Most people just click and accept privacy policies without reading them — you might be surprised at what they allow companies to do

Key Points
  • CNBC talks to three privacy professionals to get their take on privacy policies and what consumers need to know.
  • Reading the policies requires at least some high school education and sometimes advanced degrees, according to research by cybersecurity company Varonis.
  • “Unless you've paid for it, you're the product," says Varonis' Brian Vecci.
What is really in that privacy policy?

When you download a new app or open a new online account, you probably click to agree to the privacy policy without ever reading it. But what you don't read may surprise you. Many companies gather large amounts of personal data, and their policies often allow them to share it with third parties.

CNBC talked to three privacy professionals to get their take on privacy policies and what consumers need to know.


The first lesson: These policies are difficult for the average American to understand.

"They're not designed for consumers, for you and me, to understand. They're written by lawyers for lawyers to protect the company," said Brian Vecci, the field chief technology officer for Varonis, a cybersecurity company that focuses on securing data.

Varonis researched in July how long it takes to read the privacy policies of some well-known companies and found that some take more than 27 minutes. Understanding the policies also requires at least some high school education and, in some cases, an advanced degree.

Brian Vecci is the field chief technology officer for cybersecurity company Varonis, which specializes in keeping data safe.

"When we're getting these free services, we are engaging in a bargain. There is an exchange here. We're getting something free. And in exchange we are giving these companies our personal data," said Alex Urbelis, a partner at Blackstone Law Group, specializing in privacy and cybersecurity.

Vecci agrees. "Unless you've paid for it, you're the product. You're not the consumer," he said. "Every time you sign up for an app, in many cases, that app is going to ask for access to your photos, access to your location, access to your music files, whatever you're listening to. You're potentially giving up a whole lot of information."

Many policies include language that says a company can change the policy at any time without notice, according to Vecci. "Companies shouldn't be able to change their privacy policy on a dime without notifying anybody. Companies shouldn't be able to start collecting more information about you that you didn't give them consent to do."

Urbelis said he sometimes wonders why companies are collecting the data they do. "The reasons why they're collecting all of this information are really a mystery to the consumer. We don't know what's happening there. But what we do know is that they find this very, very valuable."

Alex Urbelis, a partner at Blackstone Law Group, specializes in privacy and cybersecurity.

The information gathered can sometimes be shared with third parties. "The level of information and the amount of data being collected and shared with third parties is massive," said Michael Kasdan, a partner at Wiggin and Dana, who specializes in privacy and intellectual property.

Michael Kasdan, a partner at Wiggin and Dana, specializes in privacy and intellectual property.

Most companies say they will anonymize data before sharing it. But removing names and account identifiers is not the same as making a record untraceable: the remaining fields can still be matched against information known about a person from elsewhere.

"Just a few points of location data, three or four points, let's say, of location data … could be used to de-anonymize data, and figure out who you actually are," Urbelis said.
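To make the point concrete, here is an added example (constructed synthetic data; not from the article or from any company named in it) of the linkage attack Urbelis describes. A pseudonymized set of location pings, with names replaced by opaque IDs, is matched against three externally known sightings of one person; with each sighting the set of pseudonyms consistent with all observations shrinks until a single one remains. The pseudonyms, coordinates and the 200 m matching radius are all assumptions made for the illustration.

```python
"""Re-identifying a pseudonymized location dataset from a few known points.

Constructed example: every ping and sighting below is synthetic.
"""
from math import cos, hypot, radians

# "Anonymized" export: names replaced by pseudonyms, but (day, hour, lat, lon)
# pings kept intact. Constructed data for a handful of fictitious users.
ANON_PINGS = {
    "p1": [("Mon", 8, 40.7581, -73.9850), ("Mon", 18, 40.7306, -73.9352),
           ("Tue", 9, 40.7527, -73.9772)],
    "p2": [("Mon", 8, 40.7579, -73.9858), ("Mon", 18, 40.7485, -73.9860),
           ("Tue", 9, 40.7794, -73.9632)],
    "p3": [("Mon", 8, 40.7582, -73.9853), ("Mon", 18, 40.7483, -73.9855),
           ("Tue", 9, 40.7526, -73.9770)],
    "p4": [("Mon", 8, 40.7580, -73.9855), ("Mon", 18, 40.7488, -73.9852),
           ("Tue", 9, 40.7614, -73.9776)],
    "p5": [("Mon", 8, 40.6892, -74.0445), ("Mon", 18, 40.7484, -73.9857),
           ("Tue", 9, 40.7527, -73.9772)],
}

# Auxiliary knowledge about one named person: three places and times where
# the attacker knows "Alice" was (constructed sightings).
ALICE_SIGHTINGS = [
    ("Mon", 8, 40.7580, -73.9855),
    ("Mon", 18, 40.7484, -73.9857),
    ("Tue", 9, 40.7527, -73.9772),
]


def distance_km(lat1, lon1, lat2, lon2):
    """Equirectangular approximation; adequate at the sub-kilometre scale used here."""
    dlat = (lat2 - lat1) * 111.0
    dlon = (lon2 - lon1) * 111.0 * cos(radians((lat1 + lat2) / 2.0))
    return hypot(dlat, dlon)


def consistent(pings, sighting, radius_km):
    """True if the pseudonym has a ping in the same hour within radius_km of the sighting."""
    day, hour, lat, lon = sighting
    return any(
        d == day and h == hour and distance_km(lat, lon, plat, plon) <= radius_km
        for d, h, plat, plon in pings
    )


def reidentify(anon, sightings, radius_km=0.2):
    """Return (pseudonyms consistent with every sighting, candidate count after each one).

    A pseudonym with no ping in a sighting's hour is treated as excluded; a laxer
    rule that keeps unobserved pseudonyms would shrink the set more slowly but
    never change which pseudonym survives when the data is complete.
    """
    candidates = set(anon)
    sizes = []
    for sighting in sightings:
        candidates = {p for p in candidates if consistent(anon[p], sighting, radius_km)}
        sizes.append(len(candidates))
    return candidates, sizes


if __name__ == "__main__":
    survivors, shrink = reidentify(ANON_PINGS, ALICE_SIGHTINGS)
    print("candidates after each sighting:", shrink)
    print("pseudonym(s) matching Alice:", sorted(survivors))
```

Nothing in the export had to be "personal" in the usual sense for the match to work: the day, hour and rough position of three pings were enough, which is why a policy promise to "anonymize" location data deserves skepticism.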

Examples of troublesome privacy policies

CNBC asked the pros to point out privacy policies that raise some red flags.

Urbelis is concerned about a Bluetooth-equipped Philips Sonicare electric toothbrush model that connects to a companion app and reports the user's brushing habits.

"When you sign up to use this particular toothbrush, it's collecting information, sensitive information, about your brushing habits, where your cavities are located," he said. "When you brush, it's measuring things like the pressure that you're using on a toothbrush, the frequency of your brushing habits."

The policy says, "The personal data we collect may include your first name, username, profile picture, email address, gender, birthday/age, country, language and password." It adds, "Philips may also work with third parties who process your personal data for their own purposes."

A selection of electric toothbrushes, including a Philips Sonicare 3 Series, Oral-B Pro 6500 Black Smart Series Bluetooth, Colgate Proclinical A1500 Expert White, Philips Sonicare DiamondClean, Foreo Issa and Panasonic EW-DE92 Ionic Rechargeable, taken on October 6, 2015. (Photo by Joseph Branston/T3 Magazine via Getty Images)

Urbelis is concerned about the sharing of information. "What really terrified me about this was that in the Sonicare privacy policy, they tell you they're going to share this information," he said.

A Philips spokesperson said the data collected is used for personalization.

"The Sonicare app provides personalized advice to users on how to improve their brushing and oral hygiene habits based on their personal data. ... Based on the personal data, the user will be able to receive personalized services, e.g. set personal goals, follow progress and receive oral care recommendations," said Philips spokeswoman Natasha Best in an email. "The Privacy Notice is aimed at transparency on this point, as it describes in detail which data will be received by Philips. ... For clarity, we wish to underline that some of the data fields to create a MyPhilips account (such as gender, age) are optional, so a user can decide to provide those data, or choose not to."

As for the third parties, Philips told CNBC, "This section of our Sonicare app Privacy Notice describes the option for our users to indicate their wish to share their personal data with other parties (i.e. independent third parties), who will then process the user's personal data for their own purposes and provide their own services to the user. The Privacy Notice describes who these parties are and informs the app users that Philips will only share their data with these independent third parties at the users' request. In these cases, the app will ask for the user's consent before sharing any data."

Kasdan flagged Starbucks' app and website for collecting a great deal of information that has nothing to do with serving coffee.


The company's privacy policy says it collects, "the web pages you view (including the date and time ... and the subject of the ads you click or scroll over."

Kasdan pointed out that the policy allows third parties to access information to display ads or link your activity to social media.

"We have added certain features to our websites and mobile applications that allow social networks (such as Facebook, Twitter ...) to track the activities of their members," the policy says.

Trust in tech

Starbucks says the privacy of its customers is important.

"We regularly evaluate all policies to make sure we're protecting their best interests. We strive to be transparent in how we engage with and use this information to personalize our customer experience; we do not sell information to advertising companies. You'll also note that the terms of our policy provide customers options for choosing to share information with us as well as the ability to opt-out or modify what information we access, with their consent. If customers have any questions about our privacy policy, we encourage them to contact us directly," said Starbucks spokeswoman Maggie Jantzen in an email.

Governments are beginning to regulate how companies gather data. Last year, the General Data Protection Regulation, or GDPR, took effect in the European Union, requiring companies that collect the personal data of people in the EU to tell those consumers what they collect and why, to honor requests to access or delete it, and to rewrite their policies accordingly.

"GDPR basically says if a company is going to collect the private data of an EU citizen, it needs to do some things with that data that it may not have been doing before," Vecci said. "It needs to … delete the data when it's no longer needed. Those companies need to make sure that only the right people have access to that data and that it's not exposed."

California has a similar law, the California Consumer Privacy Act (CCPA), going into effect next year, and other states may follow suit.

In the meantime, Urbelis and Kasdan say you should read the privacy policy before clicking to accept.

"These aren't negotiated agreements … these are sort of offered as is by these companies … if you don't want to agree to it you can't change it on an individual basis," Kasdan said. "The recourse is to not use the product or service. But I think you can also make some noise."