Skip to content   Skip to footer navigation 

How to make sense of a privacy policy

Privacy policies are lengthy and often full of jargon, so just what should you look out for?

person entering their details into webform on smartphone
Last updated: 06 May 2024
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers, verifiers and subject experts. Find out more about fact-checking at CHOICE.

When most of us encounter a privacy policy, it's usually a case of TL;DR (too long; didn't read). You're unlikely to go through it in detail, and even if you found something you didn't like or understand, there's little you can do if you want to interact with the organisation anyway.

But it's important to understand what data you're giving away in order to give informed consent. Here, we look at the issues with current privacy policies and explain what you should look out for.

What is a privacy policy?

Privacy policies have become commonplace – a necessary response to an organisation's increased ability to collect personal information through the rise of digital interactions, and the increased value of consumer data as companies look to target people online.

So just when does a privacy policy apply and what is it for?

In Australia, government agencies, organisations with an annual turnover of more than $3 million and some small businesses such as health service providers must have a plain language statement that outlines how they handle personal information.

Privacy policies should explain which personal details are collected, and how those details are collected, used, stored and even transmitted

It must be available on the website, on paper or via a mobile screen. If you don't have access to the internet, you can phone the organisation or agency and ask for a paper copy.

Privacy policies should explain which personal details are collected, and how those details are collected, used, stored and even transmitted.

Ideally, privacy policies should build trust in people with the organisations they transact with and ensure the organisations are responsible in the way they handle sensitive information.

The problem with privacy policies

According to a 2020 Consumer Policy Research Centre (CPRC) survey, privacy policies in Australia don't help people make informed choices around the collection and use of their personal information, and they don't provide consumers with genuine choice or control.

The survey of 1000 consumers also found that most people don't read privacy policies, are compelled to accept terms they're not comfortable with, and are uncomfortable with how their information is collected and shared.

A separate study by the Office of the Australian Information Commissioner (OAIC) found that even among those who normally read the privacy policy attached to a website, 41% say they sometimes don't read it because it's too long, and 26% sometimes don't because it's too hard to read.

In 2023, the CPRC conducted another survey that focused on terminology in privacy policies. Of the 1000 consumers involved, results found that the majority did not know the meaning of terms often used in privacy policies. 

For example: 

  • 63% didn't understand the term 'audience data'
  • 67% didn't understand 'advertising ID'
  • 74% didn't understand 'hashed email address'
  • 81% didn't understand 'pseudonymised information'. 

So if you've found yourself confused by a privacy policy you can't comprehend or wade through, you're not alone. 

Most people don't read privacy policies, are compelled to accept terms they're not comfortable with, and are uncomfortable with how their information is collected and shared

Dr Normann Witzleb, adjunct associate professor in the faculty of law at Monash University, tells CHOICE that many organisations routinely collect or retain too much information. 

"In some cases, it's because they operate a data-driven business model, generating profits from processing large amounts of personal data. In other cases, it's because their business processes do not see data protection as a priority," says Witzleb.

In cases where a privacy breach occurs, he recommends organisations should face penalties that are proportionate to the severity of the incident. 

"There is also a need to properly fund the Office of the Australian Information Commissioner so that it can do its job," says Witzleb.

person entering a login and password on website

Most people use websites, apps and sign up to loyalty programs without reading the attached privacy policy.

What to check in a privacy policy

So you know what you should look out for, a privacy policy must include:

  • the organisation's name and contact details
  • the personal information collected and stored
  • how and why it is collected
  • how it will be used, disclosed and stored
  • how to access and correct personal details
  • how to lodge a complaint
  • whether information is shared outside of the country, and if so, whereabouts and who is legally responsible if something goes wrong.

It could also include whether electronic copies of ID documents (such as a driver's licence) are made and if so, how they are protected, and how long personal information is kept.

While this seems simple enough, privacy policies vary significantly in the amount of detail on these points and in the clarity of wording.

Is it OK to just skim read a privacy policy?

Short privacy policies aren't necessarily better – they may instead be vague and lacking in adequate detail. But if you're faced with a lengthy privacy policy, skim reading it is better than skipping it altogether. 

Searching for some common terms will help you gain insight into how your details are handled and whether the information that's collected about you is appropriate to the organisation and your dealings with it. 

Look for:

  • 'personal information' to gauge how your information is defined and collected
  • 'share with' used in conjunction with terms like 'affiliates', 'partners', 'related bodies' and 'third parties', which means your data is likely going to other organisations
  • 'identifying' or 'de-identifying', which refers to how personal details are removed from the data
  • 'process', 'collect', 'store' and 'transfer' indicate how your data is handled
  • 'offshore' or 'overseas' should tell you if your data is shared or stored externally
  • 'complaints handling' to find out how the organisation deals with complaints about the use and handling of the data they collect from you
  • 'advertising' information, including explanations of the data that is shared with external partners (usually called ad service providers).

