK has its limit set at 13 in its version of GDPR. (There was one UK user who was over 13 but under 16 in late 2019 who had their account removed, but were allowed to return once Brexit took place even though they weren't 16 yet.) - Sonic the Anonymous Hedgehog
(1) @SonictheAnonymousHedgehog It doesn't. The original Section 9 of DPA2018 was altered on exiting the EU. legislation.gov.uk/ukpga/2018/12/section/9/2020-12-31 - Andrew Leach
Have they gotten back to you about your ticket yet? Not asking for findings yet, as you're presumably busy and that's why you haven't updated, but just wanting to know whether you've received a response. - willuwontu
(3) @willuwontu I was busy when I posted this. Reviewing Stack Exchange's legal documents is, for some bizarre reason, one of the highest things on my de facto list of priorities. But no, they haven't got back to me yet. I only sent them around 35+ questions (mostly about things the legal team would have no way of knowing) so I can't think why it could possibly be taking this long. :-P - wizzwizz4
(1) @willuwontu They replied a while ago, and I missed the email. I don't have answers to my questions yet, so I've cut the list down to 5. Hopefully my improved second email is actually actionable this time. - wizzwizz4
4
[+58] [2021-09-27 20:33:05] Travis J

We will use your personal data in the following circumstances:

Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information.

So, basically, whenever?

It kind of feels like the update went in this direction:

By viewing this page, you implicitly agree to have this page examine your browsing history, including a visitation graph coordinated by Google analytics which has also been collecting information on your person via any third party profiles, and on your location via any positional meta data available; moreover, you also implicitly agree that the data, or generated graph which intersects here, may be sold or used to corporate advantage whenever that opportunity presents itself.


(4) That's not new. - mbauman
(18) I don't think "our legitimate interest" includes "third party interests", when the GDPR applies. Also, the EU doesn't consider all commercial interests legitimate. You should be specific. The GDPR already states that legitimate interests are a valid reason, as a general rule, but the point of a privacy policy under the GDPR is to explain how the GDPR applies to a particular company. So you can't rehash the GDPR's general rules; you have to explain your legitimate interests - MSalters - reinstate Monica
(1) OK, what about non-GDPR countries ? - Rey
(3) @RajmondBurgaj In the past, Stack Overflow has been taking the “restrict ourselves to the most restrictive international legislation” approach. - wizzwizz4
5
[+30] [2021-09-27 22:50:40] Vikki

Children

The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.

Why did the lower age limit get raised from 13 to 16?


(6) Doesn't say that in the ToS. - Ollie
(9) And if the ToS hasn't been updated, then I'm really sorry for all those under-16s who've worked hard to get anywhere near 20K on any SE site. - Ollie
(8) That's in line with the EU but not American requirements.... Also would be a bit of a shame since a lot of younger folks grew up with and benefitted from the network - Journeyman Geek
(6) "We do not knowingly offer this or any other Product or Service to anyone under the age of 16." Well that's just flatly untrue. The ToS says "You must be at least 13 years old to access or use the Network or Services". - mbauman
(2) @JourneymanGeek Ah, thanks. And yeah, it definitely would be. - Ollie
(7) I've requested clarification on this, for now, there are no changes to the ToS or our policy for moderators. I'll update when I know more. - Cesar M
(5) @CesarM is correct. I spoke with counsel about this yesterday. Although we will be doing some work on the TOS next year sometime, it's in the VERY early planning stages and I'm not sure that anyone knows what will be included there. They used the number 16 here to avoid using different numbers in different jurisdictions but there is no impact on the TOS. The two documents are complementary but they do not perfectly reflect each other. That's what the work next year will do, and I have no idea what the eventual content of that will be. I will push for an early opportunity for comm. review. - Philippe
(1) @Philippe Thanks; it's great to hear we might get community review before the next one goes live. - wizzwizz4
(2) I will caution that I'm not the decision maker there, and I can't promise anything. I said that I would push for an opportunity. I could very well be overruled (though, tbh, I kinda doubt it). - Philippe
(3) @Philippe How are we to trust anything that's written in this document when there are such obviously incorrect statements? - mbauman
6
[+26] [2021-09-28 22:36:35] Clement Cherlin

WE DO NOT AND WILL NOT SELL YOUR PERSONAL INFORMATION.

Well, that's good.

