As you know, periodically we update our privacy policy. Today is one of those days: we've made a few changes to the privacy policy. The policy covers how we collect and use data on the entire network, including Stack Overflow for Teams and the public Q&A site.
Changes include:
The Privacy Policy [1] can be found in the footer of every page on the network, and - for visibility - we are using the site banner to direct users to this question.
Note this answer was added before more information was added to the question or it was featured. I'm leaving it here as I believe that it's important.
So, here's the thing. Stack Exchange/Overflow cannot just change the privacy policy without telling people you're doing it or drawing their attention to what has been changed. I mean, it can. It just has, but I'm not sure that it counts.
So, a question; is every user, of each SE/O product, having read and agreed to the previous privacy policy:
Both of these options are implausible. A more standard way of telling users that a privacy policy has changed would be to:
At that point, SE/O can reasonably assume that everyone has had a chance to accept the new policy.
A single question, on a single site, with a diff [1] put in a comment by a user [2] does not count as a reasonable attempt.
SE/O has an obligation under GDPR to at least tell EEA/UK users that "You must bring any new uses of an individual’s personal data to their attention before you start the processing." [3] (Article 13(3) [4]).
There is a higher, moral, obligation to be as transparent as possible to all of us in explaining how our data is used.
I'm fairly sure that nothing nefarious has happened, but I can't see a reasonable way of validating that.
[1] https://gist.github.com/pxeger/f00bae9440f0c8bc5d88c389c84b9e47/revisions#diff-4e8eff6c864aa6ec56c1f7ae983cb7889a3349e48e60d19bf0bf5cb0fe5213bf
The previous privacy policy stated [1]:
We may amend or update this policy from time to time and will notify you of any material changes to this policy.
I see that the privacy policy has been updated, but I haven't been "notify"ed of the privacy policy changes, which seem to have already taken effect. The changes to the privacy policy seem decidedly material: where is my notification that changes have been made?
My understanding of the terms of service is that email, real mail, and personal delivery are the allowed ways that SE can "notify" users. I have not gotten any mail about this, electronic or otherwise. (And I definitely did not encounter an SE employee telling me about these changes IRL!)
[1] https://web.archive.org/web/20210602083702/https://stackoverflow.com/legal/privacy-policy
How can I revoke Stack Overflow's permission to collect my location information?
According to the new privacy policy:
Location information
When you use the Stack Overflow Network, and certain of our Products and Services, we collect location information about you, including your IP address, your location, browser information, and how you came to the Stack Overflow Network. ...
... You may revoke our permission to collect some of this data, including your location and browser information through your Account Settings, but this may limit functionality in some cases. Certain location information we collect is required for security and site functionality. We share this information with certain third-parties (e.g., talent recruiters, payment processors, and advertising providers) in order to provide you with our Products and Services.
But how can I actually do this? Looking through my Account Settings I don't see anything relevant:
Is it Use my on-site activity to show more relevant content (recommended)?
geo.enabled to false, or otherwise decline requests for exact location? - dbc
geo.enabled a while back so if Stack Exchange had been requesting this I would not have noticed. - dbc
By making the privacy policy so generic, you've made it bind you a lot less. That's the opposite of what you want in a privacy policy.
- Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 [2](1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 [3](1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
¹: To be pedantic, Stack Overflow's actions aren't perfect: from looking at the GDPR subject access request data, it seems like Stack Overflow is associating a tiny bit more analytics data with users than is strictly necessary. However, it's little enough that I don't care, I don't see how it's abusable, and it's probably kept for recovering stolen accounts or something. Plus, it's exactly the data the old privacy policy said they kept.
There is some good stuff, though:
Information from Developer surveys, questionnaires, research and feedback programs
We collect information through questionnaires, surveys and feedback programs to help improve our products and give us insights. We may also conduct similar research for advertisers and our marketing partners. We ask you for your consent to use this information when you participate in these programs and events.
While “advertisers and our marketing partners” sets my hair on end, you're going to ask consent in-the-moment! This is how you should do it! That's the better-than-the-industry-standard Stack Overflow I know.
You should not include any financial information or other information that you do not wish to make public when using our Public Network, which is a public website. We do not collect such information. It is your responsibility to keep such information safe and secure.
