Why Privacy Policies Are So Inscrutable

Marcus Moretti and Michael Naughton | The Atlantic | September 5, 2014

The agreements of the 50 most popular websites in America are composed of 145,641 words. This is why.

Websites didn’t used to write privacy policies. As late as 1998 only 14 percent of websites disclosed anything about their data-gathering techniques, even as 92 percent collected “great amounts of personal information” about their customers, according to the Federal Trade Comission. But customers and the government soon caught on, and over the next few years the number of sites that disclosed how they use data caught up to the number that collected it. Today you probably couldn’t find a popular site that doesn’t have a privacy policy.

We work with data and research digital rights issues, and we were curious whether most popular websites respect your privacy as much as they claim to. So we gathered up and analyzed the 145,641 words that make up the privacy policies of the 50 most popular American websites. (Collectively, they amount to a text that’s about as long as The Grapes of Wrath.) What we found was that these policies tell you very little about the data these websites have on you. And that’s the point.

Today’s privacy policies don’t tell consumers the whole story for two main reasons. First, websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines. The vaguer and more elastic their language, the more risk reduced. Second, over the past ten years, a new industry of “data brokerage” has arisen to help sites learn more about the people like you and me on the other side of the screen...