This is no surprise. Privacy policies aren’t user-friendly documents. They’re often stuffed with legalese and go on forever. Even so, hitting “Accept” without ever reading what you’re agreeing to can be risky. We researched the worst, most difficult-to-read privacy policies of popular websites to see what these companies are asking of you. Would you rather get some direct tips on how to plow through those policies? Check out our guide on how to read privacy policies.
The Worst Privacy Policies: Key Findings
Some of the worst privacy policies might be ones you’ve already accepted. We’ve scoured the web for the worst offenders, specifically looking for the longest and most complex policies around. We also dove a little deeper into the text, searching for anything that set off alarm bells. The results might surprise you, as these are some of the biggest brands around. Disney, Zoom, Slack, Netflix, and many social media favorites made the list. From our research, we’ve drawn a few worrying conclusions:
- Over 60% of the policies we examined were close to unreadable: most required at least a college-graduate reading level, a product of both how much they say and how they say it. The average reading age in the U.K. is nine; in the U.S. it is fourteen. As a result, an average reader would struggle to understand most of these policies.
- Most privacy policies are vaguely worded, which makes it hard to determine what will actually happen to your data. Vague wording also gives a company room to argue, after a leak, that its policy already covered whatever it did.
- Many companies gather data that seems irrelevant to their service, such as Spotify gathering voice data.
Let’s take a closer look at the companies that are hiding behind difficult-to-understand and never-ending privacy statements. First off, here are 50 brands sorted by the readability score and reading time of their privacy policies. For our full findings, check out our data sheets. We’ll dive into the 20 worst policies one by one down below.
The Top 20 Worst Privacy Policies Detailed
Picking apart lengthy privacy policies full of legal speak is hard. We settled upon a readability extension to analyze their clarity and used that to analyze the reading level and difficulty of one hundred different websites’ privacy policies. This gave us a readability score between 0 (least readable) and 100 (most readable) for each. Then, we used a “words to time” conversion to work out how long it’d take to read each policy in-depth, based on its word count. Our results? We’ve narrowed those hundred websites down to fifty (as you saw above), and then to twenty. Below, we’ve ordered the twenty most difficult-to-read policies based on our research. Our full results spanned many industries, including gambling, weather, streaming, social media, shopping, payments, careers, and housing.
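To make the scoring reproducible, here is an added example (my code, not the extension or conversion tool the article used) that computes the same three figures reported for each policy below: words per sentence, syllables per word, and a 0 to 100 readability score, plus a reading-time estimate. It assumes the extension reports Flesch Reading Ease, which is the standard 0 (hardest) to 100 (easiest) scale built from exactly those two ratios, and it assumes a reading speed of 200 words per minute; both are my assumptions. The sample input is the one-sentence Disney clause quoted later in the article, and the syllable counter is a simple heuristic, so expect small deviations from the extension's numbers.

```python
"""Flesch Reading Ease and reading-time estimate for a privacy-policy text.

Added example, not the tool used for the article. Assumes the readability
extension reports Flesch Reading Ease (0 = hardest, 100 = easiest) and a
200 words-per-minute reading speed; both are assumptions.
"""
from __future__ import annotations
import re

WORD_RE = re.compile(r"[A-Za-z]+(?:['\u2019][A-Za-z]+)?")   # "company's" stays one word
SENTENCE_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")


def count_syllables(word: str) -> int:
    """Heuristic English syllable count: vowel groups, minus a trailing silent 'e'."""
    w = word.lower()
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def sentences(text: str) -> list[str]:
    return [s for s in SENTENCE_SPLIT_RE.split(text.strip()) if s]


def words(text: str) -> list[str]:
    return WORD_RE.findall(text)


def flesch_reading_ease(words_per_sentence: float, syllables_per_word: float) -> float:
    """Flesch Reading Ease: 206.835 - 1.015*(words/sentence) - 84.6*(syllables/word)."""
    return 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word


def reading_time_minutes(word_count: int, words_per_minute: int = 200) -> float:
    """Words-to-time conversion at an assumed reading speed."""
    return word_count / words_per_minute


def analyze(text: str, words_per_minute: int = 200) -> dict:
    """Compute the per-policy figures the article reports, from raw policy text."""
    sents = sentences(text)
    toks = words(text)
    syllables = sum(count_syllables(w) for w in toks)
    wps = len(toks) / len(sents)
    spw = syllables / len(toks)
    return {
        "sentences": len(sents),
        "words": len(toks),
        "words_per_sentence": round(wps, 2),
        "syllables_per_word": round(spw, 2),
        "reading_ease": round(flesch_reading_ease(wps, spw), 2),
        "reading_minutes": round(reading_time_minutes(len(toks), words_per_minute), 1),
    }


# Sample input: the one-sentence Disney clause quoted in the article.
DISNEY_CLAUSE = (
    "Please note that once we share your personal information with another "
    "company in the above circumstances, the information received by the other "
    "company is controlled by that company and becomes subject to the other "
    "company's privacy practices."
)

if __name__ == "__main__":
    print(analyze(DISNEY_CLAUSE))
    # Cross-check against the article's Adidas figures: 17.07 words/sentence,
    # 1.99 syllables/word. The formula gives ~21.2; the article reports 21.54.
    print(round(flesch_reading_ease(17.07, 1.99), 2))
```

Feeding the article's own words-per-sentence and syllables-per-word pairs into `flesch_reading_ease` lands within a point or two of the scores reported below, which is a useful sanity check on any readability figure you are given: the 0 to 100 score is just those two averages weighted, so long sentences and long words are the only two levers.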
1. DISNEY: Short, yet the hardest to read
- “Very difficult” readability score (2.83)
- 46 words per sentence in some cases
- Takes an average of 20 minutes to read
Disney is killing it with its new streaming service, not to mention its existing movie catalog, theme parks, and merchandise. However, its policy was the toughest to get through, despite being one of the shortest we found. You can scan through it in less than half the time it takes to watch an episode of Marvel’s Moon Knight, but you’d likely need a lot longer to understand what you’re reading. So, what are you missing if you don’t read Disney’s privacy policy? Disney says it will share your data with third parties. On its own that is common, but read what happens next: “Please note that once we share your personal information with another company in the above circumstances, the information received by the other company is controlled by that company and becomes subject to the other company’s privacy practices.” You should always know where your data is and how it’s handled. Once your data is in another company’s hands, it is that company’s policy, retention period, and security record that matter, and this clause doesn’t tell you who those companies are or what they will do with the data. Disney would likely tell you if you asked, but you shouldn’t need to ask. In effect, you are accepting another company’s privacy policy without ever having read it.
2. INSTAGRAM: Knows your exact location and may share it
- Shares search history, location, and more with third parties
- An average readthrough will take you 1.5 hours
- Logs your IP address and exact location
Where do we start with Instagram’s privacy policy? It ranked second-worst for readability (6.19) and takes 87 minutes to read in full, longer than the average Instagram user spends on the app in a day. Worse still, the policy contains some worrying content. According to the statement, the app may capture and share your data with third parties, and this goes well beyond your name and app usage: it includes your IP address, exact location, search history, contacts list, and financial information. That is a lot of data for any company to gather, and it seems especially unnecessary for an app that started as a photo-sharing platform. If you want to keep using Instagram, it’s time to tighten those privacy settings.
3. CORAL: Stores your data for seven years or longer
- Reasonable in length, but a college-level reading grade
- Retains your data for seven years after account closure
- Cagey about the exact data that may be gathered
Renowned betting app Coral offers both sports betting and casino games, and it also has the third-worst privacy policy for readability on our list. It is also a data hog, holding onto your data for seven years from the point your account is closed. One section of the policy stood out to us: Coral may pull in data from sources that include:
- Their website and social media pages
- Any Coral surveys you’ve completed
- Any analyses of your interactions with the company
- Public sources, such as public records and social media postings
- Cookies and other trackers on your devices
- Customer lists lawfully acquired from third-party vendors
That’s a lot of places to collect your information from, and it shows how far beyond its own app Coral’s collection reaches, according to its own privacy statement.
4. ZOOM: Shares your meeting data with third parties
- Reasonable in length: reading time of 37 minutes
- College-level reading grade and overall readability score of 15
- Shares “meeting and webinar” data with third parties
Zoom spiked in popularity thanks to the COVID pandemic and the lockdowns that followed, but how many of you have read its privacy policy? Right now, it holds fourth place in our most-difficult privacy policy rankings. We encourage you to “zoom in” on what exactly the app says it does with your data. Have a look at this section from the privacy policy: “If an account owner licensed or purchased Zoom Products from a third-party reseller of Zoom Products, the reseller may be able to access personal data and content for users, including meetings, webinars, and messages hosted by the account owner.” In plain English: if the account owner (typically your employer or school) bought Zoom through a reseller rather than from Zoom directly, that reseller may be able to see personal data and content, including meetings, webinars, and messages hosted on that account. That is a third party with potential access to meeting content that the people in the meeting never contracted with, and it is a real consideration for organizational confidentiality. If you are an ordinary participant, you have no say in how the account owner bought its licence, and you likely won’t know whether a reseller sits in that chain at all.
5. RIGHTMOVE: May share your data internationally
- Reading time of 105.2 minutes
- College-level reading grade and overall readability score of 15.5
- User data may be sent to and stored at a destination outside the European Economic Area (“EEA”)
Rightmove are trailblazers in the housing sector, but not so much when it comes to privacy. Their policy has a reading time of 105.2 minutes; just imagine how many moving boxes you could pack in that time! One key point is that Rightmove allows itself to transfer user data outside the country in which it was collected. The privacy policy states: “The Personal Information that We collect from You may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for Us or for one of Our suppliers or contractors.” Not every country has a data protection law like the GDPR. Where it doesn’t, obligations such as breach notification and purpose limitation may not apply, your rights to access or delete the data may not be enforceable, and a leak on the far side can feed phishing aimed at you. That won’t always be the case, but it is the risk an international transfer clause asks you to accept.
6. WAYFAIR: The least readable privacy policy in the shopping sector
- Shortest privacy policy by a mile, with a reading time of 2.2 minutes!
- College-level reading grade and overall readability score of 19.3
- Wants access to geolocation information, which doesn’t seem appropriate
Wayfair, known for its array of homeware essentials, raises a few alarm bells with its privacy policy. It is vague and collects data we wouldn’t consider essential for a shopping website, including “geo-location information.” Geo-location data could include your IP address, browser information, and a phone’s GPS position. A company should describe how and why each category of user data is collected, shared, and stored; that is what lets customers judge the risk of a leak. Wayfair doesn’t state outright why it collects location data. For a retailer, we can surmise that it may be to signpost your closest brick-and-mortar stores, but that purpose doesn’t require storing your IP address or a GPS fix.
7. WIKIPEDIA: Automatically logs the IP address of your browser
- A scroll through Wikipedia’s privacy policy will take users around 23 minutes
- Readability score of 19.54
- Receives your IP address, and can infer your location from it, even if you aren’t signed into an account
Wikipedia ranks seventh for readability, despite being a well-known information resource for many. Its articles are known for being quite complex, and its privacy policy follows the same style: the average word is a modest 1.95 syllables, but sentences run to 21.77 words on average. Wikipedia’s policy states: “When you visit any Wikipedia Site, we automatically receive the IP address of the device (or your proxy server) you are using to access the Internet, which could be used to infer your geographical location.” This means an approximate location can be inferred from your IP address even if you’ve turned off your browser’s location setting: that permission governs GPS-level location, not the address every web server sees on each request. In fairness, every site you visit receives your IP address; Wikipedia simply says so. It also notes that, while you aren’t required to create an account, contributions made while logged out are publicly attributed to your IP address, so an anonymous edit is permanently tied to your network in the public history. This is particularly invasive for a site that’s widely considered a trustworthy source.
8. UPS: Claims to transfer your data to other countries
- “Very difficult” readability score of 20.51
- Unclear how long it retains user data
- May transfer users’ personal information to other countries
Just like its delivery service, the UPS privacy policy is pretty speedy, taking “only” 28 minutes to get through. However, with a college-graduate reading level, it ranks 8th on our list of the worst privacy policies. That said, readability and length aren’t what concern us most here. The UPS privacy policy states: “We may transfer the personal information we collect about you to countries other than the country in which the information originally was collected. Those countries may not have the same data protection laws as the country in which you initially provided the information.” That’s a problem on two counts. First, UPS doesn’t specify which countries it means. Second, it glosses over the level of protection those countries’ data protection laws offer, or fail to offer. It amounts to saying, “Someone else might get your data, and we can’t tell you what they’re going to do with it.” There’s more: the policy is just as vague about how long it retains user data: “Your personal information will not be stored for longer than necessary for the purposes for which they were collected or as required under applicable retention policies and/or in accordance with applicable law.” That statement gives no retention period at all. It’s up to UPS and an unnamed “applicable law” to decide what qualifies as “necessary.”
9. ADIDAS: Could share your data with social media sites via plugins
- Very difficult readability score of 21.54, with 1.99 syllables per word and 17.07 words per sentence
- 111.1 minute reading time (particularly long for a sportswear brand)
- Automatically collects the IP addresses of its users
Adidas’ privacy policy may be long, but it does explain how you can tailor your data settings. For example, it describes how to ask for your order and transaction information to be deleted. That said, Adidas collects IP addresses, browser types, device types, and operating systems whether or not you’ve created an account. The policy also states: “We provide Social Media plug-ins on this website which link directly to the respective Social Media website. When you decide to interact with a social network, information will be transferred to the respective Social Media website about your activity on this website and that you were referred to the Social Media website from this website.” Social media platforms have notoriously bad data privacy habits (Cambridge Analytica, anyone?), and a plug-in extends their reach onto Adidas’ site. The mechanism is ordinary: when you click the plug-in, your browser talks to the social network directly and sends that network’s cookies with the request, so an active login ties the click, and the referring Adidas page, to your account. That is why the policy advises logging out of the social network before you visit if you don’t want this information shared. In other words, Adidas offers no opt-out of its own; the only control it points to is logging out of another company’s website. Blocking third-party cookies or using a content blocker cuts the same link from your side.
10. UBER EATS: A worryingly vague privacy policy
- “Very difficult” readability score of 22.73
- Collects personal information and shares it with third parties
- Doesn’t inform users when its privacy policy changes
Beloved food takeaway app Uber Eats isn’t quite as good at data privacy as it is at delivery. The food may be quick, but it will take you around 56 minutes to get through the privacy policy; if we had to wait an hour for a meal, we wouldn’t want to spend it reading about what Uber Eats does with our data. The policy is worryingly vague, which is a major red flag. Uber states that it collects personal information from users and shares it with third parties for advertising purposes. That’s bad in itself. Worse, the policy doesn’t say whether Uber imposes any contractual limits on how those third parties may use your personal information. It also states that Uber “may occasionally update this notice [so] we encourage users to periodically review this notice for the latest information on our privacy practices.” In other words, it’s on you to check for updates. Because Uber Eats gives no indication of how often its policy changes, the way it collects or handles your data could change without your knowledge.
11. SAINSBURY’S: May retain your data for 12 years
- An average of 33.97 words per sentence
- Lengthy reading time of 111.1 minutes
- Could retain your data for up to 12 years after you stop using the app
Renowned supermarket Sainsbury’s has a privacy policy with an average of 33.97 words per sentence and 1.76 syllables per word. With sentences longer than a Christmas-week supermarket queue, its food app likely has many users skipping past this document. What’s more, the delivery privacy policy (yes, there are several policies) has a reading time of a whopping 111.1 minutes. In that time, we could do three weekly shops and still have time for a coffee at the end! Sainsbury’s says it never retains personal information for longer than necessary, but its privacy policy puts a long number on “necessary”: “Retention period will come to an end 7 years after the end of your relationship with us (…) in some instances we are required to hold your personal information for up to 12 years following the end of your relationship with us (e.g. for data relating to Sainsbury’s Bank mortgage products).” This is one of the longest retention periods we’ve seen, and a clear example of how closing an account does not mean a company stops holding your data.
12. NETFLIX: Shares user data with TV and internet providers
- Ranks 12th with a poor readability score of 23.72
- Average of 33.97 words per sentence and 1.83 syllables per word
- May share collected user data with TV and internet service providers
Known for the content-rich streaming service that got us all through lockdown, Netflix delivers its privacy policy in just over ten minutes, a refreshing change of pace. But how in-depth is it, and how much can be signed away in ten minutes? The policy covers a wide range of user data, including device identifiers, geo-location, and browser types. Again, Netflix is vague on exactly why and how it collects that data. Its crackdown on account sharing, which relies on exactly this kind of device and location signal, shows how readily the data is put to use. The policy also says user data can be shared with suppliers, for example your TV and internet service providers. That’s worrying: we know Netflix collects user data to improve the user experience, but the policy doesn’t say what those providers do with it.
13. SLACK: No control over how third parties share information
- Readability score of 24.7
- 19.8 words per sentence and 1.91 syllables per word on average
- Collects users’ IP addresses to determine an approximate location
Slack isn’t exactly slick when it comes to privacy policies. Its business policy runs to just 1,398 words, which you might not expect from a renowned business app, and its reading time of just over ten minutes makes it one of the shortest in our top fifty. That said, it is vague when it comes to specifics. For example, it states that “Slack does not control how any third party chooses to share or disclose information.” That means you’d need to check the privacy policies of every third-party app Slack shares data with, but the statement doesn’t say which third parties those are, making that an impossible task. Slack’s policy also states: “We receive information from you, our Customers and other third parties that helps us to approximate your location. We may, for example, use a business address submitted by your employer (who is our Customer) or an IP address received from your browser or device to determine approximate location to assist with localisation or for security purposes.” Slack is a communications app, yet it gathers location data. This likely drives features such as showing each user’s time zone, and the policy also cites security purposes (a login from an unexpected location is a common signal). The feature is nice to have, but you have to ask whether it’s worth the loss of privacy.
14. SPOTIFY: World-renowned music app captures and stores voice data
- Readability score of 25
- Average of 19.84 words per sentence and 1.91 syllables per word
- Logs and stores voice data
World-renowned music app Spotify isn’t quite as famous for its privacy policy, which ranks 14th in our listings. You’d better get your favorite album queued up and find a good reading spot, because Spotify’s privacy policy will take you nearly 45 minutes to read. Alexa? Play Iggy Pop – I’m Bored. The policy is particularly worrying, as the music app says it will log and store voice data, build personal profiles of users, and make it practically impossible to opt out of targeted advertising. Unless you’re a budding singer, we can’t think of a useful reason for Spotify to hold your voice data. If you ask us, only virtual assistant technology should be able to listen to users in the background.
15. MICROSOFT: Collects vast logs of data from users
- Readability score of “very difficult” at 26.81
- 22.6 minutes of reading time
- Microsoft Business requires a lot of data from its users
It’s one of the biggest brands in the world, but Microsoft’s privacy policy is a chore to get through. Did you know that Microsoft stores detailed logs of user data? Your name and contact details, password credentials, demographic data, payment data, subscription information, browsing history, and interactions are all captured, to name a few. Beyond your personal data, the business app also collects information about your devices: your operating system, your IP address, other installed software (including product keys), device identifiers (such as a phone’s IMEI number), regional and language settings, and information about WLAN access points near you. You might trust Microsoft with all of this data, but that doesn’t mean it’s safe. Fun fact: at a recent hacking competition, Microsoft products were successfully exploited six times in three days. All of those vulnerabilities were reported to the company so it could patch them, which is how such competitions work, but it still doesn’t bode well for Microsoft’s security. The problem is that, with Microsoft’s dominance of business and home computing, what other choice do you have?
16. XBOX: Claims to collect users’ social interaction data
- College graduate reading level with a readability score of 27
- Has a second privacy policy specifically targeted at “young people”
- Collects content users add, upload, and share
Although Xbox is part of Microsoft and has the same general privacy policy, we still wanted to highlight it here separately. After all, not every Xbox user might be aware of the data they sign away with one press of a button. Reading Xbox’s/Microsoft’s privacy policy won’t take you away from the gaming world for too long: it’ll take you just 22 minutes to read. Interestingly, the Xbox website also offers a refined privacy policy for “young people.” We wonder why they don’t just make one easy-to-understand policy that outlines everything users need to know. Wouldn’t that be easier for everyone? If you haven’t read the privacy policy, you’re likely unaware that Xbox collects the content you add, upload, and share through the Xbox network. This includes text, pictures, and videos that you capture in games and apps. It also extends to social activity, such as chat data and interactions with other gamers, as well as social connections you make on the Xbox network. Xbox probably does so to moderate abuse between community members, but that doesn’t change the fact that they’re tracking your every step on the platform.
17. WISH: Collects IP address and location, even if you’re not registered
- Readability score of 26.5
- 19.13 words per sentence and 1.9 syllables per word
- May collect IP address and location data before you’ve even registered an account
An in-depth read of Wish’s privacy policy will take you a full 43 minutes. That’s quicker than the wait for your Wish delivery, but it’s not exactly easily digestible. Wish’s privacy policy worryingly states that they’ll automatically collect your IP address, location information, country and language information, unique device and network identifiers, and usage data when you visit their website. This is all before you’ve even registered an account or downloaded the Wish app. Privacy-minded users should keep this in mind before shopping on the platform.
18. NINTENDO: May collect health information
- Overall readability score of 26.7
- Short reading time, yet Nintendo’s privacy policy is still very vague
- Nintendo “may collect certain health information” as well as any content you choose to upload
Gaming giant Nintendo also isn’t our favorite when it comes to privacy policies, although it does well on reading time. If you want to read Nintendo’s privacy statement from cover to cover, you’ll need to take just 15.1 minutes away from your gaming session, which makes it one of the shortest policies among the domains we analyzed. Unfortunately, a quick scan through the text raises alarm bells: the whole policy is vague. For example, the company states: “We may collect certain health information such as the number of steps taken or distance walked.” To an extent, we understand why: Nintendo makes fitness games. However, beyond those two examples, Nintendo doesn’t specify exactly what health data it collects, nor how long it will be stored.
19. GITHUB: Doesn’t clarify how long it retains user data
- Very difficult readability rating with a score of 27
- Takes around 45 minutes on average to read
- Vague about how long it stores user data
If you’re a software developer, you’re probably familiar with GitHub. You might not be as familiar with its privacy policy, however. GitHub builds plenty of security and administrative controls into its hosting platform, but its long and difficult privacy policy raises a few alarms. Most importantly, GitHub doesn’t specify a retention period; it simply says it will keep your information for “as long as necessary.” Although GitHub doesn’t appear to collect excessive amounts of data, the way it talks about that data is just as vague: “GitHub may also collect personal data from third parties. We only collect the minimum amount of personal data necessary from you, unless you choose to provide more.” The lack of clarity is concerning. A phrase like “as long as necessary” gives a company carte blanche to retain data for as long as it sees fit, and there is no indication of who those third parties are or why data is collected from them.
20. YAHOO: Can update its privacy policy without notifying you
- “Very difficult” readability rating with a score of 27
- 20.78 words per sentence and 1.88 syllables per word
- A short reading time of 21.6 minutes
Yahoo treads similar ground to other companies we’ve outlined above. For starters, they claim to automatically collect your device and location information. Moreover, they can also update their privacy policy without notifying you. Much like other companies listed in this top 20, they don’t specify when this might happen. You’re probably seeing a pattern here; unless you make a point to routinely check various policies, things might change across the board. This is an example of unrealistic expectations being placed on consumers. Nobody is going to schedule regular days to read privacy policies for every single one of their services.
Why You Should Read Privacy Policies
After having a look at our top 20, you might wonder why you should even take the time to dive into these unnecessarily long and vague texts. If a company can’t explain in normal language how they’ll treat you as a customer, why bother? Unfortunately, the privacy policy remains one of the most important statements on a company’s website. Skip over one, and you could be putting your personally identifiable information (PII) at risk of being exposed and resold. Social media apps, for example, often state that they “cannot guarantee information can be deleted” or that your data may be “transferred to third-party providers.” Many of these applications share data extensively, which can be harmless, if a little annoying. However, some might sell your data to marketing agencies. In a worst-case scenario, a data breach of a company could even result in your information being sold on the dark web. This makes you vulnerable to anything from annoying, unwanted spam calls, to having your identity stolen. In short, hitting “Accept” without reading a privacy policy can have unintended consequences for your data privacy. Don’t assume companies are doing the right thing: countless have failed users and their data in the past.
How to Read a Privacy Policy
So, we’ve established that you should always read the privacy policy when signing up for a website or service. But what should you look out for? First off, let’s cover some key questions you should ask yourself when skimming the policy: Most of us won’t spend hours reading every single privacy policy we come across. However, we do recommend looking at the points above, particularly the first five. After a while, you get used to spotting the worst privacy policy terms, which speeds things up. We’ve covered these in more detail below.
The Worst Privacy Policy Terms to Look Out For
When skimming a policy, it can help to pay attention to the worst privacy policy terms that are often used. These could indicate an untrustworthy company that’s collecting more data than necessary. Even if they have no malicious intentions, a data breach could result in a lot of your data being accessed by cybercriminals. Below, we’ve detailed the most concerning privacy policy terms you might come across. Any of these could be a risk to your privacy. Need a pro tip? To save yourself from reading the full privacy policy, you can use CTRL+F to scan the document for the below worst privacy terms. Would you like to know more about the pitfalls of privacy policies and the risks they can pose? Have a look at our list of the worst privacy risks in user agreements and privacy policies.
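A CTRL+F pass works for one document; for a handful of policies it is quicker to let a script do the searching and hand you only the sentences that need reading. Here is an added example (my code, not a tool from the article) that does that. The phrase patterns are my own picks, grouped into the four concerns that recur in the policies quoted above: open-ended retention, onward sharing with unnamed third parties, transfers outside the collecting jurisdiction, and unilateral policy changes. It also pulls out any explicit retention periods such as “7 years”. The sample input is constructed from clauses quoted in the article (UPS, Sainsbury’s, GitHub and Uber Eats). Treat every hit as a prompt to read that sentence, not as a verdict on the company.

```python
"""Red-flag scanner for privacy-policy text.

Added example, not a tool from the article. The phrase list is an assumed set
of wording patterns shared by the policies quoted in the article; extend it.
"""
from __future__ import annotations
import re

# Category -> regex (case-insensitive). Assumed red-flag wording, not an official list.
RED_FLAGS: dict[str, re.Pattern[str]] = {
    "open-ended retention": re.compile(
        r"\b(as long as (is )?necessary|longer than (is )?necessary|applicable law)\b", re.I),
    "onward sharing": re.compile(
        r"\b(third[- ]part(y|ies)|other compan(y|ies)|resellers?)\b", re.I),
    "cross-border transfer": re.compile(
        r"(outside the (EEA|european economic area)|other countries|transfer\w*\b.{0,80}\bcountr)",
        re.I),
    "silent policy changes": re.compile(
        r"\b(periodically review|may (occasionally )?update this (notice|policy)|"
        r"without (prior )?notice)\b", re.I),
}

# Explicit retention periods: "7 years", "12 years", "30 days" would need 'days' added.
RETENTION_RE = re.compile(r"\b(\d{1,2})\s+(years?|months?)\b", re.I)
SENTENCE_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")


def sentences(text: str) -> list[str]:
    return [s.strip() for s in SENTENCE_SPLIT_RE.split(text.strip()) if s.strip()]


def scan_policy(text: str) -> dict[str, list[str]]:
    """Return, per category, the sentences containing a red-flag phrase (empty categories dropped)."""
    hits: dict[str, list[str]] = {name: [] for name in RED_FLAGS}
    for sentence in sentences(text):
        for name, pattern in RED_FLAGS.items():
            if pattern.search(sentence):
                hits[name].append(sentence)
    return {name: found for name, found in hits.items() if found}


def retention_periods(text: str) -> list[tuple[int, str]]:
    """Extract explicit retention periods, e.g. [(7, 'year'), (12, 'year')]."""
    return [(int(n), unit.lower().rstrip("s")) for n, unit in RETENTION_RE.findall(text)]


# Constructed sample: clauses quoted in the article (UPS, Sainsbury's, GitHub, Uber Eats).
SAMPLE_POLICY = (
    "We may transfer the personal information we collect about you to countries other "
    "than the country in which the information originally was collected. "
    "Your personal information will not be stored for longer than necessary for the "
    "purposes for which they were collected or as required under applicable law. "
    "Retention period will come to an end 7 years after the end of your relationship "
    "with us; in some instances we are required to hold your personal information for "
    "up to 12 years. "
    "GitHub may also collect personal data from third parties. "
    "We may occasionally update this notice, so we encourage users to periodically "
    "review this notice."
)

if __name__ == "__main__":
    for category, found in scan_policy(SAMPLE_POLICY).items():
        print(f"[{category}]")
        for s in found:
            print("   ", s)
    print("retention periods:", retention_periods(SAMPLE_POLICY))
```

Run it against a policy you have pasted into a text file and read only the sentences it surfaces; a policy that produces no hits in the first three categories, and states a concrete retention period, is already doing better than most of the twenty above. The patterns are deliberately broad, so expect some false positives (a sentence naming “third parties” may be the one that restricts them).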
Companies Need to Improve
If there’s one conclusion we can draw from our research, it’s that companies need to improve their privacy policies to offer clarity to their customers. Currently, a company’s privacy policy can feel like a visit from Rumpelstiltskin: they tell you riddles and make beautiful promises in exchange for a small payment, only for you to realize you may have just signed away your firstborn. Don’t get us wrong. We like a good fairy tale, but we love our privacy more. To an extent, we understand why these documents are phrased the way they are. Privacy policies are legal documents required by law, and they help protect the companies responsible for handling your data. However, in their current form, they’re not fit for anything else. If they’re meant to inform users, they do a very bad job of it. While most privacy policies are vague and unreadable, they’re also a necessary evil. Unless you want to avoid pretty much every major brand out there, you’re going to have to accept some level of data sharing and retention policies. If you ask us, however, companies could be a lot more forward in these policies. Understandable language and fair agreements on data collection would be a great start. What can you, as a customer or user, do in the meantime? Here’s our advice:
- Keep an eye out for worrying phrases in privacy policies.
- Research the companies you create accounts with and study their policies.
- Look up reviews of services online, especially those focusing on privacy.
- Use cybersecurity software to ensure that your online presence is secure in every other way.