How many times have you looked at a long privacy policy on a website or app and simply clicked accept straight away without reading?
You’re not alone. Every day in almost all settings we’re asked to accept long and confusing privacy policy statements that few of us will ever have the time or energy to read.
Here at CHOICE we analysed 75 of the privacy policies you’re most likely to come across in everyday life, from the top ecommerce websites, to the top banking apps and government service QR code check-in apps.
We ran the 75 privacy policies through the Grammarly app, a free online writing assistant. We found the policies ranged widely in reading lengths and readability scores. Some were reasonable and accessible, and others were far from it.
Privacy policy length
To read all 75 privacy policies would take you almost 20 hours in total.
The average length of a privacy policy was around 4000 words, with an average read time of 16 minutes.
But Kate Bower, consumer data advocate at CHOICE, says there was a huge range in read times, from one minute, to one hour.
“Privacy policies should be clear, concise and easy to read for most people. It is unreasonable and unrealistic to expect people to spend hours a week reading dense legal jargon just to use a product or service,” she says.
We took a look at the privacy policies you’d need to read for a weekend away in Melbourne, from booking flights on Qantas, to the Service Victoria app and buying tickets to a show through Ticketek.
Our analysis only scratched the surface, and didn’t include things like an Uber trip or a hotel booking, and yet we found that to read all the relevant privacy policies it would still take well over three hours of your time.
Privacy policy readability
We analysed the jargon and readability of the 75 privacy policies, asking Grammarly to give them a readability score out of 100. Anything above the 60–70 range should be easily understood by most people, but we found 80% of policies we compared scored below 50. A third scored below 40, meaning only people with university-level reading skills could easily read and understand them. Only one policy had a readability score above 70 (Torque Pro app).
The best and the worst privacy policies
The longest privacy policy out of the 75 we compared was Microsoft’s, coming in at a whopping 14,861 words and taking nearly an hour to read (59’15”). The shortest was from the popular public transport timing app, Tripview, taking just over a minute (1’08”) of your time to find out how your data is being used.
But shorter isn’t always better. Many of the shortest privacy policies were worryingly short on detail and would leave most consumers in the dark about how their data is being collected and used.
Special mention should be made of the messaging app Threema. It has a concise 348-word privacy policy for its product which is built using ‘privacy by design’ principles, and has no tracking or advertising. In general, smartphone apps had the shortest policies, with the top 10 shortest all belonging to apps from either the Google or Apple app stores.
The industry with the longest policies is the travel industry, with four of the 10 longest policies coming from travel providers such as airlines and booking sites. In particular, Air New Zealand’s policy takes almost an hour to read (57’17”), much longer than the 15 minutes you’re given to secure your flights when buying your tickets online.
Bower says it’s important that privacy policies are clearly and plainly written so as to be easily understood. A poorly written privacy policy can have real-world impacts for consumers.
For example, it may not make clear that the data captured from your use of a website or app will be used in machine-learning algorithms, and that this could lead to you being subject to price discrimination based on your age, for instance, or to an unfair and biased decision in your application for a loan.
“Privacy policies are part of what is called the notice and consent model of privacy, which heavily relies on individuals protecting their own privacy by actively engaging with the businesses directly,” she says.
“This comparison shows that that model has failed consumers and is not able to adequately protect them from both privacy and consumer harms. CHOICE supports the introduction of standardised privacy statements with uniform layouts to assist consumers in understanding their rights.”
Bower says that more needs to be done to protect consumers from harm caused by unreadable privacy policies, and that disclosure of a harmful practice alone is not enough.
“Notice and consent mechanisms, while useful, need to be supported by regulations where consumers are not put in a position where they must choose between accessing a product or service and forgoing their privacy or agency,” she says.
She adds that the government needs to urgently reform the Privacy Act to require ‘fair and reasonable’ processing of personal data by businesses and demand that businesses do the right thing by people in the first instance.