Need to know
- A CHOICE survey finds respondents come across an average of 116 privacy policies, yet more than half haven't read these privacy policies in full
- Many say they're put off by lengthy policies full of complicated legalese
- CHOICE is pushing for urgent reform of the Privacy Act to ensure stronger consumer protections
Almost every time you visit a website, download or use an app, or sign up or use a loyalty program, digital subscription or streaming service, you've consented to your personal data being collected and stored.
Thanks to the increasing range and capability of smart devices, the number of privacy policies we come across is sure to increase in the coming years.
But just how many privacy policies do Australians currently have to contend with – and how many of those do they read in full? To find out, we surveyed over 1000 campaign supporters and members.
Over half (52%) of our survey respondents said they've read none of the privacy policies in full.
Too many and too time-consuming
We asked our respondents how many:
- smart devices they have
- apps are on their smartphone
- websites they visited the day before
- loyalty programs they belong to
- digital subscriptions or streaming services they have (e.g. Spotify, Netflix, Foxtel, newspapers and magazines)
Based on their responses, we calculated that on average they have to contend with 116 privacy policies. They also owned an average of eight smart devices, such as smartphones and tablets, smart TVs, smart speakers and other internet of things (IoT) devices.
"I was surprised how many connections to the internet exist in my household," said one respondent.
Our survey also found that over half (52%) said they've read none of the privacy policies in full for their smartphone apps, websites they visited and the subscriptions and loyalty programs they're a member of.
I have given up trying to read privacy policies… they are gobbledegook, over legalistic and devoid of meaningCHOICE survey respondent
Furthermore, most respondents never (41%) or rarely (31%) read privacy policies when they encountered a new product or service.
One person commented: "I have given up trying to read privacy policies. Despite being university educated, they are gobbledegook, over legalistic and devoid of meaning. Plus, how would you ever know if the issuer would abide by them?"
Another said: "I sometimes try to look at privacy policies, but usually give up quickly due to jargon and sheer length of time. I guess I (foolishly) trust that businesses will do the right thing by me to avoid problems later."
Hours of reading
Many commented on how long privacy policies are and how it's not realistic to expect people to read them to give informed consent.
So if Australians consent to 116 privacy policies, that equates to reading nearly 467,000 words over the span of 31 hours. No wonder so many people fail to read them either in part or in whole.
'Almost impossible' to give informed consent
The results of our survey show that many of us are consenting to hundreds of privacy policies that we're not actually reading. And that's a problem.
"Privacy policies should explain, in simple language, what personal data is being collected and how those details are used or even shared with third parties such as data brokers," says CHOICE consumer data advocate Kate Bower.
"Instead, these statements are often lengthy and written in such impenetrable legal jargon that it's almost impossible for the average person to give their informed consent around the collection and use of their personal data.
"When it comes to data collection and privacy, It's clear this inform and consent model has reached its limits."
No option but to agree
For those who do read and comprehend the policy, there's often no real alternative but to accept it – even if you disagree – in order to access the product or service.
There's often no real alternative but to accept it – even if you disagree – in order to access the product or service
Many survey respondents expressed their frustrations with this: "What can I do if I disagree anyway?" said one, while another commented: "If you don't 'agree' with the policy, you can't have the service, so you're over a barrel."
Privacy policies are often lengthy and full of jargon, making it difficult for people to give informed consent.
Case study: It's really worrying
Western Australian mum Liz* has seven smart devices in her home, subscribes to two streaming services, and says that even though she spends a lot of time on the internet she only visits a handful of websites.
Unlike the majority of our survey respondents, she actually overestimated the number of apps on her smartphone.
"I guessed 20, as I assumed there were a lot more system apps that came with the phone. But when I checked, there were only eight," she says. "I suppose that's because I don't really use my phone much outside of our family group Whatsapp chat, and for the occasional phone call."
Liz also loves a bargain, collecting points and redeeming offers, and has signed up to multiple loyalty programs for the perceived benefits. But even she was surprised when she checked just how many she belongs to.
"I couldn't believe it," says Liz. "I have 18 loyalty cards – 18! That's a real eye-opener. Especially as I've never read any of the privacy policies."
I didn't realise the extent of information they could gather
"To be honest I just sort of assumed they'd be tracking what I bought, and using that to market other products to me," she says. "I didn't realise the extent of information they could gather, and that they could share that data with third-parties.
"It's really worrying, but as an individual it's hard to know what other option I have if I want to visit a specific website or accumulate points from my favourite store."
*Not her real name
Case study: I'd be more inclined to read them if it was based on generally agreed information
When Sydney-based professional George* checked the number of apps on his smartphone, he was surprised by the results.
"I thought there were around 80, which is already pretty high, but the actual number was 107 – and I've only had my phone for a year," he says.
George also has six paid streaming services and digital subscriptions, belongs to six loyalty programs and visited 20 websites. He reads part of the privacy policies associated with his loyalty programs, but has read none of the others.
"They tend to be incredibly long, full of legalese and don't provide any useful information on how I might use the service," he says.
"The company would then need to outline if and why they've deviated from that policy. That would make it a lot clearer in a shorter period of time how the company intends to handle your personal information – whether it's worse than the standard, or better."
*Not his real name
Changes to privacy laws needed
CHOICE is calling on the government to strengthen consumer protections in the Privacy Act by moving away from the notice and consent model to a model that requires businesses to act responsibly in the first instance.
"Notice and consent mechanisms, while useful, need to be supported by regulations where consumers are not put in a position where they must choose between accessing a product or service and forgoing their privacy or agency," says Bower.
Businesses should put people first and only collect and use the data needed to provide a service or productKate Bower, CHOICE consumer data advocate
A best practice policy is written in simple and easily understood language and clearly explains what information is collected and how it's stored and processed.
"But a lot more can be done," adds Bower. "When it comes to information-handling, we need better regulation of businesses, stronger monitoring by regulators and tougher penalties for bad behaviour.
"Businesses should put people first and only collect and use the data needed to provide a service or product. Any reform to the Privacy Act needs to ensure that businesses do no harm rather than set requirements for how a consumer can choose not to be harmed."
CHOICE surveyed 1027 campaign supporters and members between 17 December, 2021 and 10 January, 2022.
This survey was sent anonymously, meaning there's no identifier to track who has completed the survey.
For the questions about the number of devices, apps, websites, streaming services etc., that respondents use or visit, the respondents selected a number range. We then used the midpoint of each range to calculate an estimated average.