Every website you visit has a privacy policy. And almost nobody reads them. There’s a good reason — the average privacy policy takes about 18 minutes to read, is written in dense legal language, and most people assume it says “we protect your privacy.”
It usually doesn’t. Most privacy policies actually say the opposite: “We collect your data, we share it with third parties, and by using our service, you agree to all of this.” A privacy policy is less of a promise to protect you and more of a legal document telling you exactly how a company plans to use your information.
This guide translates the most common privacy policy language into plain English so you know what you’re actually agreeing to.
In this guide:
- What a privacy policy actually is (and isn’t)
- The most common phrases and what they really mean
- Red flags to watch for
- How privacy policies enable data brokers
- How to protect yourself regardless of what the policy says
While you’re reading this: Companies have been sharing your data with data brokers for years under the cover of their privacy policies. Run a free Optery scan to see where your data has ended up.
What a Privacy Policy Actually Is
A privacy policy is a legal document that discloses how a company collects, uses, stores, shares, and protects your personal information. It’s required by law in most jurisdictions — the CCPA, GDPR, and other privacy laws mandate that companies tell you what they do with your data.
But here’s the critical distinction most people miss: a privacy policy is a disclosure, not a protection. It tells you what the company does with your data — it doesn’t promise to keep your data safe. In fact, most privacy policies explicitly state that they share your data with third parties.
Think of it like a nutritional label on junk food. The label tells you there are 800 calories and 40 grams of sugar. It doesn’t stop you from eating it — it just discloses what you’re consuming. A privacy policy works the same way. It discloses the data practices. It doesn’t prevent the company from selling your information.
What Privacy Policies Really Say (Translated)
Here are the most common phrases in privacy policies and what they actually mean:
“We may share your information with third-party partners”
What it means: We sell or give your data to other companies — which may include data brokers, advertisers, marketing companies, and analytics firms. “Third-party partners” is deliberately vague and can include hundreds of companies you’ve never heard of.
“We collect information to improve your experience”
What it means: We track everything you do on our platform — what you click, how long you stay, what you search for, what you buy — and use it to profile you. “Improve your experience” is code for “target you with personalized advertising based on your behavior.”
“We may use cookies and similar technologies”
What it means: We track you across the internet using cookies, pixels, and fingerprinting. This lets us (and our advertising partners) follow your browsing activity across websites and build a profile of your interests, habits, and demographics. That’s why ads seem to follow you.
“We may share aggregated or de-identified data”
What it means: We strip your name from the data and sell it as “anonymous.” But researchers have repeatedly shown that “de-identified” data can often be re-identified — especially when combined with other data sources. Your “anonymous” data may not be as anonymous as this phrase implies.
“We retain your data for as long as necessary”
What it means: We keep your data indefinitely. “As long as necessary” has no defined endpoint — companies interpret this to mean as long as the data has any commercial value, which is essentially forever.
“You can opt out of certain data sharing”
What it means: We make it technically possible to opt out, but we bury the option in your account settings and make the process as confusing as possible. Most users never find or use the opt-out, which is exactly the point.
“We take reasonable measures to protect your information”
What it means: We have some security in place, but if we get breached, “reasonable measures” gives us legal cover. This phrase is carefully worded to avoid promising that your data is safe — because no company can guarantee that.
“By using our service, you consent to this policy”
What it means: You agreed to everything in this 8,000-word document by clicking “I accept” without reading it. This is the legal basis for everything else in the policy. Your “consent” is assumed the moment you use the service.
Red Flags in Privacy Policies
When reviewing a privacy policy, these red flags should make you think twice:
“We sell your personal information.” Some companies are surprisingly direct about this. If a policy explicitly states they sell your data, they sell your data. At least they’re honest — many others do the same thing using more euphemistic language.
No mention of data deletion rights. Companies covered by the CCPA or similar laws must allow data deletion requests. If a privacy policy doesn’t mention deletion rights, the company may not comply voluntarily — and may not be legally required to in your state.
Vague language about “service providers.” “Service providers” can mean anything from their web hosting company to hundreds of data brokers and advertising networks. The vaguer the language, the broader the data sharing.
“We may update this policy at any time.” This means the company can change how they handle your data without meaningful notice. The policy you agreed to when you signed up may be completely different now.