Stack Overflow uses data analytics to ensure site functionality and to optimize our Product and Service offerings to you. We use web browser and mobile analytics to allow us to understand Network and Apps functionality. In doing so, we record information including, for example, how often you visit the Network, how often you contribute content, Network and Apps performance data, errors and debugging information, and the type of activity you engage in while on the Network or in your use of our Products and Services. We may on occasion share this information with third parties with whom we have contracts for products and services to assist Stack.

Oh, but you can "on occasion share" my personal information. Which means...?

You may or may not have intended this interpretation, but you left the door wide open for exchanges of personal information that do not involve money changing hands. For a realistic example of this, nonprofits often trade mailing lists. Not "selling", but nonetheless, trading personal information (names, addresses, telephone numbers, email addresses) from one entity to another.

At a bare minimum, you should specify

  1. Whether "this information" is "shared" in personally identifiable form, or non-personally-identifiable aggregate form, or both.
  2. The nature of these "third parties" and the products and/or services they provide. Are they advertisers, marketers, cloud service providers, technical consultants, contract workers, government agencies...? "To assist Stack" is vague to the point of meaninglessness.
  3. Whether the third parties you share "this information" with are permitted to "share" (or sell) "this information" to other parties. If not, you should first ensure, and second state in this privacy policy, that these third parties are contractually obligated to not "share" my information any further.
  4. Significantly clarify the nature of "this information". Analytics covers an awful lot of ground, all the way from anonymous aggregated usage stats to timestamped individual cursor/touch and keystroke logging. Have you ever accidentally pasted a password or other secret into a random web page when meaning to paste something else? Are you OK with having webpages log things you write and then delete? I'm not. I'm OK with anonymous aggregated usage stats. I'm not OK with individually identifiable cursor/touch or keystroke logging, and "the type of activity [I] engage in while on the Network" is vague enough to cover both. We know you can (and did) log copying and pasting, so individual input event trail logging is entirely feasible for you. Are you doing that? I don't know, because your privacy policy doesn't say. And if you don't say you're not, it's reasonable to assume you are (or will).

The true purpose of a privacy policy is not to give corporations carte blanche to do whatever they want, and not to perform regulatory CYA. It's to give users a clear and accurate idea of what a corporation will and will not do with their personal information. This policy does not do that. I have more questions and concerns about what Stack will do with my personal information after reading it than I did before.


(8) Right. "We don't sell personal information" might be true in a very narrow sense ("we don't sell whole packages of data about users with their most confidential details, in a direct exchange for cash") but not true in the way most people would understand it ("other companies do not have access to any information about me"). - Steve Bennett
7
[+23] [2021-09-28 11:08:41] Journeyman Geek

I've specific concerns with this part of things. As a moderator, and as a fairly active community member -

Children

The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.

In its current form has a few things that have me uncomfortable. While I realise the lower floor for age is legally mandated, SE's always been clear that's the reason - and the TOS reflects that. Historically - and currently in the US (and as per our terms of service - that's 13, with 16 reflecting the upper bound/standard in the EU). As such - saying that "we don't knowingly..." might be a contradiction, and I'd rather have the wording here clarified to reflect this than lift the limit networkwide to fit whichever legal standard is the hardest to reach.

We also have many communities where younger folks might find a natural fit - say arqade or bricks and the current wording essentially is a legal go-away. I'd also suspect it's entirely possible say, a 15 year old might be mature enough to benefit from SO or SU (I built my first PC at 13), and live in a jurisdiction where using SO or other SE sites would be legal.

Rewording this to reflect that these limits reflect the local legal environment would be a positive step. If this is for the paid/commercial products primarily - it might be helpful to adjust the general privacy policy to reflect this - and leave the higher age limit in place there


(22) I would also argue the second sentence in the quoted paragraph is flat-out bullshit. "We do not knowingly offer this or any other Product or Service to anyone under the age of 16"? Well, SE did exactly that until the release of the new policy because the old cutoff was at 13. They did not adequately notify users of the new privacy policy, and the change is buried deep in the document and not even mentioned in the meta post, which in my opinion means they very knowingly chose not to inform these users that they are no longer welcome here. - l4mpi
8
[+22] [2021-09-28 13:54:02] Kos

WE DO NOT AND WILL NOT SELL YOUR PERSONAL INFORMATION.

First, you don't need to shout at your users.

Second, you may elaborate on this statement. How do you imagine "will not sell" anything in future? Is this privacy policy version rock solid and final?

