
What Streaming Services Do with Your Data

Privacy policies set out all the ways in which an organization gathers, stores, and uses its customers’ or clients’ personally identifiable information and data. These are legal statements which people often agree to without fully reading, due to the length and complexity of these documents.

With this in mind, cybersecurity expert Chris Bluvshtein from VPNOverview has compared the most complicated and difficult to read privacy policies from the top streaming services, in order to see what data these companies are really gathering about you.

Disney+
Time to read: 20 minutes
Reading level: University Graduate (21 and above)

Disney+ was found to be the hardest policy to read, given it had the lowest readability score by far at just 2.8 out of 100. The policy says that the streaming platform can share your data with third parties, which is a common part of many privacy policies. However, Disney also include the following in the fine print:

“The information received by the other company is controlled by that company and becomes subject to the other company’s privacy practices.”

This means that you are also agreeing to the policies of those other companies without knowing it.

Netflix
Time to read: 38 minutes
Reading level: University Graduate (21 and above)

Netflix was found to be the second most difficult policy to read with a readability score of 23.7 out of 100. Its policy is also one of the longest at 4,977 words, meaning that it would take the average reader nearly 40 minutes to sift through.

The streaming giant collects a wide range of invasive user data such as devices used, location, and browsers. Netflix is very vague on exactly how and why it collects said data but uses it to its advantage with crackdowns on account sharing.

Spotify
Time to read: 45 minutes
Reading level: University Graduate (21 and above)

Spotify had the third most difficult policy, with a readability score of 25.0 out of 100 and was the second longest, taking around 45 minutes to read through.

Spotify’s privacy policy states that it can log and store voice data and build up personal profiles of users, despite having no real need to do so. The policy claims to use voice data to “evaluate and develop new features, technologies and improvements to the Spotify service” and “to comply with a legal obligation we are subject to.”

In fact, 42% of Spotify’s policy relates to the collection and use of your personal data, equating to 2,468 out of the 5,799 words in the document.

Sky
Time to read: 13 minutes
Reading level: University Graduate (21 and above)

Sky’s privacy policy is one of the shortest at only 1,710 words, but its low readability score of 29.7 makes it the fourth most difficult to read.

Sky states that it will keep data including payment card and financial history for up to seven years, even after you cancel your subscription. Other types of data such as recorded calls to customer services are deleted after a more reasonable twelve months.

YouTube
Time to read: 7 minutes
Reading level: University Student (18-21 years old)

The video sharing and streaming platform ranked as the fifth most difficult to read, with a policy readability score of 30.6 out of 100. YouTube’s policy is the second shortest on this list at just 872 words. As it would take the average user only 7 minutes to read, the policy is shorter than the average video on the platform.

YouTube shares some of its privacy policies with Google as it belongs to this parent company. The policy states that data such as search terms, videos watched, and location data are all stored and used to serve personalised adverts to its viewers.

ITV
Time to read: 22 minutes
Reading level: University Student (18-21 years old)

ITV’s privacy policy is only 300 words longer than that of Disney+; however, it is much easier to read, with a score of 35.6/100.

The policy states that the user can object to the company processing their personal information and that they will “consider if your rights outweigh our interests and if they do, then we will either restrict our use of your information or delete it.”

BBC iPlayer
Time to read: 4 minutes
Reading level: University Student (18-21 years old)

This is the shortest policy on the list at 555 words, taking just 4 minutes to read. It is the third easiest policy to read on our list, with a score of 43.2.

Within this policy, the BBC do include a small note about updating the document. Users should be made aware of any changes by email in the event they want to cancel the service.

The BBC states that “We will revise the privacy notice if there are significant changes to how we use your personal data. The date of the most recent revisions will appear on this page.”

This means that the BBC are not able to drastically change the way they use your data without you agreeing to their privacy policy again.

Apple TV+
Time to read: 18 minutes
Reading level: University Student (18-21 years old)

Apple have taken steps to improve user privacy such as including a ‘do not track’ option for users. Their policy is on par with the BBC for ease of reading as it has a readability score of 43.4/100.

However, the policy for Apple TV states that information regarding purchases and downloads can be retained for “at least a 10-year retention period, but in regions such as China that period can be 30 years.”

Channel 4 (All 4)
Time to read: 71 minutes
Reading level: School Student (15-18 years old)

Channel 4, who own the streaming service All 4, have the easiest privacy policy to read out of all the streaming services with a readability score of 56.2/100. They do, however, have the longest policy on the list, taking the average user 1 hour and 11 minutes to read through it all.

Channel 4 have a statement in their policy concerning third parties. The policy states that they collect data from “reputable data providers who we have thoroughly checked” and that one of these, Axiom, has collected data “through publicly available records such as the electoral roll.”

This data includes information about your housing status, whether you are married or have children, and your household consumption habits.

Chris Bluvshtein from VPNOverview adds:

“A privacy policy is one of the most important statements on a company’s website. Skipping over one could put your personally identifiable information at risk of being exposed and resold. This makes you more vulnerable to annoying, unwanted spam calls and having your identity stolen.

“The majority of the policies we examined would be considered unreadable for many UK users, given that the majority required at least a university undergraduate reading level. This is particularly problematic when you consider that 1 in 7 adults in England alone have a reading age expected of a 7-9 year old.”