As someone who works in privacy I find it really funny and sad that all of the legal requirements to create and display privacy policies result only in this: conjecture about what a company might do based on its vague privacy policy language.
I respectfully disagree with your initial point regarding "can" versus "what they do."
Even if a company provides assurances and pledges never to mishandle your data or use it for nefarious purposes, there remains a risk that your data could still end up in the wrong hands.
Would you sign a paper saying I can come into your house unannounced if I suspect you stole something? If you do not steal you have nothing to worry about
It's crazy, almost like people don't trust corporations to be reasonable when they have such vague abuses of the law to escape into. Maybe we shouldn't have to trust corporations not to spy on us in spaces that carry reasonable expectations of privacy. Maybe we should regulate their greedy data-grubbing into the ground so we don't even have to speculate, and so the miserable people who work at these corporations are stymied from even attempting it. What a splendid utopian ideal.
But that's the point of the privacy policy. Why would you have a privacy policy that says you can do a thing if you have no intention of ever doing it. It's plausible that the lawyers were instructed to capture as much as possible with the intention of worrying about what was actually wanted later, but that's precisely the point. Later, they could decide to do anything covered by the policy and there's not only no recourse but no way of knowing what they are doing. That's why you have to take the privacy policy at face value.
