Data Privacy Hidden in Fine Print: Why Streaming Sites' Illegible Privacy Policies are Problematic 

A recent study by VPNOverview has revealed that privacy policies from some of the most popular streaming services are extremely difficult to read, sparking concern about the complexity of data privacy documentation.  

The study, which measured the readability of each policy on a scale of 0 to 100, found that the majority of streaming services policies were unreadable to anyone who isn’t educated at the university level. 

The least readable policy by far belonged to Disney+, whose privacy policy took 20 minutes to understand despite being notably shorter than other entries. 

The children-targeted tv and film-streaming platform scored a readability score of 2.8, making it almost entirely illegible to the majority of the world’s population.

Some of the most popular streaming platforms in the world, such as Netflix and Spotify, also scored low on the readability scale. 

Netflix was the second least readable with a score of 23.7, while Spotify scored slightly higher, with a score of 25.0. Both of the policies could only be read by university graduates aged 21 and above, the report noted. 

“This is particularly problematic when you consider that 1 in 7 adults in England alone have a reading age expected of a 7-9-year-old,” he added. 

“The majority of the policies we examined would be considered unreadable for many UK users, given that the majority required at least a university undergraduate reading level, Chris Bluvshtein, cybersecurity expert and author of the study, explained.

Data privacy hidden in fine print

The findings echo recent research by the Pew Research Centre, which showed that just 9 per cent of adults read privacy policies due to their complexity and length. 

While many of the policies examined as part of the study do specify how they collect users’ data, much of this information is hidden behind pages of over-complicated and unnecessary information, making it inaccessible and unclear. 

Channel 4’s privacy policy, for instance, totalled a whopping 9,286 words in its entirety despite being the most readable of all the policies examined. 

This means that, despite being readable to 5 to 18-year-old school students, it would take the average reader 1 hour and 11 minutes to read the pages and pages of information. 

To read more about data privacy, visit our dedicated Data Management Page. 

Within the walls of largely irrelevant information, Channel 4’s privacy policy provides a short statement about how it handles users’ data it takes from third-party providers. 

It states that the streaming platform takes  from “reputable data providers who we have thoroughly checked” and one of these, Axiom, has collected data “through publicly available records such as the electoral roll.”

This personal data includes information about peoples’ housing situation, marital status, family and children, and household consumption habits, the study noted. 

“A privacy policy is one of the most important statements on a company’s website. Skipping over one could put your personally identifiable information at risk of being exposed and resold, Mr Bluvshtein explained. 

“This makes you more vulnerable to annoying, unwanted spam calls and having your identity stolen," he added, making users more susceptible to cybercriminal activity.

Sensitive data: taken, shared and re-used

One of the most concerning findings from the study was the sheer amount of personal and sensitive information streaming services take from users and share with third parties. 

This is Disney+ Hotstar's privacy policy. Read the last point. The reason we need GDPR. pic.twitter.com/IeuczJ9IrD

— Sunil Bhusari (@sunilbhusari) April 26, 2020

Although it is standard practice for streaming firms to share data with third parties, many of those examined detailed further data privacy policies that users may not be aware they are agreeing to. 

“The information received by the other company is controlled by that company and becomes subject to the other company’s privacy practices,” Disney’s policy reads in fine print, which the study notes means that users are agreeing to the policies of other companies' policies without realising. 

Other policy documents can be changed at any moment by their provider. The BBC iPlayer’s privacy for policy, for instance, states it can adjust its privacy policies at any time as long as it warns users of significant revisions that change their use of users’ data. 

“We will revise the privacy notice if there are significant changes to how we use your personal data. The date of the most recent revisions will appear on this page,” the document reads.   

Get involved in the most important technology event for business! Over 10,000 business leaders and pioneers across industry verticals connect at Tech Show London. Be a part of the latest tech conversations at the Mainstage Theatre and tackle the hottest topics like skill shortages, diversity, cyber security, sustainability, and more. One ticket gets you free access to five shows: Big Data & AI World, Cloud Expo Europe, Cloud & Cyber Security Expo, Data Centre World, and DevOps Live.

Don’t miss out on one of the most popular technology shows of the year on 8-9 March 2023 at ExCeL London. Register here!