You didn't need to include this, but it was relevant. Good job. (I think.)
If we transfer any personal information in pursuing such a business transaction [e.g. audits], we will always ensure that strict confidentiality measures are in place to protect your privacy interests.
:-)
Developer Survey
This section is too big to quote, but it's great too. (Not sure how much it's changed from before, because the diff is useless.)
Advertising on our Network
It's nice to get insight into this. While I don't like everything here (I don't like the state of modern online advertising), you're actually explaining what's going on, so that I know what I'm agreeing to – and hence consent for this is valid… probably. I'm not a lawyer.
Employer Branding
I'm guessing this is Collectives? The privacy policy is okay (a little unclear, but it's practically non-normative), but I'm more impressed by the actual implementation-as-described.
It's not Collectives.
Well, impressed after going through this Privacy Policy. It's what I would normally expect from Stack Overflow; you do things properly, most of the time.
When Stack Overflow shares your personal information and other collected information with third party service providers, we require that they use your information only for the purpose of providing services to us and consistent with this privacy policy.
Not sure how consistent this is with third-party advertising, but I love the sentiment.
Event sponsors and partners – we may share your personal data with sponsors of Stack Overflow events and partners whom we hold events with for marketing purposes when you have given your permission for us to do so.
You've said who you're sharing it with, when, and why. All it needs is what “personal data” will be shared, and you're golden!
Technical Data: including internet protocol (IP) address, your login data, traffic data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, and platform and other communication data which gives us information about how you accessed our website. Other account information and usage information including your IP address and browser data may be used for diagnosis, security, and Product and Service optimization.
To what extent are these associated with each other? If I'm reading this right, you store enough information to uniquely identify my browser, and my location, and my interaction times, and my login details; if they're in the same table row (or associated with the same timestamp, which is basically the same thing), that's far too much information! I can't think of any way that would help with technical support…
… so why's this called “technical data”? What, exactly, is it being used for?
Analytics information
Stack Overflow uses data analytics to ensure site functionality and to optimize our Product and Service offerings to you. We use web browser and mobile analytics to allow us to understand Network and Apps functionality. In doing so, we record information including, for example, how often you visit the Network, how often you contribute content, Network and Apps performance data, errors and debugging information, and the type of activity you engage in while on the Network or in your use of our Products and Services. We may on occasion share this information with third parties with whom we have contracts for products and services to assist Stack.
Marketing and sales information
We collect details of the services you receive and your preferences; information about your device or the software you use, e.g., its IP address, technical specification and uniquely identifying data; cookies and similar technologies we use to recognize you, remember your preferences and tailor the content we provide to you – our cookie policy [6] contains more details about how we use cookies.
Too vague, sorry. There are some issues, e.g., it's not concrete, technical specification and uniquely meaningful words; punctuation and similar problems so I can't actually follow the sentence properly – my profile [7] contains more details about how I'm interpreting the HTML.
Device and browser information received automatically
When you visit the Network or use our Apps, Stack Overflow automatically receives and records information from your browser or mobile device, such as your Internet Protocol (IP) address or unique device identifier.
What's a “unique device identifier”? A euphemism for browser configuration fingerprinting? A cookie you set? The serial number on the bottom of my laptop, learnt by asking the local unicorns really nicely?
Location information
When you use the Stack Overflow Network, and certain of our Products and Services, we collect location information about you, including your IP address, your location, browser information, and how you came to the Stack Overflow Network.
I am aware that location information includes “[my] location”. But you're not collecting my location; you're collecting some information that you're deducing my location from. (At least, I really hope that Stack Overflow isn't going to start requesting GPS traces…) What is that information?
I'm guessing it refers to the location field of the user profile, otherwise this doesn't make sense:
You may revoke our permission to collect some of this data, including your location and browser information through your Account Settings, but this may limit functionality in some cases.
Although I still don't know how to limit collection of my “browser information” (whatever that means); how can I do this?
We share this information with certain third-parties (e.g., talent recruiters, payment processors, and advertising providers) in order to provide you with our Products and Services.
Again with the “e.g.,”! I know at least one category not present: moderators have access to some of this information some of the time. Who else? GDPR says you need to give an exhaustive list of purposes, unless the ones not listed fall under one of the special exemptions (and even then you really should). “e.g.” is not generally sufficient for consent.
