What you really agree to when you click 'accept'

May 19, 2014: 9:15 AM ET
apps privacy security
NEW YORK (CNNMoney)

You can spot the words "privacy policy" at the bottom of nearly every website. Don't be fooled. Those policies are more about data collection than privacy.

Companies use these policies to alert you to how they track your location, read your emails, spy on your Web browsing -- and sell some of that to advertisers.

It doesn't help that these disclaimers are close to unintelligible.

The policy at Facebook (FB) is 9,110 words long. LinkedIn (LNKD) comes in at 7,895 words. You'd need to be a sophomore in college to fully understand the disclaimers at Netflix (NFLX) and WhatsApp, according to a Flesch-Kincaid readability test.

With the help of several legal experts, CNN has reviewed policies at many top websites and apps. The conclusion: Most privacy policies are basically useless.

Related story: 8 worst terms of service

privacy policy instory
CNN reviewed privacy policies of top websites and services. The average policy is 3,545 words long and has a "13th grade" (college freshman) reading level.

They're too vague. Unclear language isn't just annoying. It arms companies with more legal muscle. Having ambiguous language in privacy policies lessens a consumer's ability to fight back if their personal information is ever mishandled.

"In many cases, companies don't want to be specifically transparent about what they're doing, so the policies are written in general terms with a lot of 'cover yourself' built in," attorney Joel Reidenberg said.

The music-streaming service Pandora (P), for instance, says it collects "transactional information" on devices. CNN consulted five of the nation's top privacy attorneys, and none knew what that meant. Is Pandora tracking your spending habits on shopping sites? Online banking? Pandora later explained that refers only to activities -- such as listening to music -- within the Pandora app.

That definition wasn't clear to Reidenberg or N. Cameron Russell, law school professors at Fordham University who specialize in this very subject.

"I would interpret that like a nonlawyer would," Russell said. "'Transactional information' is not a term of art that I've heard. That's up for grabs."

Terms are open-ended. When companies collect your information, they provide a list of what they take -- typically without any real limits. For example, King (KING), the maker of the wildly popular smartphone game Candy Crush, says it collects personally identifiable information "such as your name, address, telephone number or email address." But using the words "such as" means the list doesn't necessarily end there.

Aleecia McDonald is the director of privacy at the Stanford Law School's Center for Internet and Society. She notes that "such as" opens the gates for just about anything.

"It's not an exhaustive list," she said. "I read this as, 'We take everything we can get.'"

Policies change all the time. Companies revise the rules so often that advocates have launched a service called TOSBack to track updates.

For example, LinkedIn's (LNKD) privacy policy has been updated six times since March 27. Among the many tweaks: LinkedIn's privacy policy previously applied only to those with LinkedIn accounts. Now it applies to visitors too. And the service now uses cookies to recognize you "across different services."

"Companies reserve the right to change them. The ones they have today won't be the ones they have tomorrow," said Khaliah Barnes, who directs the student privacy project at the Electronic Privacy Information Center.

Sometimes they don't even exist. Mobile app developers are increasingly relying on even more nebulous "permissions" instead of privacy policies. These pop-ups list all the features an app can access on your phone. It's worth paying attention to them, because they're starting to get weird.

The Google (GOOG) Play Store's top free app, "Don't Tap the White Tile," has no privacy policy either -- even though it has been downloaded to more than 5 million smartphones worldwide. There's no information about Umoni Studio or what it does with your information.

Meanwhile, the app can tap into other programs and access whatever computer you plug into your phone.

Umoni Studio told CNN it's a team of two dedicated developers in Guangzhou, China who mean well. They admit the app collects all this data, but they promise they'll only give advertisers "aggregated or anonymous information."

"We focused on improving our games so... we got little time to add the privacy policy," the company wrote.


Search for Jobs