Privacy 101: Understanding Privacy Policies, Cookies & More

What is a privacy policy?

The document that explains what companies do with your data

A privacy policy is a legal document that tells you how a company collects, uses, and shares your personal information. By law, any company that collects data has to have one. That doesn't mean they're easy to read.

The average policy is 2,400 words. Most people skip them entirely. We do too. That's why bndries reads them for you and tells you what actually matters in seconds.

What they're required to disclose

Under regulations like the CCPA (effective January 2026), companies must tell you:

What categories of data they collect (name, email, location, browsing history, etc.)
Where it comes from (directly from you, data brokers, other companies)
Why they're collecting it (advertising, analytics, fraud prevention, product improvement)
Who can access it (advertisers, service providers, partners)
How long they keep it before deleting
Your rights (you can ask them what they have, delete it, or opt out of selling)

Why they're hard to read

Privacy policies are written for legal compliance, not clarity. They use technical terms like "share with partners for advertising purposes" instead of plain language. Important details often appear in subsections or footnotes. The length and structure make it hard to find what actually matters to you.

What changed in 2026

The CCPA updated on January 1, 2026 with stricter rules on "sensitive" data like biometric information and health data. Companies now need explicit consent to use sensitive data for anything beyond providing their core service. The bar for what counts as sensitive also got higher, which is good for you.

What is terms of service?

The contract you accept when you use a service

Terms of Service (ToS) is the legal agreement that kicks in when you click "I agree." It's a binding contract between you and the company that sets the rules for how you can use their service.

Unlike privacy policies, which are about your data, terms cover your behavior and the company's rights. They're equally important and equally legally binding once you accept them.

What's usually in there

Rules for how you can use the service (and what'll get you banned)
Your responsibilities (keeping your password safe, not posting illegal content)
What the company can do to you (suspend your account, change the service, update the terms whenever they want)
Limits on their liability (they're not responsible if something goes wrong)
How disputes get resolved (arbitration clauses, class action waivers, where you can sue)

Why they matter

Most ToS include arbitration clauses, which means if something goes wrong, you can't sue them in court. You have to go through private arbitration instead, which is usually faster and cheaper for companies but slower and more expensive for you. Some also have class action waivers, meaning you can't join lawsuits with other users.

What are cookies?

Tiny files that track what you do online

Cookies are small text files that websites store on your device. Some are essential, like remembering you're logged in. Others exist solely to track you across the web and sell that information to advertisers.

You've probably seen cookie banners asking for permission. Most people click "Accept all" without reading. That's the point. Sites design these banners to make accepting easier than declining.

Types of cookies

Essential cookies are required for the site to work (keeping you logged in, processing payments). You can't opt out without breaking the site.

Analytics cookies track your behavior to help companies understand how people use their site. Google Analytics is the most common. They're aggregated but still build a profile of you.

Advertising cookies follow you across different sites to build a profile of your interests. Advertisers use these to show you targeted ads based on everything you've viewed or bought.

Third-party cookies are set by companies other than the one running the website. Google, Meta, and other ad networks set these on thousands of sites simultaneously to track you globally.

The 2026 landscape

In April 2025, Google reversed its plan to remove third-party cookies from Chrome, the browser 63% of people use. That means tracking cookies are still going strong. Safari and Firefox block them by default, protecting about 30% of users. Everyone else sees cookie banners on nearly every site.

Companies have also moved beyond cookies to harder-to-block tracking methods like localStorage and browser fingerprinting. bndries watches for when the services you use add new tracking, so you don't have to.

What is a tracking pixel?

An invisible tracker that watches your actions

A tracking pixel is a tiny, invisible 1x1 pixel image embedded in websites or emails. When it loads, it sends data about you to a tracking server. You can't see it. You'll never know it's there. But it's one of the most effective ways companies track you.

Pixels work by logging your IP address, browser info, and any cookies set by that tracking company. They can also capture what's in your shopping cart, the page you're on, or even your email address through JavaScript. Then that data gets matched across thousands of sites to build a complete profile of your browsing and buying habits.

Who's tracking you with pixels

Meta Pixel is on about 20% of websites. It tracks everything you do online and connects it to your Facebook profile so Meta can target you with ads.