We collect information about the actions you take when using the Services. This includes your interactions with content, like voting, saving, hiding, and reporting. It also includes your interactions with other users, such as following. We collect your interactions with communities, like your subscriptions or moderator status.
… What? This doesn't describe Stack Overflow at all. What is going on here? (Is it copied and pasted from Reddit?)
Pages you view or search for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), your engagement with certain variable/dynamic elements of a page, and methods used to browse away from the page.
If this is “technical data”, then I'd really like to know what it is being used for.
Information collected from cookies and similar technologies
This section provides no information about the “similar technologies”. What are they? How are you using them, and why?
We may receive and process information about your location. For example, with your consent, we may collect information about the specific location of your mobile device (for example, by using GPS or Bluetooth).
That's an example? I didn't know the Stack Exchange app was even getting updates. It's also a little troubling that “with your consent” is under the “for example” section; does consent apply to all of the location data processing?
If you choose to connect with us through a social media platform, we may, through the social media platform connection, collect additional information from you, such as your usernames, profile picture, contact information, contact list, and the profile pictures of your contacts.
Sorry. I cannot consent to this. Literally; the law does not permit me, even though I understand exactly what it says. Does that mean I have to leave?
Information from third parties to help us to combat fraud, provide Services or that relates to your interactions, including your communications between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and share it with us.
Under what circumstances will you be communicating with other companies about me? This is seriously concerning me; I've given Stack Overflow information that I would not trust other companies with, and I don't know of any mechanisms to revoke your access to that information. (Come to think of it, I should know about those mechanisms, shouldn't I?)
We may combine the information we collect about you from the various sources described above.
Nope. No blanket “combine information”. How are you combining it? Some of this information, you're not allowed to combine without explicit consent! But it seems like you intend to do it anyway; why else would you (attempt to) give yourself the power to do so?
For statistical analysis (e.g., on the use of our websites).
Virtually everything you can do with data is statistical analysis. This is carte blanche to do whatever you want! I don't think I can even consent to that.
To operate and improve our websites and services.
What does this mean? (It probably has a legal meaning, given how many companies use it, but I don't know what that meaning is.)
To provide improved website and product experience and communications informed by your product subscriptions and/or data collected.
Again, what does this mean? “improved experience” is fairly vague.
Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. Examples include when we analyze what content has been viewed on our Network and apps, so that we can understand how they are used and improve our content; carrying out marketing analyses to better understand your interests and preferences so that we can make our marketing more relevant to your interests and preferences. This includes when we promote our own products and services.
That's not how this works. Legitimate interest only goes so far when talking about marketing analyses, and given the amount of data you wrote about collecting above? You aren't allowed to use all of it. So what data do you use under this basis?
We do not use your personal data on the basis of legitimate interest for activities where individuals’ interests override our interests.
How are you making this decision? (If you were clearer elsewhere, I wouldn't need to know this.) Do you even know what my interests are?
We use your information to provide and improve our Products and Services, for identification, verification, to provide support, for online and offline marketing, including through third party tools such as Google Analytics, and for general research and analytics reporting. We gain insights into which of our Products and Services you are using most, what you’re interested in, and to better enable you to use and access our Products and Services. For example, we provide an API with information that has already been made publicly available by users to enable users to more easily access and use our services. We have a legitimate interest in enabling and customizing your experience of our Product and Services offerings.
If “online and offline marketing” means what I think it means… No way do you have a legitimate interest in tying my online identity to a real-world one, or even to anything I do off the Stack Exchange network. I have formally objected via privacy@stackoverflow.com.
(Yes, I know you're not doing anything of the sort; I'm feigning outrage because you could. You're giving yourselves the power to do so, and who knows who'll be working at Stack Overflow in five years' time?)
Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures
Is this what the “statistical analysis” thing from earlier was? “Statistical analysis to help us manage our business” is narrower in scope, and while I still don't know what it means, it'd be good if you could tighten up the previous mention.
Also, is this statistical analysis just with non-identifying information (or, if analysing identifying information, such that the output of the statistical analysis cannot be interpreted in a way that includes identifying information)? If so (which I'm pretty sure it is in practice), please tighten that up too.
