Need to know
- Our analysis of 75 privacy policies found they average 4000 words and take 16 minutes to read
- Most have poor readability, with a third requiring university-level reading skills to easily understand
- CHOICE is pushing for urgent reform to the Privacy Act to ensure stronger consumer protections and protect people from harm
Here at CHOICE we analysed 75 of the privacy policies you're most likely to come across in everyday life, from the top ecommerce websites, to the top banking apps and government service QR code check-in apps.
We ran the 75 privacy policies through the Grammarly app, a free online writing assistant. We found the policies ranged widely in reading lengths and readability scores. Some were reasonable and accessible, and others were far from it.
To read all 75 privacy policies would take you almost 20 hours in total.
But Kate Bower, consumer data advocate at CHOICE, says there was a huge range in read times, from one minute, to one hour.
"Privacy policies should be clear, concise and easy to read for most people. It is unreasonable and unrealistic to expect people to spend hours a week reading dense legal jargon just to use a product or service," she says.
We took a look at the privacy policies you'd need to read for a weekend away in Melbourne, from booking flights on Qantas, to the Service Victoria app and buying tickets to a show through Ticketek.
Our analysis only scratched the surface, and didn't include things like an Uber trip or a hotel booking, and yet we found that to read all the relevant privacy policies it would still take well over three hours of your time.
We analysed the jargon and readability of the 75 privacy policies, asking Grammarly to give them a readability score out of 100. Anything above the 60–70 range should be easily understood by most people, but we found 80% of policies we compared scored below 50. A third scored below 40, meaning only people with university-level reading skills could easily read and understand it. Only one policy had a readability score above 70 (Torque Pro app).
The best and the worst privacy policies
But shorter isn't always better. Many of the shortest privacy policies were worryingly short on detail and would leave most consumers in the dark about how their data is being collected and used.
Shorter isn't always better. Many of the shortest privacy policies were worryingly short on detail
The industry with the longest policies is the travel industry, with four of the 10 longest policies coming from travel providers such as airlines and booking sites. In particular, Air New Zealand's policy takes almost an hour to read (57:17), much longer than the 15 minutes you're given to secure your flights when buying your tickets online.
For example, it may not make clear that the data captured from your use of a website or app will be used in machine-learning algorithms. And that this could lead to you being subject to price discrimination based on your age, for example, or an unfair and biased decision in your application for a loan.
"Privacy policies are part of what is called the notice and consent model of privacy, which heavily relies on individuals protecting their own privacy by actively engaging with the businesses directly," she says.
"This comparison shows that that model has failed consumers and is not able to adequately protect them from both privacy and consumer harms. CHOICE supports the introduction of standardised privacy statements with uniform layouts to assist consumers in understanding their rights."
Bower says that more needs to be done to protect consumers from harm caused by unreadable privacy policies, and that disclosure of a harmful practice alone is not enough.
"Notice and consent mechanisms, while useful, need to be supported by regulations where consumers are not put in a position where they must choose between accessing a product or service and forgoing their privacy or agency," she says.
She adds that the government needs to urgently reform the Privacy Act to require 'fair and reasonable' processing of personal data by businesses and demand that businesses do the right thing by people in the first instance.