TikTok Pixel is growing fast on e-commerce sites. It collects your browsing and purchase data to build audiences for TikTok ads.

Google Ads conversion tags track when you complete actions (purchases, signups) across the web. Used for remarketing and conversion measurement.

Email tracking pixels tell senders exactly when you opened an email and from what device. Used by sales teams and marketers.

Analytics pixels track pageviews and behavior for the site's own analytics dashboard.

Why pixels are hard to block

Unlike cookies, pixels load automatically with page content. About 31% of people use ad blockers that can catch some pixels, but many still slip through. Companies have also moved to server-side tracking methods (using APIs instead of pixels) which are even harder to detect or block.

Gmail and Outlook block external images by default, so some email pixels don't fire. But website pixels run silently with no way to refuse them.

bndries watches for when the services you use add new tracking pixels, so you'll know if they start watching you.

What is data selling?

When companies trade your information for money

Data selling happens when a company exchanges your personal information with others for money or other benefits. Your email, browsing history, location, purchases, demographics, health interests. All of it has value to someone else.

Data brokers are companies whose entire business is collecting and reselling personal information. They buy from retailers, banks, apps, and websites. Then they repackage it and sell it to advertisers, insurers, employers, and others. In 2026, the industry remains largely unregulated at the federal level, though some states now require brokers to register and let you opt out.

How data selling actually works

Retail data sales: You buy something online or give your email at checkout. That retailer may sell your info to brokers, competitors, or advertisers.

Brokerage sales: Data brokers create targeted segments like "women 25-34 interested in fitness" and sell those lists to advertisers.

Aggregated data sales: Your data gets combined with millions of others and sold as population-level insights or behavioral patterns.

Credit data: Equifax, Experian, and TransUnion maintain files on nearly every adult and sell this data to lenders and employers.

The "sharing" vs "selling" game

Companies love to claim they don't "sell" your data. They say they "share with partners," "work with service providers," or "monetize through advertising." But the distinction is meaningless. Whether it's called selling, sharing, or partnering, your data ends up in the hands of third parties who use it to profile and target you. You don't get paid. You don't get a choice. And often you don't even know it's happening.

If a company receives money or value in exchange for sharing your data (even if it's just better ad revenue for them), they're benefiting from data sales. bndries watches for when services add data selling to their policies, so you'll know.

What is third-party data sharing?

When your data goes to other companies

Third-party sharing is when a company gives your data to other organizations. It's different from data selling because money doesn't always change hands. But your information still leaves and gets used by others, often without you knowing or agreeing.

When you use a service, you probably assume your data stays with that company. It doesn't. Your information flows to payment processors, analytics platforms, advertisers, and dozens of other companies. Some of this sharing is necessary. Most of it isn't.

Who gets access to your data

Service providers: Payment processors (Stripe), email platforms (Mailchimp), and cloud services (AWS) need your data to do their job. This sharing is usually necessary but expands who has access to your info.

Advertising networks: Your behavioral data goes to Google, Meta, and other ad networks so they can show you targeted ads and build profiles of you across thousands of sites.

Analytics providers: Google Analytics, Mixpanel, and Amplitude receive data about your behavior to help companies understand users. They also use that data across their entire customer base.

Parent companies: Meta shares data across Facebook, Instagram, WhatsApp, and Threads. Google shares across Gmail, YouTube, Drive, and Maps.

Business partners: Co-marketing partners, affiliates, and strategic partners get your data for cross-selling or joint projects.

Data enrichment services: Companies like Acxiom and Experian add your data to other sources to create more detailed profiles, which they sell to marketers.

Necessary vs optional sharing

Some sharing is genuinely necessary. A website can't process your payment without sharing your info with payment processors. But most third-party sharing is optional. Companies choose to share with advertisers and analytics providers because it helps their business, not because they have to.

The problem is there's no opt-out. You might decline non-essential cookies in a banner, but your data still goes to payment processors and analytics tools automatically. Companies bury the details in their privacy policies and don't clearly distinguish between necessary and optional sharing.

bndries tracks which third parties have access to your data and alerts you when new ones are added.

What is facial recognition?

