How to Efficiently Read a Privacy Policy

You may be concerned about your online privacy — and should be — but chances are you don’t read website privacy policies.

Few people regularly do, and no surprise. The typical privacy policy is about 2,500 words, or roughly a 10-minute read, with enough legalese to make Perry Mason wince.

Considering the typical American visits nearly 1,500 websites a year (each with a different privacy policy), it would take about 250 hours to completely read them all, Carnegie Mellon researchers estimate. Just skimming all those privacy policies would take about 154 hours, nearly a full week of nonstop reading.

Maybe that’s why a slight majority — 52 percent of those surveyed by the Pew Research Center — mistakenly believe this statement is true: “When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users.”

Not necessarily. A privacy policy is a statement or legal disclosure that details how the website gathers, uses, manages and shares its customers’ information: what personal or financial data is collected, why it’s collected and what is done with it. This information could be your name and email address, credit card account, shopping or searching habits, even a complete dossier of your smartphone use.

The privacy policy should explain whether your information is kept confidential or sold/bartered/traded to others — clients or partners that could possibly (if unknowingly) include spammers, scammers and future targets of hackers in data breaches.

While reading those privacy policies may not be fun, they can be important. Here are some tips to tackle them without overtaxing your brain or time, according to the Center for Identity at the University of Texas at Austin.

1. A privacy policy should answer these six questions, says Center for Identity researcher Rachel German:

  • Is your data used for secondary purposes, meaning other than that for which you are explicitly providing it?
  • Is your data shared with third parties? If so, does the policy specify for what purposes? (For example, it’s often a red flag if the policy states that data sent to third parties is used to deliver ads; that could equal a lot of spam in your inbox.)
  • What are the terms for sharing your data with the government and law enforcement?
  • Is your data protected in all phases of collection and storage?
  • Does the service allow you to delete your data?
  • Does the service use your data to build and save a profile for nonprimary use?


2. To get answers to those specific questions, German recommends using the manual search or “find” option on your browser to locate key words or phrases. She suggests terms such as “email,” “marketing,” “arbitration,” “waive” or “waiver,” “third-party,” “affiliate(s)” and “opt-out.” Also scan the policy for any words or phrases in boldface or all UPPERCASE. Those tend to be important disclosures.

3. Consider an add-on to do the legwork. Released by the Center for Identity, PrivacyCheck is a free extension for Google Chrome that uses a data mining algorithm to provide a graphical, “at-a-glance” look at the ways in which companies use their customers’ personal data. Other companies offer enrollment-based services that search privacy policies and highlight pertinent information.
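
The keyword search described in step 2 can also be scripted. The following is an added example, not part of the original article or the Center for Identity's tooling: the search terms come from step 2, while the regular expressions, function names and sample policy text are constructed for illustration.

```python
import re

# Search terms suggested in step 2; the regexes are this example's own.
TERMS = {
    "email": r"\be-?mail\b",
    "marketing": r"\bmarketing\b",
    "arbitration": r"\barbitrat\w*",
    "waive/waiver": r"\bwaive(?:rs?|s|d)?\b",
    "third-party": r"\bthird[- ]part(?:y|ies)\b",
    "affiliate(s)": r"\baffiliates?\b",
    "opt-out": r"\bopt(?:ing)?[- ]?out\b",
}
# Three or more consecutive ALL-CAPS words: the "all UPPERCASE" disclosures.
CAPS_RUN = re.compile(r"\b[A-Z]{2,}(?:[ ,]+[A-Z]{2,}){2,}\b")

def split_sentences(text):
    """Naive sentence splitter; good enough for skimming policy prose."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def scan_policy(text):
    """Return {term: [matching sentences]} plus an 'UPPERCASE' bucket."""
    hits = {}
    for sentence in split_sentences(text):
        for term, pattern in TERMS.items():
            if re.search(pattern, sentence, re.IGNORECASE):
                hits.setdefault(term, []).append(sentence)
        if CAPS_RUN.search(sentence):
            hits.setdefault("UPPERCASE", []).append(sentence)
    return hits

# Constructed sample text, not taken from any real policy.
SAMPLE = (
    "We collect your name and email address when you register. "
    "We may share usage data with third parties and our affiliates for marketing. "
    "YOU AGREE TO WAIVE YOUR RIGHT TO A JURY TRIAL AND TO BINDING ARBITRATION. "
    "You can opt out of promotional messages at any time. "
    "We store cookies to remember your preferences."
)

if __name__ == "__main__":
    for term, sentences in scan_policy(SAMPLE).items():
        print(f"[{term}]")
        for s in sentences:
            print("   ", s)
```

Grouping hits by sentence puts each flagged term next to the clause that governs it, which is what the six questions in step 1 ask you to read.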

For information about scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud. Keep tabs on scams and law enforcement alerts in your area at our Scam-Tracking Map.
