[WireWrap]

You really can't create a matrix of how different companies handle the information, because there is no practical way for you to determine that. You could, however, create a matrix of what different companies claim they do with the information. While this might be helpful to those who are inclined to believe that companies always do exactly what they say, it isn't going to be very helpful to those who want to protect information in a reliable way.

If you want reliable protection, you eliminate or block those mechanisms which expose information to others. You could create a matrix which identifies different types of exposures and shows which can be avoided when using a given product or service. It would be a major task though, because technical details that are often not well documented can have a big impact on exposures. You couldn't afford to miss something like a user identifier that accompanies phoned home data.

[kbenson]

Of course, the available information is what's presented. But what I outlined isn't any less effective because the specific actions are unknown. You have to assume if they say they can/may do something with regard to your data, it's being done (or can/will be done in the future). Privacy policy violations are actionable, so what they say they are allowed to do is what should be started with. If there's specific credible information that they do otherwise, them you use that.

The whole point is making it easy to judge how companies interact with their customers in regard to data and privacy so market pressure can do it's thing.