Third, there is a more detailed explanation in the policy text, which happens to be the opposite of a "WE DO NOT AND WILL NOT" statement:

If we choose to sell, transfer, or merge parts of our business or our assets, your personal data would be shared with such third parties as part of such a transaction.

Without any option to opt out of such a transaction, I would say the privacy policy tells us that SE/SO will sell everyone's personal data as soon as such a transaction happens, which is not so bad, but actually the opposite of such a generous claim of not selling anything written in caps.


Perhaps the shouting part is some legalese thingy? - This_is_NOT_a_forum
9
[+20] [2021-09-24 22:15:19] bad_coder

Correct me if I'm wrong (since there is no diff view as ben is uǝq backwards pointed out), but wasn't the EU privacy contact address in England only? Is this Netherlands address new and somehow connected to the acquisition by Prosus [1]?

EU Representative

The MD Stack Overflow GMBH HRB 234500
3 Frieslandstraat, Amsterdam,
privacy@stackoverflow.com, phone: +44 (0) 20 3349 1000

[1] https://stackoverflow.blog/2021/06/02/prosus-acquires-stack-overflow/

BTW, I just checked and the diff linked in the comments didn't have this new address. - bad_coder
(28) Also note that due to Brexit, "EU" no longer applies to England. Would be weird to have a EU contact in a non-EU country, perhaps. - Tinkeringbell
(12) @Tinkeringbell "The GDPR data protection rules introduced by the EU in May 2018 are part of UK law even after Brexit, under the Data Protection Act." - DavidPostill
(13) @DavidPostill The EU contact should not be in the UK, because the UK Information Commissioner has no jurisdiction in the EU. However, a UK contact is still required, as you point out. - Andrew Leach
(25) I asked our legal team. @AndrewLeach is right. It is new, and not related to the Prosus acquisition. Rather, there's a regulatory requirement that we have a Representative Officer in the EU, and a separate one in the UK, post-Brexit. Prior to Brexit, our UK office served as our Rep Office for the EU as well. - Philippe
@Philippe that's good to know, ty for asking. EU/UK citizens were likely going to wonder about this. - bad_coder
(1) @Philippe Thanks for checking. The phone number given in the quote above is a London number, though, not Amsterdam. Is that right? - Andrew Leach
(2) Oooh, good catch. I dunno, let me check. - Philippe
(3) Yeah +44 is UK and 020 is London :D - Journeyman Geek
(35) @AndrewLeach the perfect legal department, they avoid complaints by giving people the wrong number. - bad_coder
(1) Dutch phone numbers start with +31, not +44. A UK phone number on an NLD address definitely looks odd. Will the contact person be having standing in UK, EU or (somehow) both? - Mast
(1) @Mast it doesn't look odd to me at all. Usually addresses like this are only used for legal reasons in NL. For example using tax (evasion) strategies, or compliance issues. IIRC SO does have a London office, not an Amsterdam office. So probably the phone number is accurate, as well as the address... - Luuklag
(2) @Philippe, are you sure on the address though, as it appears to be just a regular apartment. - Luuklag
(3) I'll ask again. :-) - Philippe
BTW if you read the entire privacy policy, the phone number is the same as the phone number of the UK rep. So it obviously is the same person, but they need a legal address in the EU as well. - Luuklag
(4) @Luuklag Sometimes I forget we're a tax Walhalla. If having an address is the only requirement, no wonder companies keep doing it. - Mast
A proper Dutch address would read Frieslandstraat 3, Amsterdam, or better Frieslandstraat 3, 1082 TK Amsterdam - Jan Doggen
The "gmbh HRB 234500" part is also a bit weird - that's a German SO subsidiary with a business address in München, Germany. - MSalters - reinstate Monica
(1) @MSalters-reinstateMonica yep, "GMBH HRB" immediately spelled German in my mind, which adds to the strangeness of an English phone number with a Dutch address... - bad_coder
(2) GMBH HRB 234500 is StackOverflow business registration in Germany with an address in Munich. The Amsterdam address is not correct. - fpiette
Nitpick: The entities behind GDPR are more generally EEA and UK. (The EU is included in the EEA together with Norway, Iceland, and Liechtenstein.) - kubanczyk
10
[+17] [2021-09-27 21:18:49] John Omielan

The "INTRODUCTION TO OUR PRIVACY POLICY" section defines

Personal data is any information about you by which you can be identified or be identifiable (either on its own or when combined with other information). This can include information such as: your name, email address and username; information about your device (e.g., IP address); and information relating to how you use and interact with our sites, apps and services.