No contact information for privacy questions. Legitimate companies provide a privacy contact — email, address, or form. If there’s no way to reach someone about privacy concerns, that’s a red flag about how seriously they take privacy.
How Privacy Policies Enable Data Brokers
Here’s the connection most people don’t make: the “third-party sharing” language in privacy policies is exactly how your information ends up on data broker sites.
When you sign up for a retailer’s website, join a loyalty program, download an app, or create an account — the privacy policy you accepted almost certainly allows that company to share your data with third parties. Those third parties include data brokers, who add your information to their databases and sell it to anyone who wants it.
This is how your name, address, phone number, and purchase history end up on sites like Whitepages, Spokeo, and BeenVerified — companies you never interacted with directly. The companies you DID interact with shared your data under their privacy policy, and the data broker ecosystem took it from there.
Run a free Optery scan to see where your data has ended up after years of companies sharing it under their privacy policies.
How to Protect Yourself Regardless of Privacy Policies
You can’t realistically read every privacy policy for every service you use. And even if you could, “opting out” within each one is tedious and often ineffective. Here’s the practical approach:
Assume every company shares your data. Operate under the assumption that any information you give a company can and will be shared with third parties — including data brokers. This mindset makes you more selective about what you share.
Use secondary contact information. Use a Google Voice number and a secondary email for signups. When data gets shared, it’s your secondary info — not your primary.
Minimize the data you provide. Skip optional fields. Use guest checkout. Don’t join loyalty programs you won’t use. Every piece of data you don’t provide is data that can’t be shared.
Remove your data from data brokers. Regardless of how many privacy policies have allowed your data to be shared, you can remove it from the broker sites where it ended up:
Optery — Our top recommendation. Free scan to see your exposure. Paid plans ($39-$249/year) automate removal from 350+ data broker sites.
Incogni — Best budget option. Covers 180+ data brokers for $6.49/month billed annually.
Exercise your legal rights. If you’re in a state with privacy laws, use your right to delete and opt out of data sales. The CCPA and DELETE Act give California residents the strongest tools.
Delete old accounts you no longer use. Every account is a company holding your data under a privacy policy that allows sharing.
The Bottom Line on Privacy Policies
A privacy policy is not a promise to protect your privacy. It’s a disclosure of how a company uses your data — and in most cases, it’s telling you that your data will be shared, sold, or monetized in some way.
You can’t opt out of every privacy policy. But you can control the damage:
- Run a free Optery scan — see where your data has ended up after years of companies sharing it
- Remove your data from broker sites using Optery or Incogni
- Use secondary contact information — Google Voice and a secondary email for all signups
- Minimize what you share — skip optional fields, use guest checkout, avoid unnecessary accounts
- Exercise your legal rights — opt out of data sales and request deletion where your state allows
Privacy policies are telling you exactly what companies plan to do with your data. Start listening — and start protecting yourself.
Frequently Asked Questions
Do I have to agree to a privacy policy to use a service?
Generally yes. Most services require you to accept their privacy policy to create an account or use the service. “By using our service, you consent to this policy” is standard language. Your option is to accept the policy or not use the service.
Are companies required to have a privacy policy?
In most jurisdictions, yes. The CCPA, GDPR, and other privacy laws require companies to disclose their data practices. However, having a policy doesn’t mean the practices described in it are privacy-friendly — it just means they’re disclosed.
Can a company change its privacy policy without telling me?
Usually yes. Most privacy policies include language allowing updates “at any time” with notification only through posting the revised policy on their website. You’re responsible for checking for changes — which almost nobody does.
Does “we don’t sell your data” mean my data is safe?
Not necessarily. Companies can share your data with “partners” and “service providers” without technically “selling” it. The distinction between selling and sharing is often meaningless from a privacy perspective — your data still ends up with data brokers and advertisers.
What can I do if a company violates its privacy policy?
File a complaint with the FTC (reportfraud.ftc.gov) or your state attorney general. If you’re in California, file with the California Privacy Protection Agency. Companies that violate their stated privacy practices face potential enforcement action and fines.
Should I read every privacy policy?
Realistically, no — the average person would need 76 work days per year to read every privacy policy they encounter. Instead, assume all companies share data, use secondary contact information, minimize what you share, and remove your data from data broker sites using Optery or Incogni.
This post contains affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. See our affiliate disclosure for details.