
Redoing the Privacy Policy

After five years of "annual reviews" of the blog's privacy policy, it is probably about time to do it properly and actually review the policy, rather than thinking "doing it the first time was a PITA, let's just pretend it is still fit for purpose" and rolling the review over till next year. Even this year's review has been waiting three months for me to get a round tuit.

The last time I really expended any effort thinking about the privacy policy was when I wrote it in the first place. I have already covered that, but the tl;dr is that I made a franken-policy cobbled together from a variety of different sources, mostly because there is zero budget for this and because the whole blog is run on Google Blogger. They take care of the cookie information, and the data they collect is why the platform is free.

To properly review the policy, or as close to properly as I can achieve, I would need to: retread my path and collect a bunch of policies from different sources; read a slew of turgid web pages/blogs on the latest topics in privacy policy; try to work out if anything has changed in the intervening five years; and then update my policy accordingly. You can see why I have been dodging this particular task…

But, over the last five years, something else has been happening. There is a new tool set available that has read every privacy policy on the planet, as well as all the web pages/blogs on privacy, and will happily analyse, correct and regurgitate a written policy at speed. Enter AI (fingers crossed) to "do the boring bit, so you don't have to." We have two options: either throw out the whole thing and ask for a full AI rewrite, or use AI to analyse and correct/improve the current policy.

Starting with the second option, on the (possibly misguided) basis that I am not a complete idiot, I'll try to do some analysis and correction first and then use AI to construct some de novo policies. Both approaches, theoretically, should arrive at a similar end point. I hope they do, as I have no criteria for judging whether any particular policy is good or bad beyond what seems reasonable to me (and experience suggests that isn't always a good yardstick).

Before I let AI loose on the current policy, let's get an expert to review it.

Iubenda offers a free analysis tool for policy pages, almost certainly using its own AI (probably fine-tuned to give a response unclear and complicated enough that you throw your hands in the air and purchase their services). It came up with eighteen issues, eight marked Attention Required and a further eleven as Needs Your Input. The first four issues were to do with the cookie banner that pops up when you first visit the site; as this is handled by Google, we can ignore them. The next two were to do with something called the IAB Europe Transparency and Consent Framework, but again this concerns cookies and Google handles them. The biggest gaps were in the third-party services that the blog uses: Google Domains has shut down and the domain was transferred to SquareSpace; Google has altered its Analytics service and added a reCAPTCHA and (bizarrely) a Fonts service; Blogger and AdSense remain. These all need to be updated. Next were two issues with the Cookie Policy, which I don't have as a separate document, but which is included within the privacy policy. The next four were to do with the privacy policy itself, the first of which claimed that I didn't have one, which is plainly wrong. The other three were suggestions for adding more information, some of which I'm pretty sure is included in the policy already. The next two issues concerned consent records, also taken care of by the third-party services, and the final two were to do with Terms & Conditions, which I don't have and don't plan to unless necessary.

So, let's throw the current policy into an AI (Google Gemini 3.5 Flash with Extended thinking) and see what comes out. Within 10 seconds it had identified three major compliance gaps (US state privacy law expansion beyond CCPA; the "Do Not Sell or Share" requirement; the advent of Global Privacy Control), a couple of technical issues (Google Analytics 4 alignment; data retention wording) and three typos. I then asked it to make the corrections, and another 10 seconds later I had the result in hand. Overall it was similar, as to be expected, but better, as anticipated. However, it had missed some of the services that Iubenda had picked up, so I manually added these in and passed the baton on to ChatGPT.

ChatGPT from OpenAI looked at the updated text and found 14 more issues it didn't like. As with Gemini, I asked it to make the changes and output the text and, after three prompts, I got the entire policy rather than just the suggested alterations. It had radically cut down the policy from 2,455 to 944 words. Quite a bit of a change, then.

But which one to choose? ChatGPT's reasoning had seemed quite a bit more in-depth than Gemini's, but Gemini's output was the easier of the two to obtain. However, as discussed above, I am not placed to decide which is better.

Then it struck me. If I started with a gold-plated privacy policy, say the one from Iubenda's own website, then it stood to reason that the AI suggesting the fewest changes would probably be doing better. So I submitted the 16,293-word Iubenda privacy policy to Gemini for suggestions, garnering six issues (actually more than my policy). I also gave it to ChatGPT, which gave it 8.5/10 (I got 7.5/10) and, like Gemini, found issues with AI compliance, UK-specific wording and child privacy statements. So no one is perfect, I guess. If I were feeling like stirring the pot I might contact Iubenda and inquire about the issues raised, but I can't gather much enthusiasm for this topic as a whole.

Ultimately there wasn't much difference between the two AIs in the number and range of problems identified. So, after some rumination on the principle that less is more, I decided to go with the ChatGPT draft, after putting it through Gemini again just to be on the safe side.

To complete my trial I tried asking the AIs for a privacy policy from scratch, simply giving them the type of site and the names of the services used on the website. But I found that the outputs were very dependent on the initial prompt I used and were a bit thin. They could probably have been improved by a few rounds of polishing with more information and prompts, but as my main goal was not to have to develop any expertise in this topic, that would have defeated the point of the exercise.

Overall, instead of a week, the policy review took about a day, and some of that was deciding how to approach the task with the AI tools. Next time I think it should only take a couple of hours (plus the AI will have got exponentially smarter by then).

Is the policy perfect? Definitely not.
Is this approach suitable for a commercial enterprise or a profitable site? No.
Is it useful for a tiny, badly-run blog? Well, it is going to have to do.