Later, in the "Microsoft Advertising" section, there's (with the emphasis being mine):

We use Microsoft services (e.g., Bing) for personalized advertising purposes, including Match lists, user event tracking (UET) and retargeting. When we do this, Microsoft collects or receives Personal Data from us to provide Microsoft advertising. Your data can only be used by Stack Overflow and will not be shared with other parties. Where applicable, (for example, if you reside in the EEA or where EEA law applies), we will get your consent before we can share your personal data with Microsoft. You can find out more by visiting Microsoft Privacy Statements [1].

The second emphasized sentence appears to contradict the first one, in particular the first one states "Microsoft collects or receives Personal Data from us" and the second one states our data "... will not be shared with other parties". Also, I'm not sure why "Personal Data" is capitalized in the first emphasized sentence, unless perhaps it's meant to refer to the "official" definition I mentioned earlier. Regardless, this section of text seems to be first stating that Microsoft gets data from Stack Overflow to provide advertising, but then says the data can only be used by Stack Overflow and will not be shared with any others (note that Merriam-Webster's definition for shared [2] states "computing: accessible by more than one user or process", so Microsoft's access to the data means that data is being shared with Microsoft)! In addition to this possible contradiction, I'm also uncertain regarding what the purpose of that second sentence even is.

Note that further down, in the "WHO DO WE SHARE YOUR PERSONAL DATA WITH?" section's seventh bullet point, starting with "Advertising partners", it states

When we use Google Ads or Microsoft Bing Customer Match for advertising campaigns, your personal data will be protected using hashed codes.

Is the purpose of the second sentence I referred to earlier to imply that your data is not really shared or used by others, including Microsoft, due to it being "protected using hashed codes"? If so, I suggest this be made clear there. In any case, that part of the "Microsoft Advertising" section should be better explained, such as by adding a few appropriate adjectives (e.g., use "hashed Personal Data" and "Your unencrypted data"), possibly even completely removing that second sentence if it doesn't serve any useful purpose, etc.

[1] https://privacy.microsoft.com/en-gb/privacystatement
[2] https://www.merriam-webster.com/dictionary/shared

(3) This is not a contradiction, what this means is that Only Stack will be able to use the Customer Match lists created within MS Bing. Microsoft will not be able to use it for their own purposes and will not be able to share it with third parties. - Cesar M
(1) @CesarM Thank you for your feedback. I agree the intended meaning is something like what you wrote. However, using standard definitions of words, like Merriam-Webster's for "shared" that I included in my updated answer, and reading it objectively without any additional meaning that is not explicitly stated, indicates those sentences as currently written are contradictory. I made a suggestion that just adding a couple of appropriate adjectives would better explain what they are trying to state but, regardless, I believe that part should be reworded to make their intent clear & unambiguous. - John Omielan
11
[+15] [2021-09-27 21:28:32] mbauman

I really wish the "changes include" in the Question would list the meaningful changes. I've really only examined one section — WHO DO WE SHARE YOUR PERSONAL DATA WITH? — and it has some very significant changes. It's significantly more understandable and readable, but a number of bullets are completely new or substantially different. My commentary follows the quoted sections from the new policy.

We share personal data with:

  • Companies within the Stack Exchange network.

This is new and is not defined anywhere that I can see. What's a company within the Stack Exchange network? Are there examples beyond Stack Exchange, Inc.?

  • Third parties who provide professional services, including but not limited to accountants; banking, insurance and insurance broking services for us.
  • Third parties we use to help deliver our products and services to you, e.g., payment service providers, payment processors, warehouses and delivery companies; cloud service providers, e.g., Microsoft Azure, service providers that help us carry out certain tasks, including order fulfilment, customer service providers, maintaining technology and related infrastructure, serving and targeting ads, measuring performance, managing and analysing research, email distribution, managing marketing e.g., Marketo and promotions and surveys.

Possibly covered in previous policy as the catchall "third parties who provide services to Stack Overflow, such as payment processors, email delivery services, software providers, advertising providers and when we enter into product integrations with Software providers."

