I should have been a bit more clear. We should ban retention for any purposes where it is not explicitly required for the intended function and clearly agreed to by all parties. Think somethig like strava or asset tracking. You know it stores gps data, and why.

if it were up to me i’d require a hand signed contract that explicitly, up front and in plain english gives permission and is not transferable to any “partners”.

Right, privacy terms are written to be vague and permissive. Even if you read them you can’t usually understand how the data will be used or opt out.

Instead of “I accept”, you’re given a quiz