Technology that identifies you by your face

Facial recognition analyzes your unique facial features to identify or verify who you are. It's one of the most sensitive types of biometric data because your face is something you can't change. And it can be captured without you knowing.

Once your face is captured and analyzed, it can be matched across platforms and physical locations to track you. Unlike cookies or email addresses, you can't change your face. This data is permanently identifiable.

How it's being used in 2026

Photo auto-tagging: Facebook, Google Photos, and Apple use facial recognition to tag faces in your photos and suggest who to tag in posts. This builds your digital identity within their platforms.

Device security: iPhone Face ID, Windows Hello, and Android face unlock use facial recognition to authenticate you. These systems usually process data locally on your device, not on servers.

Age verification: Retailers and online services estimate your age for age-gated content (alcohol, tobacco, gambling). The accuracy is controversial and often fails for certain demographics.

Retail tracking: Stores use facial recognition to identify repeat customers, track shopping patterns, and send targeted offers. You get a detailed profile without knowing it.

Law enforcement: Police match faces against driver's license and mugshot databases. Private databases like Clearview AI have scraped billions of photos from the internet to build surveillance tools.

Ad targeting: Some ad networks experiment with facial recognition to estimate demographics and emotional state from device cameras to improve ad targeting.

Where the data comes from

Social media is a massive source of facial recognition training data. Viral trends like "2016 vs 2026" photo comparisons and fitness transformation posts gave tech companies millions of labeled facial images across different angles, lighting, and ages. These datasets train facial recognition models. Once trained, these models can identify faces in real-world settings with increasing accuracy.

What regulations exist

Facial recognition is classified as biometric data in many states, which means stricter rules apply. Illinois, Texas, and Washington all require explicit consent before companies collect facial data. But federal regulation is fragmented, and enforcement varies. Many companies collect facial data claiming it's for photo organization, while actually using it for ads or law enforcement. bndries alerts you when a service adds facial recognition to their features or policies.

What is AI training on user data?

When your content teaches AI systems

AI training on user data means using your posts, photos, messages, and behavior to teach artificial intelligence systems. Your content becomes training material for language models, image generators, and recommendation algorithms. Companies develop these models, improve them, and sometimes sell them to others. You get nothing.

This is one of the fastest-growing and least-understood forms of data use. Most people don't realize their content is being used this way. And most platforms don't make it easy to understand or opt out.

What data gets used for training

Public posts: Everything you write publicly trains language models to generate human-like responses.

Photos and videos: Your visual content trains image recognition and generative AI systems. Even metadata (faces, locations, objects in your photos) is used.

Interactions and behavior: How long you read posts, what you like, what you click trains recommendation algorithms that predict what you'll engage with.

Voice and audio: Voice features in apps train speech recognition and voice synthesis models.

Private messages: Most major platforms claim private messages are excluded. Some smaller services and older policies do include them.

Meta's December 2025 expansion

On December 16, 2025, Meta announced they're now using all public posts and interactions on Facebook, Instagram, and Threads to train their AI models. This includes language models and includes both new content and historical posts.

Here's the important part: you can't opt out if you want to use the platform. Meta made it mandatory. If you post publicly on Meta's platforms, your content is automatically used for AI training. Private messages are excluded, but anything marked "public" is fair game.

Meta uses this AI for features like AI assistants and content generation. They also license AI capabilities to other businesses, so your content might indirectly contribute to systems you never interacted with.

What other platforms do

Meta: No opt-out for public content.

X (Twitter): Some opt-outs available, but control is limited.

YouTube: Limited opt-out options. Most public videos are used for training.

OpenAI (ChatGPT): Not trained on private data. Some opt-outs available for websites.

Claude (Anthropic): Explicitly excludes social media content from training.

TikTok, Google, and others have their own policies. The opt-out options vary widely.

Why this matters

When your content trains AI, you lose control. Your writing style might be replicated for spam or misinformation. Your photos might train image generators. Your behavior patterns might train systems that manipulate others. You get no compensation, even when companies commercialize the AI trained on your content. And you'll never know exactly how your data was used.

The only way to completely avoid this is to not post on platforms with AI training policies. If you do post, check the platform's current policy and understand what's in scope (public vs. private). bndries monitors when services add AI training clauses, so you'll know before you post anything else.

Privacy 101.