Privacy Washing
Companies have mastered the art of sounding privacy-first while quietly doing the opposite. It's time we learned to tell the difference.
"We respect your privacy."
The same sentence appears on the homepage of companies that sell behavioural data to hundreds of ad-tech partners. That sell your inferences — your health, your politics, your financial stress — without ever mentioning that inference happens. That design consent flows to exhaust you into clicking accept.
This is privacy washing. It is rarely malice. Often it is just the gap between what legal approved, what marketing published, and what engineering actually built.
Here are fourteen ways it happens — and what's actually behind the language.
1. Dark patterns in consent
Cookie banners where "Accept All" is a bright primary button and "Reject All" requires three clicks through a labyrinth of toggles. Pre-ticked boxes. Consent dialogs that reappear until you click accept. Consent fatigue is not a bug — it is the feature. The goal is a liability shield, not an informed choice.
2. Vague claims that are technically true
"We never sell your data" — technically accurate. The data is freely shared with advertising partners under a commercial arrangement that is not called a sale. Data clean rooms, "aggregate insights," and "service providers who process on our behalf" all transfer the same value without triggering the same scrutiny.
3. Policy theatre
A 47-page privacy policy written to satisfy regulators, not inform users — paired with a sleek "privacy first" campaign on social media. Carnegie Mellon researchers (McDonald and Cranor, 2008) estimated that reading every privacy policy a person encounters in a year would take 76 work days. Complexity IS the privacy policy.
4. Selective scope
Announcing end-to-end encryption on messages while collecting extensive metadata — who you talk to, when, how often, from where. The content is protected. The pattern is not. Often the pattern is more revealing than the content.
5. Certification signalling
ISO 27001 and SOC 2 are security frameworks: a certificate or attestation report says that controls exist to protect data from external threats and unauthorised access. A GDPR compliance badge signals the minimum legal bar. None of them says anything about whether collecting that data in the first place was appropriate, or whether the user would have agreed to it had they understood it.
6. The anonymization fiction
De Montjoye et al. (2015) showed, on three months of credit card metadata with names and card numbers removed, that four spatiotemporal points (the date and shop of four purchases) uniquely identify 90% of people. The word "anonymized" has been stretched so far from its technical definition that it is functionally meaningless. Most data labelled anonymous is pseudonymous at best: the name is removed, but the fingerprint remains.
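To make the uniqueness argument concrete, here is an added example (not code from the original post or from the cited paper) that runs the same kind of measurement on a constructed, pseudonymised transaction table: direct identifiers are gone, each row is just a pseudonym, a day and a merchant. `uniqueness_given_k_points` computes, exactly rather than by sampling, the probability that k of a person's own points single them out, and `reidentify` is the attacker's step: four points learned from outside the dataset (a receipt, a social media post, a loyalty card) are enough to recover the pseudonym and with it every other row. The pseudonyms, merchants and days are invented; the code generalises to any point set of the same shape.

```python
from fractions import Fraction
from itertools import combinations

# Constructed pseudonymised transaction metadata (pseudonym, day, merchant).
# No real people; the names are removed, the pattern is not.
RECORDS = [
    ("u1", 1, "grocer"), ("u1", 2, "pharmacy"), ("u1", 3, "cafe"), ("u1", 4, "gym"),
    ("u2", 1, "grocer"), ("u2", 2, "pharmacy"), ("u2", 3, "cafe"), ("u2", 4, "bookshop"),
    ("u3", 1, "grocer"), ("u3", 2, "pharmacy"), ("u3", 3, "clinic"), ("u3", 5, "bar"),
    ("u4", 1, "grocer"), ("u4", 2, "hardware"), ("u4", 3, "petrol"), ("u4", 6, "cinema"),
]


def by_user(records):
    """Group rows into {pseudonym: set of (day, merchant) points}."""
    users = {}
    for pid, day, merchant in records:
        users.setdefault(pid, set()).add((day, merchant))
    return users


def _matches(users, points):
    """Pseudonyms whose record contains every one of the given points."""
    known = set(points)
    return {pid for pid, pts in users.items() if known <= pts}


def reidentify(records, known_points):
    """Attacker step: link outside knowledge (a few dated purchases) to a
    pseudonym. A single result means the whole record is now attributable."""
    return _matches(by_user(records), known_points)


def uniqueness_given_k_points(records, k):
    """Exact probability that k points drawn without replacement from a random
    person's own record identify that person uniquely, averaged over people.
    Enumerates every k-subset, so it is exact on small tables; de Montjoye et al.
    estimated the same quantity by sampling on 1.1 million cardholders."""
    users = by_user(records)
    total, counted = Fraction(0), 0
    for pts in users.values():
        combos = list(combinations(sorted(pts), k))
        if not combos:          # person has fewer than k points; skip them
            continue
        unique = sum(1 for c in combos if len(_matches(users, c)) == 1)
        total += Fraction(unique, len(combos))
        counted += 1
    return total / counted


if __name__ == "__main__":
    for k in range(1, 5):
        p = uniqueness_given_k_points(RECORDS, k)
        print(f"k={k}: P(unique) = {p} ({float(p):.2%})")
    # Four points learned from outside the dataset pin down one pseudonym.
    outside = [(1, "grocer"), (2, "pharmacy"), (3, "cafe"), (4, "gym")]
    print("reidentified:", reidentify(RECORDS, outside))
```

On this toy table one known point identifies a person 44% of the time, two points 71%, three points 88% and four points always; the curve on real data is flatter at the start but reaches the same place, which is why "we removed the names" is not an anonymisation claim. The same function is the check to run before calling an export "anonymous": if `uniqueness_given_k_points` is high for small k, the data needs generalisation or aggregation, not a new label.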
7. The inference gap
Privacy policies disclose what data is collected. They rarely disclose what is inferred from it. You consent to your transaction history being collected. You did not consent to your religion, health conditions, reproductive status, or financial stress being inferred from basket composition. These inferences are personal data under GDPR, and several of them (health, religion) fall into the special categories of Article 9, which need an explicit legal basis of their own. Most policies don't mention them.
8. Security ≠ privacy
A company can have perfect security — nobody hacks in — and zero privacy: it collects everything, infers everything, shares everything. Being GDPR compliant and being privacy-respecting are not the same thing.
9. The AI training data problem
"We use your data to improve our services" used to mean A/B testing. In the AI era it means your conversations, disclosures, and behavioral patterns train models sold to enterprise customers. You were a training example. That is a fundamentally different relationship to your data than "improve your experience" implies.
10. Model-based exfiltration — the threat nobody is watching for
Enterprise DLP tools watch for data movement. There is a newer vector.
11. Geographic arbitrage
A company with strong privacy practices in the EU (legally required) and weak practices everywhere else (legally permitted) is not a privacy-respecting company — it is a compliance-minimizing one.
12. Privacy commitments don't survive acquisition
WhatsApp 2014: "Respect for your privacy is coded into our DNA." WhatsApp 2016: data sharing with Facebook enabled. Privacy policies bind a company at a point in time. They do not bind the company's successor.
13. Remediation theatre
The standard breach response addresses the symptoms of a privacy incident while leaving the underlying data collection intact. What is almost never said: why we collected this data in the first place, and what we are changing about collection — not just security.
14. The incentive structure
Privacy washing persists because the incentive to perform privacy is stronger than the incentive to practice it. Problems prevented are invisible. Problems discovered post-launch are not. Until the cost of the gap becomes visible — through enforcement, informed users, or engineers who know what the pipeline actually does — the performance will continue.
The common thread across all fourteen points is the gap between privacy as marketed and privacy as practiced. None of this requires malice; it requires only that nobody compare the campaign with what the pipeline actually does.
When you do, what you find is instructive.
#Privacy #DataPrivacy #AIPrivacy #PrivacyEngineering #DataGovernance #GDPR #Cybersecurity
Why should professionals care?
If you work in product, marketing, legal, or tech — you are either perpetuating privacy washing or actively preventing it. There's rarely a neutral position.
Regulators are sharpening their tools. The EU's GDPR enforcement is maturing, the UK's ICO is becoming bolder, and US state-level privacy laws are multiplying. Privacy washing is no longer just a reputational risk — it's increasingly a legal one. Fines in the hundreds of millions are now a real outcome, not a hypothetical.
Beyond compliance: trust, once broken, is extraordinarily expensive to rebuild. A single investigative article exposing the gap between a company's privacy claims and its actual practices can undo years of brand investment.
What does genuine privacy look like?
I am a big fan of Apple's privacy posture.
Real privacy commitment has a few telltale characteristics. It shows up in product decisions that cost something — where the privacy-respecting option required saying no to a revenue stream. It's expressed in plain, honest language that a non-lawyer can read and understand. It involves meaningful user control: defaults set in users' favour, not the company's.
It also involves accountability. Organizations serious about privacy publish transparency reports, conduct independent audits, and give their data protection officers genuine authority — not just a title.
Real privacy shows up when it costs the company something. Marketing privacy when it's free is easy. Protecting it when it isn't — that's the test.
A challenge for all of us
Ask the uncomfortable questions. When your company launches a privacy campaign — who wrote the privacy policy and was it reviewed for plain language? When you add a new analytics tool — did anyone ask what data it collects and where it goes? When your cookie banner was designed — was consent genuinely the goal, or compliance theatre?
Privacy washing thrives in the space between marketing and engineering, between legal and product. The professionals who close that gap — who insist on coherence between what companies say and what they build — are the ones driving real change.
The question isn't whether privacy matters. Everyone agrees it does. The question is whether you're willing to make it matter when it's inconvenient.