When aiming to understand how an organisation uses your personal details, see if you can find the answers to these questions: 

  • What information are they collecting? Why and how?
  • How are they using this personal information and are they sharing it with anyone else?
  • Are there ways to opt out of some data collection and/or sharing, such as targeted advertising?

Clearer communication needed

The privacy regulator, the OAIC, says that privacy policies and notices need to communicate information-handling practices clearly and simply, but also comprehensively and with enough specificity to be meaningful. 

"They should be a transparency measure, not a take-it-or-leave-it rule of entry," a spokesperson says. 

In practice, most policies give people little or no option but to accept in order to access the product or service. 

OAIC suggests that to address the power and information imbalance between individuals and organisations, people should be able to choose between providers and organisations based on their information-handling practices. 

They should be a transparency measure, not a take-it-or-leave-it rule of entry

OAIC spokesperson

"Where alternative choices, products or services exist, privacy self-management mechanisms can influence the market to increase privacy protection in accordance with consumer demand," an OAIC spokesperson says.

If you want to make an official complaint about an organisation's privacy policy, go to the organisation's website and register the issue. And if possible, opt for another business.

If the concerns are more serious because you believe the policy doesn't comply with legal requirements, you can contact the OAIC.

CHOICE tip: The Terms of Service, Didn't Read website (abbreviated as Tos;DR) is a nonprofit, open-data project set up to help people decipher the fine print of privacy policies and terms and conditions. It grades the policies of major sites like Amazon, Facebook and YouTube on cookies, tracking and personal data use.

Best practice privacy policy 

A best practice privacy policy should: 

  • be downloadable so it can be saved and reviewed at a later date
  • use plain language and be neither overly long nor too brief
  • be structured in a way that's easy to follow
  • define the important terms and set out clearly what information is collected and how it's stored and processed (including any offshore transfers) 
  • outline your rights and where to direct any queries or complaints.

CHOICE consumer data advocate Kate Bower says that too often privacy policies are written in impenetrable legal jargon that deliberately obscures bad data practices.

"The worst privacy policies do little to inform and empower consumers and instead seek to offer legal protections for businesses who exploit and profit from consumer data," says Bower.

The worst privacy policies do little to inform and empower consumers and instead seek to offer legal protections for businesses who exploit and profit from consumer data

CHOICE consumer data advocate Kate Bower

A best practice privacy policy is written in simple and easily understood language that outlines what data is collected and for what purpose, and explains the context and principles underlying data collection. 

Given that organisations can have substantially more information about you than just the details you've provided, they need to be upfront about it. In addition to the information you provide, organisations can gather and buy data about you from partners and data brokers. 

"As the myriad uses for data grow, so do the requirements for disclosure in privacy policies making them long, dense and difficult for the average person to read and understand. And most have limited protection for consumers," says Bower. 

Consent fatigue

Witzleb points to the role of technology to empower consumers. In particular, the default settings in apps and websites should be to collect minimal personal data.

"The burden should not be on consumers to opt out of practices that they do not agree with," he says.

"Having to click your way through complex privacy menus for each website to protect your data is unreasonable and leads to 'consent fatigue', where consumers just give up on trying to protect their personal data," he adds.

Are privacy policies still fit for purpose?

There's one thing many people may not realise about privacy policies and data collection – the OAIC advises that consent is not always needed to collect an individual's personal information, although this is likely to change soon.

The Attorney-General's Department recently completed a three-year review of the Privacy Act. The report broadly found that stronger privacy protections are required in the digital age, based partly on consumer surveys that found 83% of respondents wanted more control and choice over how their personal information is collected and used.

As well as uplifting privacy protections, the reforms will focus on increasing the clarity of language used in privacy policies and increasing control and transparency over how customer data is used.

There is a lot more that a business can do to ensure they're putting people first, including only collecting and using the data necessary to provide you with the service or product

CHOICE consumer data advocate Kate Bower

Of the 116 proposals in the review, the government has agreed to 38 and agreed in principle to a further 68. Consultation with government, including the development of legislative and non-legislative amendments and proposals, is currently underway.

CHOICE would like to see less of the burden on individuals to be informed about data practices and more focus on businesses acting responsibly through the introduction of a fair and reasonable use test.

"A clear and simple privacy policy is the first step for businesses taking responsibility for how they collect and use our information. But there is a lot more that a business can do to ensure they're putting people first, including only collecting and using the data necessary to provide you with the service or product, which is what most of us would reasonably expect," says Bower.

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.