Reform needed as Australians are drowning in privacy policies

Our recent survey indicates that Australians are asked to read and consent to 116 privacy policies – or 467,000 words – as we go about using common products and services. The volume of the often confusing policies means that it’s almost impossible for people to give ‘informed consent’ when agreeing to a policy, and CHOICE thinks it’s time for this to change:


The average privacy policy was 4000 words. Are they this way because the lawyers who write them like to charge by the word or are they padded out with the intention of discouraging the user from reading them? I can’t believe that saying what data you collect and what you are going to do or not do with the data would take more than 500 words if the author intended to be concise.

Obviously there is a spread around that average. @BrendanMays could you say what the maximum and minimum are? My guess is that some are much longer, so they are saying much that the rest are not, or just using more words. Some are much shorter, so why can’t the rest be like that?


So how did the privacy policy of the Choice websites go when tested? You did test them?


May I generalise this and say that there should be a push to reduce legalese relating to everyday issues.

Last week we had the thread with the lady in a retirement home, and her lawyer had trouble understanding the contract. We have policies we have to agree to every time we want to do just about anything new online, every time we join a discount group, etc. We are drowning in words that most people don’t even read.

There should be a push to make all legal agreements and contracts in plain English, simple, and brief.


I’ll have to double check with the data team about the upper and lower limits. UK consumer group Which? put together this table of combined privacy and T&C document word counts:

The CHOICE Privacy policy is 2264 words; it is a focus for CHOICE to be following the best practices in this as well. Having a clear and concise policy is a big part of the suggested solution, but so are effective privacy laws. With so many services online now, it would be good to have a baseline of what privacy practices we should be able to rely on.

EDIT: Here is a bit more detail in the numbers from our survey. Microsoft was the longest at 14,861 words, and the Tripview app was the shortest with just 284 words. Shorter isn’t necessarily better as important details might be lacking. There is an interactive table in the article here with more details:


We don’t really have any privacy rights anyway. Our date of birth, phone number and address are given to thousands of people in India, the Philippines and Indonesia, and these countries have huge markets in identity theft.
I think people should have more rights… The privacy policies are a problem, as are the terms and conditions… Hopelessly long-winded and contorted. Designed to make you give up. I have, in the past, returned computers and other devices because I don’t agree with the terms and conditions. I wish millions of other people would do the same. That might change things.


The only way to achieve that is with blanket legislation of rights and obligations. Unfortunately, nothing can prevent a company unilaterally adding constraining terms with legalese such as “to the maximum extent permitted by statutory rights and obligations …” prefacing the terms they wish to drown you in anyway. The worst of all terms is along the lines of “These terms and conditions are updated from time to time, and published on our website. Your continuing use of the products and services shall be under the latest terms and conditions, as amended…”

…Which makes reading them a waste of time in the first place, because they can change them without informing you - and with your implied agreement by default…

The other joy is needing to create an account before ordering a product, only to find that the company doesn’t have the product, or some other reason for the transaction to not proceed. They still have your data, and you’ve already been forced to agree they can keep it and use it for all of the vague purposes stated in the privacy “agreement”. It would be more appropriate if the “agreement” was called “The terms and conditions describing the extent to which we can abuse your data…”


I’d like to nominate the Meta (Facebook) privacy policy as the worst one I’ve ever seen. I went to read the latest version and gone are the days of simple headings (What We Collect, How We Use It). Instead we have this jumble of tables, infographics, sub-menus and endless links.

Forget an overwhelming number of privacy policies, this is overwhelming on its own.