Where's the statistical analysis that moderators do? Unless “statistical analysis for business purposes” is ridiculously broad on a technicality (everything a business does is business purposes… maybe write “business administration purposes” or something?), mods aren't allowed to use some of the mod tools under this new privacy policy.
Updating and enhancing customer records
Updating, okay. Enhancing? What does that mean? (If this only applies to Teams etc. customers, I don't care.)
You haven't defined “customer”. Who is a customer?
Cookies and Similar Technologies
Still don't know what “Similar Technologies” are.
We will get consent through our online consent management portal, or via other consent mechanisms before we can use your personal data in this way.
As I (and others) have said before, your “online consent management portal” is not particularly consentful [8]. Is this a commitment to fixing it?
We also offer conversion pixels so advertisers can track conversions that happen within 30 days of an ad being served.
What is “track”, here? I can't work out how you would track this, so I can't work out how you're doing it, nor what data that entails.
We use Google Ads to display personalized ads to users. You can find out more or opt out by visiting Google's help center.
GDPR violation. Such things should be opt-in only. Unless this is part of the consent toaster, of course, but that only talks about cookies, so I assume not.
The way that Microsoft Advertising works is clearly described, and appears to be fine. They're right next to each other. This suggests that there is a problem with Google Ads.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
Which “personal data” are you sharing with which people? That's the important part, and it's missing.
Advertising partners – When you visit or interact with our websites, e.g., when you use the Public Network, we and authorized third parties will, with your permission, place certain cookies on your device and your account activity as described in more detail within our cookie policy.
You'll do what to my “account activity”? (I think you a word or two.)
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with contractual obligations which ensure adequate protection for your personal data.
You haven't clearly specified all of these purposes in the privacy policy, despite the broad swathing permissions given to Stack Overflow (not third-parties) by other parts. For instance, you seem to be a bit contradictory (or maybe just unclear) about the purposes for which advertisers may use my personal data; what are they?
We may carry out interest-based advertising through third party services such as Microsoft or Google, as described under Advertising, above. You can opt out of such advertising in the following ways:
GDPR violation. (I know, the state of the advertising industry sucks. Still a GDPR violation, as written.)
Geolocation information based on your IP address, or more specific location information if you authorize your device to provide it to us.
What systems do you actually have that collect specific location information like this? (And does this count passive authorisation, i.e. if the device responds to your API requests without the user's knowledge / consent?)
Inferences we make based on other collected data, for purposes such as recommending content, advertising, and analytics.
What inferences do you make? You have enough information, and the carte blanche, to make a lot of inferences, and you have not tied your hands in any way about this.
The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.
When did this go up? (Probably GDPR-related, as per Andrew Leach's comment [9].)
At present, I am unable to meaningfully consent to this change in privacy policy; much as I might like to, my hands are tied.
Yes, in case you were wondering, you have lost the benefit-of-the-doubt from me. It's nothing personal; those I know within the company would be among the first to object to some of the stuff this Privacy Policy lets Stack Overflow do. Nonetheless, you're a large, reasonably old company owned by a multinational conglomerate, and people who'd go to bat for us have been fired before.
[1] https://gdpr-info.eu/art-5-gdpr/
We will use your personal data in the following circumstances:
Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information.
So, basically, whenever?
It kind of feels like the update went in this direction:
By viewing this page, you implicitly agree to have this page examine your browsing history, including a visitation graph coordinated by Google analytics which has also been collecting information on your person via any third party profiles, and on your location via any positional meta data available; moreover, you also implicitly agree that the data, or generated graph which intersects here, may be sold or used to corporate advantage whenever that opportunity presents itself.
Children
The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.
Why did the lower age limit get raised from 13 to 16?
WE DO NOT AND WILL NOT SELL YOUR PERSONAL INFORMATION.
Well, that's good.
Stack Overflow uses data analytics to ensure site functionality and to optimize our Product and Service offerings to you. We use web browser and mobile analytics to allow us to understand Network and Apps functionality. In doing so, we record information including, for example, how often you visit the Network, how often you contribute content, Network and Apps performance data, errors and debugging information, and the type of activity you engage in while on the Network or in your use of our Products and Services. We may on occasion share this information with third parties with whom we have contracts for products and services to assist Stack.
