Some customers of mattress-maker Sleep Number noticed an alarming passage in the company's privacy policy this week: It said it may record "audio in your room to detect snoring and similar sleep conditions."
Sleep Number quickly called the terms a "mistake" and clarified that the beds do not in fact have microphones or audio recording capability. The company has now revised its privacy policy.
But the customers were right to be alarmed. A spokesperson for the company told CNBC that a prototype was in the works to enable audio snoring detection, but was not launched, and this was the product to which the legal notice referred. One of the company's higher-end bed models does have a snoring function, but it only allows a partner to push a button and raise his or her snoring partner's side of the bed, a manual process that requires no recording, the spokesperson said.
The fact is, despite legislation meant to alleviate some of the confusion over privacy regulations, consumers still often have to rely on their eagle-eyed counterparts reading pages of documentation and posting their findings to Twitter. That's a scary prospect, as more and more of our everyday devices go online and we live more of our lives connected -- even when we're sleeping.
Realism and privacy policies
The $3,000+ "360 Smart Bed," the model that had been considered for the advanced audio snoring feature, comes with a smart phone app that allows users to track their sleeping habits.
There are other privacy policy caveats for these beds, including the collection of: "biometric and sleep-related data about how you, a child, and any person that uses the bed slept, such as that person's movement, positions, respiration, and heart rate while sleeping." The terms also say, "We may disclose your personal information to our affiliates, vendors, or business partners who are acting on our behalf."
It's very easy for consumers to miss these important caveats. Back in 2014, The Atlantic gathered the privacy policies of 50 of the world's biggest websites, and determined they together came close to 145,000 words.
Despite landmark General Data Protection (GDPR) legislation in the EU this May, not much has meaningfully changed since then. According to security software company Varonis, many large corporate privacy policies are still novella-length. Reddit's and Facebook's take nearly a half-hour to read fully, and Ebay's requires the reading level of a college senior, according to their research.
The legislation aimed to alleviate some confusion around privacy, in part by supporting those now-ubiquitious "we have updated our privacy policy" pop-ups. But as more devices have become connected, and many have had to add template-style GDPR privacy policies to their existing wording, those policies have just become longer, meaning consumers often have to rely on other watchful consumers to report on problematic changes.
