Identify a red flag in a vendor privacy policy and explain why it's concerning.

• A. Vague language like 'may try' to secure data.
• B. A detailed, explicit description of security measures.
• C. A clear statement of data retention periods.
• D. A specified penalty for data breaches.

Answer: (C)

A red flag in a vendor privacy policy shows up as vague or noncommittal language about how data is protected. If the policy says data “may be processed” or “may be stored” without specifics—like who can access it, where it’s stored, how long it’s kept, or what safeguards are in place—it signals uncertain protections. This lack of concrete commitments makes it hard to assess risk, undermines accountability, and can hide weak controls that might lead to breaches or misuse. By contrast, clear security details, explicit data retention timelines, and enforceable breach penalties are signs of a trustworthy policy, because they provide measurable protections and expectations. So the concerning red flag is the vague language about security and data handling, since it leaves critical protections ambiguous.