Skip to content   Skip to footer navigation 

Drowning in privacy policies: CHOICE calls for reform

On average, Australians are asked to read and consent to 116 privacy policies – or 467,000 words.

several sheets of paper falling on the floor
Last updated: 28 January 2022
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

Need to know

  • A CHOICE survey finds respondents come across an average of 116 privacy policies, yet more than half haven't read these privacy policies in full 
  • Many say they're put off by lengthy policies full of complicated legalese 
  • CHOICE is pushing for urgent reform of the Privacy Act to ensure stronger consumer protections

Almost every time you visit a website, download or use an app, or sign up or use a loyalty program, digital subscription or streaming service, you've consented to your personal data being collected and stored.

Ideally, you've read the organisation's privacy policy in full to understand how they're handling your personal information. But you wouldn't be alone if you haven't – privacy policies are known for being lengthy and full of jargon, which is off-putting to many – however, you can't give informed consent without doing so. 

Thanks to the increasing range and capability of smart devices, the number of privacy policies we come across is sure to increase in the coming years. 

But just how many privacy policies do Australians currently have to contend with – and how many of those do they read in full? To find out, we surveyed over 1000 campaign supporters and members.

entering personal details for registration on webpage

Over half (52%) of our survey respondents said they've read none of the privacy policies in full.

Too many and too time-consuming

We asked our respondents how many: 

  • smart devices they have
  • apps are on their smartphone
  • websites they visited the day before
  • loyalty programs they belong to
  • digital subscriptions or streaming services they have (e.g. Spotify, Netflix, Foxtel, newspapers and magazines)

Based on their responses, we calculated that on average they have to contend with 116 privacy policies. They also owned an average of eight smart devices, such as smartphones and tablets, smart TVs, smart speakers and other internet of things (IoT) devices.

"I was surprised how many connections to the internet exist in my household," said one respondent.

Our survey also found that over half (52%) said they've read none of the privacy policies in full for their smartphone apps, websites they visited and the subscriptions and loyalty programs they're a member of.

I have given up trying to read privacy policies… they are gobbledegook, over legalistic and devoid of meaning

CHOICE survey respondent

Furthermore, most respondents never (41%) or rarely (31%) read privacy policies when they encountered a new product or service.

One person commented: "I have given up trying to read privacy policies. Despite being university educated, they are gobbledegook, over legalistic and devoid of meaning. Plus, how would you ever know if the issuer would abide by them?"

Another said: "I sometimes try to look at privacy policies, but usually give up quickly due to jargon and sheer length of time. I guess I (foolishly) trust that businesses will do the right thing by me to avoid problems later." 

Hours of reading

Many commented on how long privacy policies are and how it's not realistic to expect people to read them to give informed consent. 

They're not wrong. According to research conducted by CHOICE's consumer data team, the average privacy policy contains 4012 words and takes 16 minutes to read. 

So if Australians consent to 116 privacy policies, that equates to reading nearly 467,000 words over the span of 31 hours. No wonder so many people fail to read them either in part or in whole.

'Almost impossible' to give informed consent

The results of our survey show that many of us are consenting to hundreds of privacy policies that we're not actually reading. And that's a problem. 

"Privacy policies should explain, in simple language, what personal data is being collected and how those details are used or even shared with third parties such as data brokers," says CHOICE consumer data advocate Kate Bower.

"Instead, these statements are often lengthy and written in such impenetrable legal jargon that it's almost impossible for the average person to give their informed consent around the collection and use of their personal data.

"When it comes to data collection and privacy, It's clear this inform and consent model has reached its limits."

No option but to agree

For those who do read and comprehend the policy, there's often no real alternative but to accept it – even if you disagree – in order to access the product or service. 

There's often no real alternative but to accept it – even if you disagree – in order to access the product or service

Many survey respondents expressed their frustrations with this: "What can I do if I disagree anyway?" said one, while another commented: "If you don't 'agree' with the policy, you can't have the service, so you're over a barrel."

