It's happened countless times. You're subscribing to a new online service and, to make things faster, you quickly press the big button reading Submit or Agree when you're presented with the website's terms, conditions and privacy policies.
If you are guilty of never reading these important documents, you are certainly not alone. Thousands of words are presented more often than not in knotty language which discourages everyday users from actually reading how websites treat their data before accepting the conditions. This makes it very difficult for individuals to really exercise their rights over their data, even when strong data protection laws are enforced.
But how long would it take users if they were to actually read privacy policies? Well, a lot of time. A popular VPN service estimates that Americans would take almost 47 hours every month to read those of the most visited websites. Let's dig into NordVPN's findings as we explore what should be done to make these policies more accessible.
The best and worst user-friendly privacy policies
As mentioned, while digital privacy has become mainstream and the use of security software like VPN and antivirus services has never been so prevalent, there are still far too many people ignoring expert recommendations of reading websites' policies before clicking 'agree'.
Despite being the wrong way to approach online privacy, "this is understandable," said NordVPN's cybersecurity expert Adrianus Warmenhoven.
He and his team reviewed the top 20 websites in 19 countries across the globe, including the US, Canada, Australia, and the UK. The experts counted the number of words in the privacy policies, while evaluating their readability levels. The countries chosen have some of the most privacy-aware citizens, yet companies appear to make staying fully informed a very daunting task.
Commenting on the findings, Warmenhoven was astonished by the amount of time Americans would need to spend every month if they decided to read all the privacy policies on the websites they visit. With an average of 6,938 words and 29-minute reading time for each policy, it would take around nine hours to read the policies of the top 20 most visited American websites.
The estimation considerably increases if US users would read those of the 96 websites a person typically visits in a month. "That would take around a workweek (5 days) every month," he said. "A minimum-wage worker in the US would earn around $338.14 during that time."
US policies are certainly awfully long to read, but they aren't actually the longest. This accolade goes to Germany, boasting an average 10,485 words and about 44 minutes reading time. That's quite an achievement considering that the global average is around 6,460 words and 27.14 minutes. Other countries with the longest policies also include the UK, Italy, Poland, and France.
According to Warmenhoven, this is mainly due to the fact that digital companies operating across the EU and UK need to comply with GDPR rules and be more detailed about consumer rights. However, "this trend also shows the ambivalence of the matter—the broader the rights for privacy, the bigger the responsibility for the consumer," he said.
Among all the companies analyzed, Meta’s social media platforms (Facebook or Instagram) were the longest with 19,434 words. X (formerly known as Twitter) is much shorter, counting a total of 4,175 words . However, the latter received the same "fairly difficult" score on the FRES and Coleman-Liau readability tests.
Length is just one factor determining the accessibility of a privacy policy. The policies need to be easily readable to allow users making informed decisions about the data they want to share and with who. "A clear privacy policy helps to build trust between businesses and their customers," Warmenhoven told me.
On this front, the worst were Zoom (scoring the lowest FRES readability test at 24.9, within the analyzed anglophone countries) and Netflix (FRES score 14.98). The latter is probably even more concerning considering there are many children also using the platform.
As we have seen, despite data protection laws giving consumers more rights over the information they share online, they aren't necessarily making things easy for those people who want to take some agency back over their privacy.
However, you often don't need to read the whole thing to determine if a service is worth your data. "There are a number of ways that can help users to get acquainted with privacy policies easier. Consumers themselves should get educated and updated with the most recent digital privacy practices, including the 'red flags' that users should be able to recognize while reading privacy policies online," Warmenhoven says.
As a rule of thumb, he said you should avoid those websites lacking a privacy policy. He also suggests looking at what data is collected and avoiding, whenever possible, those companies asking information that looks irrelevant for the offered services. He then recommends scanning the text for certain keywords that could be problematic, including "sell/sold," "partners/affiliates," "may" or "for example."
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
