

How to Read a Privacy Policy (And What to Look For)

1 March 2026

A practical guide to understanding privacy policies: key sections, red flags, and how to spot vague or risky language.

The average privacy policy is 3,000–8,000 words long. A 2008 study estimated that reading every privacy policy you encounter would take 76 work days per year. Nobody reads them — and that's by design.

But you don't need to read every word to understand whether a company's privacy policy is good or bad. You need to know which sections matter, which phrases are red flags, and which promises are actually meaningful.

The five sections that actually matter

1. What data they collect

This section defines the scope of the relationship. Look for specifics — "name, email address, and payment information" is normal. Vague language like "information you provide" or "data about how you interact with our services" with no further definition is a red flag. It can mean almost anything.

Also look for what's collected automatically versus what you actively provide. Automatically collected data — device identifiers, location signals, behavioural data — is often more invasive than the data you consciously give them.

2. Who they share it with

This is where policies get creative with language. Watch for:

  • "Service providers" — usually fine; third parties handling infrastructure on the company's behalf
  • "Business partners" or "partners" — often means advertisers and data brokers
  • "Affiliates" — the company's corporate family; can be very broad for conglomerates
  • "Third parties" without further qualification — a significant red flag

3. Your rights and controls

The rights section tells you what leverage you have. Meaningful rights include: the right to access your data, delete it, port it to another service, and opt out of certain uses. Weak versions include the right to "request" these things with no commitment to honour them, or deletion rights that exclude data shared with third parties (which can't be recalled).

4. Data retention

"We keep your data for as long as necessary to provide our services" is one of the least meaningful statements in any privacy policy. "Necessary" has no fixed definition and is interpreted by the company whose interest it is to retain data.

Better policies specify: "we delete your account data within 30 days of account closure" or "we retain usage logs for 90 days." Specific timeframes are a positive signal.

5. How your data is used for AI / model training

This is the newest important section. Many companies now train AI models on user data. The policy should say explicitly whether your data is used for this purpose, whether you can opt out, and whether that opt-out actually prevents collection or just removes it from training after collection.

Red flag phrases

These phrases appear in real privacy policies and should prompt scrutiny:

  • "We may share your information with trusted partners" — "trusted" has no legal definition; this can mean any paying advertiser
  • "Information you choose to provide" — often used to describe data you're effectively required to provide to use the service
  • "Infer additional information about you" — the company is deriving sensitive attributes (age, health status, political views) from behavioural signals
  • "As permitted by applicable law" — the company will do whatever the weakest jurisdiction allows
  • "Your continued use of the service constitutes acceptance" — changes to the policy are treated as automatic consent
  • "We do not sell your data" — often technically true while data is extensively "shared" or "licensed" under definitions that exclude the legal definition of "sale"

Green flag phrases

  • Specific retention periods — "deleted within 30 days of account closure"
  • Technical detail on encryption — "encrypted at rest using AES-256" is better than "industry-standard security", but it only protects against stolen disks and backups, not against the company itself; "end-to-end encrypted" is the stronger claim, and it is only meaningful if the company never holds the keys
  • Opt-out before collection, not after — "you can disable X in settings before we begin collecting"
  • No advertising business — non-profits, B-corps, or companies with explicit no-ads policies have less incentive to over-collect
  • Independent audits — references to external privacy or security audits
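The red-flag and green-flag lists above, and the retention-period test from section 4, can be run mechanically as a first pass before you read a policy. The scanner below is an added example written for this post; it is not Privacy Decoded's analyser and not code from this site. The phrase lists come from the post, but the scoring weights, the grade cut-offs, the "qualifier" words used to decide whether "third parties" is scoped, and the two policy excerpts it runs on are all constructed for the example. It goes slightly beyond the bullets in two ways: "third parties" is only flagged when nothing after it narrows the sharing, and a stated number of days only counts as a retention period when it sits near a retain/delete verb, so a "30 days" in a refund clause is ignored.

```python
"""Heuristic privacy-policy scanner. Added example for this post, not the
site's analyser; phrase lists follow the post, weights are assumptions."""
import re
from dataclasses import dataclass, field

# Red-flag phrases from the post, each with the concern it signals.
RED_FLAGS = {
    "trusted partners": "'trusted' has no legal meaning",
    "information you choose to provide": "often data you must provide anyway",
    "infer additional information": "derived sensitive attributes",
    "as permitted by applicable law": "defers to the most permissive jurisdiction",
    "continued use of the service constitutes acceptance": "changes treated as consent",
    "as long as necessary": "open-ended retention",
}

# Green-flag phrases from the post.
GREEN_FLAGS = {
    "end-to-end encrypt": "provider cannot read content (if it never holds keys)",
    "independent audit": "external verification",
    "we do not show advertising": "no ad-driven incentive to over-collect",
}

# Assumed: words that, when they follow "third parties", scope the sharing.
QUALIFIERS = ("such as", "including", "for example", "namely",
              "who ", "that ", "listed", "described")

DURATION_RE = re.compile(r"\b(\d{1,4})\s*(day|week|month|year)s?\b", re.I)
RETENTION_VERBS = re.compile(r"\b(retain|keep|store|delete|erase|remove)\w*", re.I)
TO_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}


@dataclass
class Finding:
    kind: str      # "red" or "green"
    label: str
    snippet: str   # surrounding text so a human can check the hit


@dataclass
class Report:
    findings: list = field(default_factory=list)
    retention_days: list = field(default_factory=list)
    score: int = 0
    grade: str = "F"


def _snippet(text, start, end, width=40):
    return text[max(0, start - width): end + width].strip()


def find_phrases(text, phrases, kind):
    low = text.lower()
    return [Finding(kind, label, _snippet(text, m.start(), m.end()))
            for phrase, label in phrases.items()
            for m in re.finditer(re.escape(phrase), low)]


def unqualified_third_parties(text, window=60):
    """'third parties' is a red flag only when nothing after it scopes it."""
    low = text.lower()
    out = []
    for m in re.finditer(r"third[- ]part(?:y|ies)", low):
        tail = low[m.end(): m.end() + window]
        if not any(q in tail for q in QUALIFIERS):
            out.append(Finding("red", "unqualified 'third parties'",
                               _snippet(text, m.start(), m.end())))
    return out


def retention_periods(text, window=80):
    """Stated retention periods in days, counted only near a retain/delete verb."""
    periods = []
    for m in DURATION_RE.finditer(text):
        context = text[max(0, m.start() - window): m.end() + window]
        if RETENTION_VERBS.search(context):
            periods.append(int(m.group(1)) * TO_DAYS[m.group(2).lower()])
    return periods


def grade(score):
    # Assumed cut-offs for the example.
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


def audit_policy(text):
    text = " ".join(text.split())          # fold line breaks so phrases match
    r = Report()
    r.findings += find_phrases(text, RED_FLAGS, "red")
    r.findings += unqualified_third_parties(text)
    r.findings += find_phrases(text, GREEN_FLAGS, "green")
    r.retention_days = retention_periods(text)
    if r.retention_days:
        r.findings.append(Finding("green", "specific retention period",
                                  f"{min(r.retention_days)} days"))
    reds = sum(f.kind == "red" for f in r.findings)
    greens = sum(f.kind == "green" for f in r.findings)
    r.score = max(0, min(100, 100 - 15 * reds + 5 * greens))   # assumed weights
    r.grade = grade(r.score)
    return r


# Constructed excerpts, not quotes from any real policy.
VAGUE_POLICY = """We collect information you choose to provide and data about how you
interact with our services. We may share your information with trusted partners
and other third parties as permitted by applicable law. We keep your data for as
long as necessary to provide our services. Your continued use of the service
constitutes acceptance of any changes."""

SPECIFIC_POLICY = """We collect your name, email address and payment information. We share data
only with service providers such as our payment processor and hosting vendor,
and we do not show advertising. Messages are end-to-end encrypted. We delete
your account data within 30 days of account closure and retain server logs for
90 days. Our practices are reviewed in an annual independent audit."""

if __name__ == "__main__":
    for name, policy in (("vague", VAGUE_POLICY), ("specific", SPECIFIC_POLICY)):
        rep = audit_policy(policy)
        print(f"{name}: score {rep.score}, grade {rep.grade}")
        for f in rep.findings:
            print(f"  [{f.kind}] {f.label}: ...{f.snippet}...")
```

Run it and the vague excerpt collects six red flags and no retention period, while the specific one collects none and reports 30- and 90-day retention. Treat the output as a reading aid only: a scanner cannot tell whether "service providers" is genuinely scoped, or whether an opt-out stops collection or only training, which is exactly why the sections above still have to be read.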

The "plain English" test

After reading the key sections, try to summarise what the company does with your data in one sentence. If you can't, the policy is either unusually complex or deliberately opaque — both bad signs. A well-written policy should make it possible to explain in plain English what data is collected, why, and who gets it.

Use tools

You don't have to do this manually. Privacy Decoded's live analyser takes the full text of any privacy policy and returns a plain-English summary, a grade from A to F, red flags, and a score out of 100 in under a minute. Sign in for free to run up to 3 analyses per month.

You can also browse our library of pre-analysed privacy policies for 13 major companies, including Google, Meta, TikTok, WhatsApp, Apple, and Amazon.