Oh, but you can "on occasion share" my personal information. Which means...?
You may or may not have intended this interpretation, but you left the door wide open for exchanges of personal information that do not involve money changing hands. For a realistic example of this, nonprofits often trade mailing lists. Not "selling", but nonetheless, trading personal information (names, addresses, telephone numbers, email addresses) from one entity to another.
At a bare minimum, you should specify
The true purpose of a privacy policy is not to give corporations carte blanche to do whatever they want, and not to perform regulatory CYA. It's to give users a clear and accurate idea of what a corporation will and will not do with their personal information. This policy does not do that. I have more questions and concerns about what Stack will do with my personal information after reading it than I did before.
I've specific concerns with this part of things. As a moderator, and as a fairly active community member -
Children
The Stack Overflow platform is not intended for children. We do not knowingly offer this or any other Product or Service to anyone under the age of 16.
In its current form has a few things that have me uncomfortable. While I realise the lower floor for age is legally mandated, SE's always been clear that's the reason - and the TOS reflects that. Historically - and currently in the US (and as per our terms of service - that's 13, with 16 reflecting the upper bound/standard in the EU). As such - saying that "we don't knowingly..." might be a contradiction, and I'd rather have the wording here clarified to reflect this than lift the limit networkwide to fit whichever legal standard is the hardest to reach.
We also have many communities where younger folks might find a natural fit - say Arqade or Bricks - and the current wording essentially is a legal go-away. I'd also suspect it's entirely possible say, a 15-year-old might be mature enough to benefit from SO or SU (I built my first PC at 13), and live in a jurisdiction where using SO or other SE sites would be legal.
Rewording this to reflect that these limits reflect the local legal environment would be a positive step. If this is for the paid/commercial products primarily - it might be helpful to adjust the general privacy policy to reflect this - and leave the higher age limit in place there.
WE DO NOT AND WILL NOT SELL YOUR PERSONAL INFORMATION.
First, you don't need to shout at your users.
Second, you may elaborate on this statement. How do you imagine "will not sell" anything in future? Is this privacy policy version rock solid and final?
Third, there is a more detailed explanation in the policy text, which happens to be the opposite of a "WE DO NOT AND WILL NOT" statement:
If we choose to sell, transfer, or merge parts of our business or our assets, your personal data would be shared with such third parties as part of such a transaction.
Without any option to opt out of such a transaction, I would say the privacy policy tells us that SE/SO will sell everyone's personal data as soon as such a transaction happens, which is not so bad, but is actually the opposite of such a generous claim of not selling anything written in caps.
Correct me if I'm wrong (since there is no diff view as ben is uǝq backwards pointed out), but wasn't the EU privacy contact address in England only? Is this Netherlands address new and somehow connected to the acquisition by Prosus [1]?
[1] https://stackoverflow.blog/2021/06/02/prosus-acquires-stack-overflow/
EU Representative
The MD Stack Overflow GMBH HRB 234500
3 Frieslandstraat, Amsterdam,
privacy@stackoverflow.com, phone: +44 (0) 20 3349 1000
The "INTRODUCTION TO OUR PRIVACY POLICY" section defines
Personal data is any information about you by which you can be identified or be identifiable (either on its own or when combined with other information). This can include information such as: your name, email address and username; information about your device (e.g., IP address); and information relating to how you use and interact with our sites, apps and services.
Later, in the "Microsoft Advertising" section, there's (with the emphasis being mine):
We use Microsoft services (e.g., Bing) for personalized advertising purposes, including Match lists, user event tracking (UET) and retargeting. When we do this, Microsoft collects or receives Personal Data from us to provide Microsoft advertising. Your data can only be used by Stack Overflow and will not be shared with other parties. Where applicable, (for example, if you reside in the EEA or where EEA law applies), we will get your consent before we can share your personal data with Microsoft. You can find out more by visiting Microsoft Privacy Statements [1].
