Privacy policies: those small letters that protect my data… or not?

When creating a user to use an app or registering for a subscription to a website, we usually find ourselves with a final step: accepting the privacy policies with the typical legend, “I have read and accept the privacy policies.”

As users, we tend to go through this last step quickly, accepting the privacy policies so that we can –at last!– access what we were looking for, which is the use of the app or the content of the website. However, how often do we take the time to read the privacy policies we accept without hesitating? The answer will probably be in very few or even in no cases.

What do these privacy policies say? What are they for? What am I accepting?

The privacy policies are the rules that the person in charge of collecting the data must follow for its use. These policies will establish what information is obtained, retained, and handled; with whom; why; and for what, among other issues.

Any person or institution that collects data must request the prior consent of the owner of the data. This consent must be granted expressly, which users do when clicking on the option “I have read and accept the privacy policies” referred to at the beginning of this article.

Paraguayan legislation establishes that any person can collect, store, and process personal data strictly for private use. Therefore, publicizing or disseminating sensitive data of people who are explicitly individualized or can be individualized is prohibited. However, regulations on this matter lack a proper update.

Data protection is regulated more profoundly on an international level. The most recognized instrument on the subject is the “General Data Protection Regulation” (or GDPR, according to its English acronym). The GDPR is a European instrument on the protection of individuals with regard to the processing of personal data and its circulation, used not only in Europe but also in several other countries around the world.

The standards found in the GDPR are being replicated in modern legislation in Latin America legislation, seeking more ample protection of user data.  Further, legislative trends point to companies making their policies more user-friendly, so users can read and be aware of what is done with their data.

Taking into account these international standards, the questions that –as a minimum– any privacy policy should answer are:

– What data will be obtained?

– What will they do with my data?

– Where will they be stored?

– How do these policies affect me?

– Who has access to my data?

– What is the role of the person collecting this data?

– How long will they have access to my data?

The person who is collecting this data must include all this information in the respective privacy policies.

It is worth noting that once a user accepts the privacy policies, they consent to the use of their data according to the conditions of the respective privacy policies.

This is why it is essential to read the “small letters” since they will regulate the use of a right that is gaining increasing relevance and whose inadequate protection can be very damaging to its holders.

For more information on data protection and privacy policies, contact Gabriela Melgarejo (, from Altra Legal.