Privacy Policies: The Document Nobody Reads (But Everybody Signs)
You did it this morning. I did it yesterday. The popup appeared, the button was right there, and you clicked 'Agree' before you finished your coffee. You probably did not read a single line.
You are not alone, and you are not careless. A 2023 Pew Research Center study found that 56% of American adults always or almost always accept privacy policies without reading them. There is no conclusive data for the Caribbean, but it is reasonable to assume the picture is similar. A separate analysis found that reading every privacy policy you encounter in a year of typical internet use would cost you roughly 76 full working days. That is not user negligence. That is a structural design failure.
Privacy policies govern what companies collect about you, who they share it with, how long they keep it, and what rights you hold over your own data. They are not fine print. They are the terms of a relationship you enter with every platform, application, and service you touch. And in the Caribbean, where digital services are rapidly scaling and data governance regulation is still evolving across CARICOM member states, the stakes of that unsigned bargain are rising.
Why Nobody Reads Them
The research is unambiguous. McDonald and Cranor's landmark Carnegie Mellon study calculated that reading the privacy policies of the top 75 US websites would take approximately 10 minutes per policy. Applied across the roughly 1,462 websites the average person visits annually, that amounts to 244 hours of reading time per year, or about 30 working days. Their study puts the opportunity cost of that reading time at around $781 billion.
By 2018, the problem had worsened. A follow-up study found that privacy policies for the 20 most-used mobile apps had grown 58% longer since 2008, averaging nearly 4,000 words each. Reading all 20 policies back-to-back would consume more than six and a half hours.
Length alone does not explain the avoidance. The 2023 Pew data also revealed that 67% of US internet users say they understand little to nothing about what companies actually do with their data, up from 59% in 2019. Comprehension is declining even as legal frameworks multiply. Research involving college and law students asked to review the privacy policies of five popular platforms found that 20 to 40% of 'easy' questions about those policies were answered incorrectly, even when participants could consult the policy before answering.
People are not skipping privacy policies because they do not care about their data. A 2024 Cassie survey found that 93% of consumers are concerned about the security of their personal information. They skip them because the documents, as currently designed, function less as communication and more as liability shields for the organisations issuing them.
What You Might Actually Be Agreeing To
A typical privacy policy will tell you, somewhere in its wall of text, that the company collects your IP address, device identifiers, browsing behaviour, location data, and purchase history. It will disclose that this data is shared with 'third-party service providers,' a category that can encompass advertising networks, analytics firms, data brokers, and government authorities upon request.
Some policies grant the issuing company the right to change those terms at any time, notifying you only by updating a webpage you will never voluntarily visit again. Others contain arbitration clauses that waive your right to pursue class-action legal remedies if the company misuses your data.
You agreed to all of that. Probably this morning.
The EU's General Data Protection Regulation (GDPR) recognised this problem and attempted to legislate its way to a solution. Article 12 of the GDPR requires that privacy notices be provided in 'a concise, transparent, intelligible and easily accessible form, using clear and plain language.' The regulation explicitly acknowledges that most individuals skip over long legal notices. Yet even with that mandate, many companies produce GDPR-compliant policies that remain practically incomprehensible to the average reader.
The Update Problem
Of all the failures in current privacy policy practice, the update notification may be the most cynical. You receive an email with a subject line like 'We've updated our Privacy Policy.' The body contains a link and one or two lines of generic reassurance that your experience is unchanged. What actually changed? Under what legal basis? What does it mean for you specifically? That information is buried, if present at all.
This matters because policy updates are often triggered by meaningful shifts: new data-sharing partnerships, changes to retention periods, expansions into new markets, or regulatory settlements. Those are precisely the moments when users deserve clear, specific communication. Instead, they receive a legal paper trail that protects the company's compliance record while delivering nothing intelligible to the person whose data is at stake.
What Better Looks Like
The good news is that the solution is not complicated. It requires will, not technology. Several approaches have demonstrated value, and regulators and design researchers have been advancing them for years.
Layered notices: The most practical reform involves offering a short, plain-language summary at the top covering what you collect, why, and with whom you share it, with the full legal document available to those who want it. This is not a workaround. GDPR and several national frameworks explicitly encourage this approach.
Change-only updates: When a policy changes, organisations should communicate only what changed, in plain language, with a before-and-after comparison if necessary. Not a link to 47 pages of reformatted legalese. The change. The reason. The impact on you.
Plain language standards: The GDPR benchmark of 'clear and plain language' needs to be operationalised. Some organisations write policies that their own legal teams cannot navigate without a search function. Plain language does not mean imprecision. It means precision that a non-lawyer can hold.
Meaningful opt-out architecture: Consent should be as easy to withdraw as it was to give. If clicking 'Agree' takes one second, withdrawing that consent should not require navigating five menus and submitting a form to a data protection officer who responds in 30 days.
What This Means for Organisations in the Caribbean
For Caribbean organisations building digital platforms, deploying HR systems, or partnering with international technology vendors, this is not a distant problem. The data your staff, clients, and beneficiaries share through those platforms is governed by agreements most of them never read. As regional digital transformation accelerates and frameworks like the OECS Data Protection Act and national equivalents across CARICOM member states mature, organisational leadership will need to understand what they are asking people to agree to and whether those agreements reflect the values they claim to hold.
Ethical digital governance is not just about compliance. It is about whether the organisation you lead treats the people it serves with the honesty and respect they deserve.
My grandfather, a shoemaker in St. Julien, repaired both sides of a shoe even when the customer only brought one. He said it would save them 'a little change.' He was not contractually obligated to do that. He simply believed in doing quality work, even when no one was watching.
Privacy policies are a test of that same ethic. Not whether your legal team can defend the document in court, but whether the people who sign it actually understand what they agreed to.
Start there.
Uwàmìto Consulting advises Caribbean leaders and organisations on strategic resilience, ethical governance, and evidence-based programme design.
Connect: www.uwamito.com