The second emphasized sentence appears to contradict the first one, in particular the first one states "Microsoft collects or receives Personal Data from us" and the second one states our data "... will not be shared with other parties". Also, I'm not sure why "Personal Data" is capitalized in the first emphasized sentence, unless perhaps it's meant to refer to the "official" definition I mentioned earlier. Regardless, this section of text seems to be first stating that Microsoft gets data from Stack Overflow to provide advertising, but then says the data can only be used by Stack Overflow and will not be shared with any others (note that Merriam-Webster's definition for shared [2] states "computing: accessible by more than one user or process", so Microsoft's access to the data means that data is being shared with Microsoft)! In addition to this possible contradiction, I'm also uncertain regarding what the purpose of that second sentence even is.
Note that further down, in the "WHO DO WE SHARE YOUR PERSONAL DATA WITH?" section's seventh bullet point, starting with "Advertising partners", it states
When we use Google Ads or Microsoft Bing Customer Match for advertising campaigns, your personal data will be protected using hashed codes.
Is the purpose of the second sentence I referred to earlier to imply that your data is not really shared or used by others, including Microsoft, due to it being "protected using hashed codes"? If so, I suggest this be made clear there. In any case, that part of the "Microsoft Advertising" section should be better explained, such as by adding a few appropriate adjectives (e.g., use "hashed Personal Data" and "Your unencrypted data"), possibly even completely removing that second sentence if it doesn't serve any useful purpose, etc.
[1] https://privacy.microsoft.com/en-gb/privacystatement
I really wish the "changes include" in the Question would list the meaningful changes. I've really only examined one section — WHO DO WE SHARE YOUR PERSONAL DATA WITH? — and it has some very significant changes. It's significantly more understandable and readable, but a number of bullets are completely new or substantially different. My commentary follows the quoted sections from the new policy.
We share personal data with:
- Companies within the Stack Exchange network.
This is new and is not defined anywhere that I can see. What's a company within the Stack Exchange network? Are there examples beyond Stack Exchange, Inc.?
- Third parties who provide professional services, including but not limited to accountants; banking, insurance and insurance broking services for us.
- Third parties we use to help deliver our products and services to you, e.g., payment service providers, payment processors, warehouses and delivery companies; cloud service providers, e.g., Microsoft Azure, service providers that help us carry out certain tasks, including order fulfilment, customer service providers, maintaining technology and related infrastructure, serving and targeting ads, measuring performance, managing and analysing research, email distribution, managing marketing e.g., Marketo and promotions and surveys.
Possibly covered in previous policy as the catchall "third parties who provide services to Stack Overflow, such as payment processors, email delivery services, software providers, advertising providers and when we enter into product integrations with Software providers."
- Third parties that we partner with to deliver products and services, including certain marketing and features to you, such as Employer Branding; and Collectives on Stack Overflow (please read the Collectives Privacy Notice).
Completely new (and actually called out in the Question by Philippe above, so bravo on that).
- Advertising partners – When you visit or interact with our websites, e.g., when you use the Public Network, we and authorized third parties will, with your permission, place certain cookies on your device and your account activity as described in more detail within our cookie policy. We use this information to serve you certain advertising content. We also partner with other third parties, such as Google Ads and Microsoft Bing, to serve advertising content and manage advertising campaigns. When we use Google Ads or Microsoft Bing Customer Match for advertising campaigns, your personal data will be protected using hashed codes. Google users can control the ads that they see on Google services, including Customer Match ads, in their Google Ads Settings. More information on how to control your account settings or to opt out of direct marketing campaigns can be found under Your Choices section. You can also opt out in your Profile Settings.
The latter half specifically naming Google Ads and Microsoft Bing is new, as is the "data will be protected using hashed codes"... unclear what that actually means.
- Event sponsors and partners – we may share your personal data with sponsors of Stack Overflow events and partners whom we hold events with for marketing purposes when you have given your permission for us to do so. Other third parties approved by you, e.g., third parties that run our Developer Survey, social media sites you choose to link your account to or third party payment providers. We may make available APIs to enable users to download publicly available information from our websites.
While the developer survey was named before, this now expands it to an example of a general case. Events do not exist in the old privacy policy.
The way this is written, it seems to imply the policy change has taken place right away (as it mentions September and that month is almost over). However, the standard way of handling a change in these sorts of policies is to give notice days ahead, and to tell people they can opt out of the change by closing their account (or some other method).
I agree with others that email is the standard means to inform people of such policy changes. I would suggest having it be a notification. Those will automatically be sent to email if the person doesn't read them within a certain period of time.