  • Third parties that we partner with to deliver products and services, including certain marketing and features to you, such as Employer Branding; and Collectives on Stack Overflow (please read the Collectives Privacy Notice).

Completely new (and actually called out in the Question by Philippe above, so bravo on that).

  • Advertising partners – When you visit or interact with our websites, e.g., when you use the Public Network, we and authorized third parties will, with your permission, place certain cookies on your device and your account activity as described in more detail within our cookie policy. We use this information to serve you certain advertising content. We also partner with other third parties, such as Google Ads and Microsoft Bing, to serve advertising content and manage advertising campaigns. When we use Google Ads or Microsoft Bing Customer Match for advertising campaigns, your personal data will be protected using hashed codes. Google users can control the ads that they see on Google services, including Customer Match ads, in their Google Ads Settings. More information on how to control your account settings or to opt out of direct marketing campaigns can be found under Your Choices section. You can also opt out in your Profile Settings.

The latter half specifically naming Google Ads and Microsoft Bing is new, as is the "data will be protected using hashed codes"... unclear what that actually means.

  • Event sponsors and partners – we may share your personal data with sponsors of Stack Overflow events and partners whom we hold events with for marketing purposes when you have given your permission for us to do so. Other third parties approved by you, e.g., third parties that run our Developer Survey, social media sites you choose to link your account to or third party payment providers. We may make available APIs to enable users to download publicly available information from our websites.

While the developer survey was named before, this now expands it to an example of a general case. Events do not exist in the old privacy policy.


(2) The "Companies within the Stack Exchange network" line refers to other offices of Stack Exchange, such as ones we have in Europe. - Cesar M
(1) @CesarM: That seems to be in conflict with the first paragraph of the policy, which defines the "Network" as "a set of related Internet sites and other applications for asynchronous collaboration and sharing knowledge, owned and operated by Stack Exchange, Inc. (“Stack Overflow”, “we” or “us”), a Delaware corporation." The terminology all seems very confused and jumbled. - mbauman
(2) I suspect that these two usages of the word "network" are not the same thing - the first is the network of sites. The second means the "network" of companies/offices we have that are legal entities of Stack Exchange in other countries. - Cesar M
(4) Yes, it seems to be the case that the uses of the word network are different, but the more important part is that there's no way to detangle these things. The company Stack Exchange, Inc is defined as synonymous with Stack Overflow. The set of sites and applications is the Stack Overflow Network and is defined as synonymous with Stack Overflow. What is the company? What is the set of sites? What is "Stack Exchange" or the "Stack Exchange network" and how is that different from the Stack Overflow Network? Completely and totally confused. - mbauman
12
[+11] [2021-09-30 08:43:19] trlkly

The way this is written, it seems to imply the policy change has taken place right away (as it mentions September and that month is almost over). However, the standard way of handling a change in these sorts of policies is to give notice days ahead, and to tell people they can opt out of the change by closing their account (or some other method).

I agree with others that email is the standard means to inform people of such policy changes. I would suggest having it be a notification. Those will automatically be sent to email if the person doesn't read them within a certain period of time.


(8) Stack Exchange does not work in standard ways. They make major/breaking changes first, then sometimes they announce them later. Sometimes not even this. - Shadow Wizard Love Zelda
13
[+10] [2021-10-06 15:01:44] Makoto

I never dismissed the notice for the Privacy Policy. It seems to be gone now. How long is a notice like this meant to be up for, and what would be considered a "reasonable" amount of notice?


14
[+8] [2021-09-28 12:00:12] cherryblossom

Some stuff I noticed (emphasis mine):

  • They clarified that content you post is public and often can't be removed even if removed from Stack Overflow
  • If you choose to connect with us through a social media platform, we may, through the social media platform connection, collect additional information from you, such as your usernames, profile picture, contact information, contact list, and the profile pictures of your contacts. Similarly, the social media platforms may collect information about your interaction with our Products and Services.

  • Their emails use JavaScript to track opens, clicks, and unsubscribes. They also may contain a tracking pixel that lets them know when the email is opened or forwarded.
  • They use Microsoft services for ads (as well as Google’s) and they’ll get our consent ‘where applicable’.

    We use Microsoft services (e.g., Bing) for personalized advertising purposes, including Match lists, user event tracking (UET) and retargeting. When we do this, Microsoft collects or receives Personal Data from us to provide Microsoft advertising. Your data can only be used by Stack Overflow and will not be shared with other parties. Where applicable, (for example, if you reside in the EEA or where EEA law applies), we will get your consent before we can share your personal data with Microsoft.

