It Would Take 42 Hours to Read the Privacy Policies of your Favourite Websites

NordVPN the most popular VPN and security company online, analyzed the top twenty websites in nineteen countries to check how long it would take to read the company privacy policies. The study showed that it would take a full workweek (41.3 hours) to read the privacy policies of the most popular websites Canadians typically visit monthly such as Facebook, Netflix and Google. The average privacy policy in Canada consists of 6,148 words.

Photo: NordVPN

“Even though we keep reminding users to read the privacy policy, one in three Canadians still don’t look at any legal information online. However, this is understandable. We would need to spend a quarter of a month visiting the websites we need. A minimum-wage worker in Canada would earn around  $479.46 during that time,” says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.

“On the other hand, reading a privacy policy is as important as having one. That is why companies should work hard to make their privacy policies short and easy to understand. Meanwhile, users should choose trusted websites and know what to look for.”

The reading time of privacy policies was calculated by counting the number of words in the privacy policy and evaluating its readability with the FRES and Coleman-Liau readability tests. 

Screen Shot: Netflix

The study found that reading the privacy policy of the most visited Canadian websites would take almost nine hours. The longest in almost all countries was the privacy policy of Meta’s social media platforms (Facebook or Instagram) – 19,434 words. However, they scored better in terms of readability (“fairly difficult” with a score slightly over 50 on FRES and around the 12th-grade level on Coleman-Liau). The whole policy takes around 82 minutes to read.

X (previosly known as Twitter) has a much shorter privacy policy (4,175 words) with the same readability score as Facebook or Instagram. It takes around 17 minutes to read. In the past, X was trying to make its privacy policy as accessible as possible by presenting the Twitter Data Dash, a computer game that helps understand the company’s privacy policy better. 

In anglophone countries (US, Canada, Australia, and the UK), Zoom scored the worst on the FRES readability test (only 24.9), which is worrying given the privacy concerns surrounding the platform. It would take 30 minutes to read the privacy policy of Zoom.

Screen Shot: Meta

Netflix scored the worst on the Coleman-Liau test (14.98) in these countries, The privacy policy of Netflix would take 36 minutes to read. 

Privacy policies in Germany were found to be the longest, consisting of 10,485 words on average, and take around 44 minutes to read, almost double the global average is around 6,460 words and 27.14 minutes. Other European countries also had quite extensive privacy policies (Italy – 7,068 words, Poland – 7,314, France – 7,318).

“Countries with more detailed rights (such as EU countries with the GDPR) naturally have longer privacy policies to cover everything included in the laws. This trend also shows the ambivalence of the matter — the broader the rights for privacy, the bigger the responsibility for the consumer,” says Warmenhoven.

How do you spot red flags in the privacy policy?

Even though privacy policies take a long time to read, they help to make sure user privacy is secured. In order to save time while reading privacy policy, Adrianus Warmenhoven recommends to look for certain red flags.

  • See what data is collected. The first part of most privacy policies outlines what data the website collects from its users. If they ask for more data than seems relevant to their services, it could be a sign of potential misuse.
  • Search for “red flag” keywords. You can try searching for words such as “sell” or “sold” to make sure you find places in the privacy policy where it is mentioned that your data may be sold to third parties. Other good keywords could be “partners” or “affiliates.” Lastly, try searching for the words “may” or “for example.” These words are used to hide some malicious actions the company takes against its users, like “may sell data.”
  • Trust the verified websites. The fewer websites used by a person, the less information is at risk of being misused. Try to avoid new and sketchy-looking websites, especially those that don’t even have a privacy policy.

Methodology: NordVPN examined the privacy policies of 20 sites from 19 countries. These policies were either in English or machine-translated into English where English was not the original language. By calculating the number of words in a policy, we estimated how long it would take to read it. Then we evaluated the understandability of each policy using the FRES and Coleman-Liau readability tests. Full studyb

A more compelling question may be to ask why read privacy policies in the first place seeing that disagreeing to consent means that the company simply prevents you from using the service.  In other words it’s nice to read the policy to know how you are being sold, but it’s not like you can do anything about it.