If you're unhappy with how an organisation handles personal information, contact them directly to raise the issue and, if possible, take your business elsewhere. However, if you think their privacy policy doesn't meet the legal requirements, contact the Office of the Australian Information Commissioner (OAIC).

person in front of laptop with sore eyes

Privacy policies are often lengthy and full of jargon, making it difficult for people to give informed consent.

Case study: It's really worrying

Western Australian mum Liz* has seven smart devices in her home, subscribes to two streaming services, and says that even though she spends a lot of time on the internet she only visits a handful of websites. 

Unlike the majority of our survey respondents, she actually overestimated the number of apps on her smartphone. 

"I guessed 20, as I assumed there were a lot more system apps that came with the phone. But when I checked, there were only eight," she says. "I suppose that's because I don't really use my phone much outside of our family group Whatsapp chat, and for the occasional phone call."

Liz also loves a bargain, collecting points and redeeming offers, and has signed up to multiple loyalty programs for the perceived benefits. But even she was surprised when she checked just how many she belongs to. 

"I couldn't believe it," says Liz. "I have 18 loyalty cards – 18! That's a real eye-opener. Especially as I've never read any of the privacy policies."

 I didn't realise the extent of information they could gather

Aside from skim-reading a privacy policy years ago ("I gave up, it was so long and it didn't make sense"), Liz admits she hasn't given much thought to the amount of personal consumer data these companies are collecting on her – and sharing. 

"To be honest I just sort of assumed they'd be tracking what I bought, and using that to market other products to me," she says. "I didn't realise the extent of information they could gather, and that they could share that data with third-parties. 

"It's really worrying, but as an individual it's hard to know what other option I have if I want to visit a specific website or accumulate points from my favourite store."

*Not her real name

Case study: I'd be more inclined to read them if it was based on generally agreed information

When Sydney-based professional George* checked the number of apps on his smartphone, he was surprised by the results. 

"I thought there were around 80, which is already pretty high, but the actual number was 107 – and I've only had my phone for a year," he says. 

George also has six paid streaming services and digital subscriptions, belongs to six loyalty programs and visited 20 websites. He reads part of the privacy policies associated with his loyalty programs, but has read none of the others. 

"They tend to be incredibly long, full of legalese and don't provide any useful information on how I might use the service," he says.

"I'd be more inclined to read a privacy policy if it was based on a standard form with some generally agreed information – a bit like the residential tenancy agreement.

"The company would then need to outline if and why they've deviated from that policy. That would make it a lot clearer in a shorter period of time how the company intends to handle your personal information – whether it's worse than the standard, or better." 

*Not his real name

Changes to privacy laws needed

CHOICE is calling on the government to strengthen consumer protections in the Privacy Act by moving away from the notice and consent model to a model that requires businesses to act responsibly in the first instance.  

"Notice and consent mechanisms, while useful, need to be supported by regulations where consumers are not put in a position where they must choose between accessing a product or service and forgoing their privacy or agency," says Bower. 

"The focus should be on businesses acting responsibly for how they collect and use our information, and a clear and simple privacy policy would be a good first step," says Bower.

Businesses should put people first and only collect and use the data needed to provide a service or product

Kate Bower, CHOICE consumer data advocate

A best practice policy is written in simple and easily understood language and clearly explains what information is collected and how it's stored and processed. 

"But a lot more can be done," adds Bower. "When it comes to information-handling, we need better regulation of businesses, stronger monitoring by regulators and tougher penalties for bad behaviour.

"Businesses should put people first and only collect and use the data needed to provide a service or product. Any reform to the Privacy Act needs to ensure that businesses do no harm rather than set requirements for how a consumer can choose not to be harmed."

Our survey

CHOICE surveyed 1027 campaign supporters and members between 17 December, 2021 and 10 January, 2022.

This survey was sent anonymously, meaning there's no identifier to track who has completed the survey.

For the questions about the number of devices, apps, websites, streaming services etc., that respondents use or visit, the respondents selected a number range. We then used the midpoint of each range to calculate an estimated average. 

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.