Most people just click and accept privacy policies without reading them — you might be surprised at what they allow companies to do
- CNBC talks to three privacy professionals to get their take on privacy policies and what consumers need to know.
- Reading the policies requires at least some high school education and sometimes advanced degrees, according to research by cybersecurity company Varonis.
- "Unless you've paid for it, you're the product," says Varonis' Brian Vecci.
CNBC talked to three privacy professionals to get their take on privacy policies and what consumers need to know.
The first lesson: These policies are difficult for the average American to understand.
"They're not designed for consumers, for you and me, to understand. They're written by lawyers for lawyers to protect the company," said Brian Vecci, the field chief technology officer for Varonis, a cybersecurity company that focuses on securing data.
Varonis did research in July on how long it takes to read the privacy policies of some well-known companies and found some can take more than 27 minutes. The policies also require at least some high school education and sometimes advanced degrees.
"When we're getting these free services, we are engaging in a bargain. There is an exchange here. We're getting something free. And in exchange we are giving these companies our personal data," said Alex Urbelis, a partner at Blackstone Law Group, specializing in privacy and cybersecurity.
Vecci agrees. "Unless you've paid for it, you're the product. You're not the consumer," he said. "Every time you sign up for an app, in many cases, that app is going to ask for access to your photos, access to your location, access to your music files, whatever you're listening to. You're potentially giving up a whole lot of information."
Urbelis said he sometimes wonders why companies are collecting the data they do. "The reasons why they're collecting all of this information are really a mystery to the consumer. We don't know what's happening there. But what we do know is that they find this very, very valuable."
The information gathered can sometimes be shared with third parties. "The level of information and the amount of data being collected and shared with third parties is massive," said Michael Kasdan, a partner at Wiggin and Dana, who specializes in privacy and intellectual property.
Most companies say they will anonymize data before it is shared.
"Just a few points of location data, three or four points, let's say, of location data … could be used to de-anonymize data, and figure out who you actually are," Urbelis said.
Examples of troublesome privacy policies
CNBC asked the pros to point out privacy policies that raise some red flags.
Urbelis is concerned about a Philips Sonicare electric toothbrush model that has Bluetooth built in. It connects to an app that reports on the user's brushing habits.
"When you sign up to use this particular toothbrush, it's collecting information, sensitive information, about your brushing habits, where your cavities are located," he said. "When you brush, it's measuring things like the pressure that you're using on a toothbrush, the frequency of your brushing habits."
The policy says, "The personal data we collect may include your first name, username, profile picture, email address, gender, birthday/age, country, language and password." It adds, "Philips may also work with third parties who process your personal data for their own purposes."
A Philips spokesperson said the data collected is used for personalization.
"The Sonicare app provides personalized advice to users on how to improve their brushing and oral hygiene habits based on their personal data. ... Based on the personal data, the user will be able to receive personalized services, e.g. set personal goals, follow progress and receive oral care recommendations," said Philips spokeswoman Natasha Best in an email. "The Privacy Notice is aimed at transparency on this point, as it describes in detail which data will be received by Philips. ... For clarity, we wish to underline that some of the data fields to create a MyPhilips account (such as gender, age) are optional, so a user can decide to provide those data, or choose not to."
As for the third parties, Philips told CNBC, "This section of our Sonicare app Privacy Notice describes the option for our users to indicate their wish to share their personal data with other parties (i.e. independent third parties), who will then process the user's personal data for their own purposes and provide their own services to the user. The Privacy Notice describes who these parties are and informs the app users that Philips will only share their data with these independent third parties at the users' request. In these cases, the app will ask for the user's consent before sharing any data."
Kasdan flagged Starbucks' app and website for collecting a great deal of information that has nothing to do with serving coffee.
Kasdan pointed out that the policy allows third parties to access information to display ads or link your activity to social media.
"We have added certain features to our websites and mobile applications that allow social networks (such as Facebook, Twitter ...) to track the activities of their members," the policy says.
Starbucks says the privacy of its customers is important.
Governments are beginning to regulate how companies gather data. Last year, the General Data Protection Regulation, or GDPR, went into effect in Europe, requiring companies that collect data in European Union countries to clean up their policies for those consumers.
"GDPR basically says if a company is going to collect the private data of an EU citizen, it needs to do some things with that data that it may not have been doing before," Vecci said. "It needs to … delete the data when it's no longer needed. Those companies need to make sure that only the right people have access to that data and that it's not exposed."
California has a similar law going into effect next year, and other states may follow suit.
"These aren't negotiated agreements … these are sort of offered as is by these companies … if you don't want to agree to it you can't change it on an individual basis," Kasdan said. "The recourse is to not use the product or service. But I think you can also make some noise."