The Evolution of Online Privacy Policies: Trends and Insights

Adrian Vicol avatar
Adrian Vicol
Published on May 22

Find out how privacy policies evolve over time, increasing both in terms on length and complexity.

Logo

AgainstData

Clean your inbox forever in under 5 minutes ⏱️

Try it Free
The evolution of online privacy policies: Trends and insights

In the intricate digital landscape where personal data is both currency and commodity, online privacy policies stand as the guardians of user rights and data protection.

Yet, amidst their crucial role, the evolution of these policies reveals a complex narrative of change, challenging readability, and corporate responsibility.

We recently delved into over 50 leading online companies, scrutinizing their privacy policies to unearth trends and insights. The findings paint a vivid picture of the state of privacy documentation in the online sphere, shedding light on both promising improvements and concerning patterns.

One striking revelation is the temporal cadence of policy updates. More than 40% of privacy policies undergo revision between November and January, perhaps reflecting a concerted effort to align with the evolving legal frameworks or address emerging privacy concerns.

However, despite this periodic refreshment, the study unearthed the disquieting presence of outdated policies, with the oldest unrevised document dating back 3.6 years, a relic of a bygone digital era belonging to India Times.

The Readability (Flesch-Kincaid) Grade Level is a measure of text readability.

Amongst the vast sea of privacy policies, Facebook's stands as a “off the scale” outlier, boasting the title of the longest document (by far). Clocking in at over two hours for thorough reading, it underscores the daunting task users face in navigating the intricate web of data usage and privacy regulations.

Yet, mere length is not the sole barrier; complexity poses an equally formidable challenge. Yelp's privacy policy emerges as a paragon of intricacy, with a staggering Flesch-Kincaid Grade Level of 16.1, surpassing the readability of many scholarly works and leaving the average reader grappling for comprehension.

However, amidst the complexity and length, glimmers of progress shine through. Giants like Microsoft and Apple have embarked on a journey of simplification and streamlining, actively reducing both the reading time and complexity of their privacy policies. Their efforts underscore a commitment to enhancing user understanding and transparency, setting a commendable precedent for the industry.

Nevertheless, the overarching trend reveals a concerning trajectory towards lengthier and more convoluted privacy policies.

Take Google, for instance, whose document has ballooned in both length and complexity over the past three years, increasing by a staggering 58% and 61%, respectively. This annual growth of 20% in both dimensions underscores a worrying divergence from user-friendly documentation.


On average, a privacy policy spans approximately a year in age, with a Flesch-Kincaid Grade Level of 10.34 (kind of like reading A Brief History of Time by Stephen Hawking), with to a reading time of around 34 minutes.

Now all you need to do is multiply this with the number of services you are currently using and sites you are visiting to understand the utter futility in trying to make sense of them.

These metrics serve as a barometer of the evolving landscape of digital privacy, where the intersection of legal jargon and user comprehension remains a pivotal battleground.

While browsing trough these documents we also identified another worrying trend, that has to do with “Data Partners”.

From a privacy perspective, data partners are entities or organizations with whom a company (For example a website you are visiting) shares or exchanges user data for various purposes, such as marketing, analytics, or research.

These partnerships can take different forms, ranging from data sharing agreements to collaborative projects. Privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) often require companies to obtain user consent before sharing their personal data with third parties, including data partners.

This means that companies must inform users about their data sharing practices and give them the opportunity to opt-in or opt-out of such sharing. However, the extent to which this is happening right now is staggering with most websites having hundreds, yes you heard me right HUNDREDS of data partners.

So an “OK TO ALL” on a privacy option could send your data to all of them.

What is Data Sharing with Data Partners?

Imagine you're using a website or app, and you see recommendations for products you might like or ads that seem tailored to your interests. Have you ever wondered how they know what you might be interested in?

That's where data sharing with data partners comes in.

What Happens Behind the Scenes?

When you use a website or app, you leave behind a trail of digital footprints—things like the pages you visit, the searches you make, and even the products you buy.

Companies can collect this information to learn more about you and improve your experience. Data sharing with data partners allows websites and apps to offer you personalized experiences.

For example, it helps them show you ads that are more relevant to your interests, recommend products you're likely to enjoy, or improve their services based on how you use them.

In conclusion, the study offers a nuanced portrayal of the multifaceted realm of online privacy policies. While strides towards simplicity and transparency are commendable, the pervasive trend towards complexity and length warrants introspection.

As custodians of user trust and data stewardship, online entities must heed the clarion call for accessible, comprehensible privacy documentation, ensuring that users are empowered with knowledge and agency in the digital age.

Key findings (Summary)

The below findings were identified by studying over 50 top online companies by looking at their present and past privacy policies. We analyzed the lengths and text complexity of the documents by estimating a reading speed of 200 words per minute.

After counting the number of words in each document we proceeded to calculate the Readability (Flesch-Kincaid) Grade Level.

  • More than 40% of Privacy Policies are updated between November and January
  • The oldest unrevised Privacy Policy is 3.6 years old and belongs to India Times.
  • The longest Privacy Policy belongs to Facebook and takes more than 2 hours to go trough
  • The most complex text belongs to Yelp with a mind bending 16.1 Readability level (Flesch-Kincaid Grade Level) topping in complexity many academic papers out there. By contrast a 80% of Americans can read a grade 8 text.
  • On average a Privacy Policy is about a year old
  • On average a Privacy Policy has a Readability (Flesch-Kincaid) Grade Level of 10.34
  • On average a Privacy Policy has an average reading time of 34 minutes
  • Privacy Policies are generally getting longer and more complex. If we look at Google over the past 3 years, the time necessary to read the document increased by a whopping 58% in three years together with the complexity of the text that went up by 61%. This means that on average Google's privacy Policy went up both in length and complexity by 20% each year.
  • There are however some good examples of simplification and shortening of Privacy Policies by big players in the online domain including Microsoft and Apple, which have put significant effort in improving the reading time and complexity of their privacy legal documents.
  • The number of Data Partners of an average website is over 100, with websites reaching over 600 in some cases