The part about the legitimate interests for using our data has been changed from

Where it is in our legitimate interests, or that of a third party to carry out the processing.

to

Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. Examples include when we analyze what content has been viewed on our Network and apps, so that we can understand how they are used and improve our content; carrying out marketing analyses to better understand your interests and preferences so that we can make our marketing more relevant to your interests and preferences. This includes when we promote our own products and services.


15
[+6] [2021-10-06 09:37:41] Qwertiy

Some users have provided more information to the company than the site usually accepts. For example phone number and home address are needed to receive gifts from SO.

Is it possible that such information will be used outside of its initial purpose?

For example can it be shared with advertising partners?

Currently I see no restrictions on it. So if I'm not missing something, it would be nice to add a limitation.


It was never official, all the swag events were just for fun. It's common sense that someone who prefers to keep their privacy won't take part, or at least won't share actual info if winning, but I do agree this common sense better get an official stamp. - Shadow Wizard Love Zelda
(6) @ShadowWizardIsVaccinatedV3, currently there is "Contact Data: including delivery address, email address, and telephone numbers for operational purposes, including providing Services and Products." in the policy. - Qwertiy
16
[+4] [2021-10-01 01:03:25] bad_coder

One thing I didn't understand reading either the previous or the current version of the Privacy Policy is if the access to some functionalities that don't have an explicit URL is logged.

I even asked about this twice, on separate occasions to staff members. And I think the description and explanations they gave were clearer than the way it's currently described in the Privacy Policy.

  1. In the A deeper dive into the May 2019 security incident: blog post feedback [1]

    I asked:

    Can you explain more clearly what "publicly accessible properties" means in the below quote?

    To which Dean Ward answered:

    Any website or service that is routable from the public internet

  2. In the We’re adding more user controls for cookie consent [2] I asked:

    What cookies are necessary for the red dot to work on Custom Filters?

    To which Des answered:

    Custom filters don’t use cookies. For a given filter, we store the "last viewed" timestamp as well as the timestamp of the most recent post activity in Redis. We compare the two to determine whether to show the red dot.

Because of the way the Privacy Policy is written it only focuses on URLs but in some cases (and for some users) it isn't obvious there's an address behind a specific functionality. So you're left wondering...

Examples of actions that are probably logged where it isn't obvious you are using a URL:

  • Clicking the achievements or inbox icons in the top bar.
  • Clicking the Next badge cog in the User Profile to check my badge progression.
  • Clicking the choose which badge to track cog.
  • The red dots on the custom filters, etc...

The Privacy Policy seems to describe these only as URLs without being more explicit.

Information that you give to us

Actions you take We collect information about the actions you take when using the Services. This includes your interactions with content, like voting, saving, hiding, and reporting. It also includes your interactions with other users, such as following. We collect your interactions with communities, like your subscriptions or moderator status.

Information we generate or collect automatically through your use of our services or via our IT systems

Log and usage data Information about your visits to our sites, including the full URL clickstream to, through and from the sites (including date and time);

So I think the Privacy Policy should be rephrased to be explicit about the logging, or not, of these less obvious functionalities.

[1] https://meta.stackexchange.com/q/359989
[2] https://meta.stackexchange.com/q/359358

On a different note, when did Dean Ward leave the company? - Random Person
(1) @V2Blast Thanks for the info. Also, please don't forget to tag me if you reply to my comments. - Random Person
17
[+1] [2021-10-01 20:45:04] Loofer

Many great criticisms in the answers here... the change that makes me feel ill... and shows the corruption of this network is the simple change from

Internet sites and other applications for questions and answers,

to

Internet sites and other applications for asynchronous collaboration and sharing knowledge,

I do love a good 'asynchronous collaboration' when looking to 'share knowledge'. A good old AC&SK session I call it!


What are you talking about? What is an "AC&SK session"? Corruption in what sense? - This_is_NOT_a_forum
@P.Mort.-forgotClayShirky_q “AC&SK” sounds like a persiflage of “Q&A” and means “Asynchronous Collaboration & Sharing Knowledge”, which supposedly is “the new Q&A”. - Sebastian Simon
(7) Why use 2 simple clear English words on a site used by many international users when 4, much more complex words would do? - Zhaph - Ben Duguid
18