I never dismissed the notice for the Privacy Policy. It seems to be gone now. How long is a notice like this meant to be up for, and what would be considered a "reasonable" amount of notice?
Some stuff I noticed (emphasis mine):
If you choose to connect with us through a social media platform, we may, through the social media platform connection, collect additional information from you, such as your usernames, profile picture, contact information, contact list, and the profile pictures of your contacts. Similarly, the social media platforms may collect information about your interaction with our Products and Services.
We use Microsoft services (e.g., Bing) for personalized advertising purposes, including Match lists, user event tracking (UET) and retargeting. When we do this, Microsoft collects or receives Personal Data from us to provide Microsoft advertising. Your data can only be used by Stack Overflow and will not be shared with other parties. Where applicable, (for example, if you reside in the EEA or where EEA law applies), we will get your consent before we can share your personal data with Microsoft.
The part about the legitimate interests for using our data has been changed from
Where it is in our legitimate interests, or that of a third party to carry out the processing.
to
Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. Examples include when we analyze what content has been viewed on our Network and apps, so that we can understand how they are used and improve our content; carrying out marketing analyses to better understand your interests and preferences so that we can make our marketing more relevant to your interests and preferences. This includes when we promote our own products and services.
Some users have provided more information to the company than the site usually accepts. For example phone number and home address are needed to receive gifts from SO.
Is it possible that such information will be used outside of its initial purpose?
For example can it be shared with advertising partners?
Currently I see no restrictions on it. So if I'm not missing something, it would be nice to add a limitation.
One thing I didn't understand reading either the previous or the current version of the Privacy Policy is whether access to some functionalities that don't have an explicit URL is logged.
I even asked about this twice, on separate occasions to staff members. And I think the description and explanations they gave were clearer than the way it's currently described in the Privacy Policy.
In "A deeper dive into the May 2019 security incident: blog post feedback" [1], I asked:
Can you explain more clearly what "publicly accessible properties" means in the below quote?
To which Dean Ward answered:
Any website or service that is routable from the public internet
In "We’re adding more user controls for cookie consent" [2], I asked:
What cookies are necessary for the red dot to work on Custom Filters?
To which Des answered:
Custom filters don’t use cookies. For a given filter, we store the "last viewed" timestamp as well as the timestamp of the most recent post activity in Redis. We compare the two to determine whether to show the red dot.
Because of the way the Privacy Policy is written it only focuses on URLs but in some cases (and for some users) it isn't obvious there's an address behind a specific functionality. So you're left wondering...
Examples of actions that are probably logged where it isn't obvious you are using a URL:
The Privacy Policy seems to describe these only as URLs without being more explicit.
Information that you give to us
Actions you take | We collect information about the actions you take when using the Services. This includes your interactions with content, like voting, saving, hiding, and reporting. It also includes your interactions with other users, such as following. We collect your interactions with communities, like your subscriptions or moderator status. |
Information we generate or collect automatically through your use of our services or via our IT systems
Log and usage data | Information about your visits to our sites, including the full URL clickstream to, through and from the sites (including date and time); |
So I think the Privacy Policy should be rephrased to be explicit about the logging, or not, of these less obvious functionalities.
[1] https://meta.stackexchange.com/q/359989
Many great criticisms in the answers here... the change that makes me feel ill... and shows the corruption of this network is the simple change from
Internet sites and other applications for questions and answers,
to
Internet sites and other applications for asynchronous collaboration and sharing knowledge,
I do love a good 'asynchronous collaboration' when looking to 'share knowledge'. A good old AC&SK session I call it!
- is for unnecessary verbosity (8411 words, 53634 characters). Much of the excess verbiage comes in restating how users may use the network. But, the policy and updates are refreshingly clear and fair from an unpaid user account standpoint. (there is a bit of vagueness in the "How we may use ..." section, a large part of which can't be avoided) Kudos. - David C. Rankin
- HOW WE USE YOUR PERSONAL DATA... Where it is in our legitimate interests, including our commercial interests or a third party’s legitimate interest in using the personal information. - akaBase
- and technologists, which was added to line 9? Might more things be missed by the diff? - ᴠɪɴᴄᴇɴᴛ