Kasdan pointed out that the policy allows third parties to access information to display ads or link your activity to social media.
"We have added certain features to our websites and mobile applications that allow social networks (such as Facebook, Twitter ...) to track the activities of their members," the policy says.
Starbucks says the privacy of its customers is important.
Governments are beginning to regulate how companies gather data. Last year, the General Data Protection Regulation, or GDPR, went into effect in Europe, requiring companies that collect data in European Union countries to clean up their policies for those consumers.
"GDPR basically says if a company is going to collect the private data of an EU citizen, it needs to do some things with that data that it may not have been doing before," Vecci said. "It needs to … delete the data when it's no longer needed. Those companies need to make sure that only the right people have access to that data and that it's not exposed."
California has a similar law going into effect next year, and other states may follow suit.
"These aren't negotiated agreements … these are sort of offered as is by these companies … if you don't want to agree to it you can't change it on an individual basis," Kasdan said. "The recourse is to not use the product or service. But I think you can also make some noise."