How Privacy Policies Have Changed Since GDPR

In March the EU's General Data Protection Regulation went into effect. The data privacy law aims to create greater transparency around how personal data is handled. As a result of GDPR, privacy policies across the web were changed. We look at how GDPR changed the policies of some of tech's biggest names.
Rob Sobers
6 min read
Last updated October 14, 2022

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data.

While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for the service or whether the company has operations within the EU. The result has been a swath of privacy policy updates here in the U.S.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

Since privacy policies are often overlooked — in 2014 half of internet users didn’t even know what a privacy policy was according to the Pew Research Center — added complexities from GDPR are surely making things worse, right?

We decided to look at the individual privacy policies of the top websites on the web to check word count, reading time and reading grade level before and after GDPR to determine just how easy these companies are making it for users to understand their policy changes.

What Did Privacy Policies Look Like Before GDPR?

privacy policies before gdpr

As you can see, Reddit had the longest reading time, of almost 27 minutes to read. Facebook and eBay are a close second. Overall with eBay’s third highest word count and highest reading level of 18 (which is essentially a senior level college student) eBay was effectively the most difficult privacy policy to read.

Yahoo was by far the easiest the shortest read of the group at under 8 minutes. Their reading level site just above the average of 13.6. Perhaps fittingly, Facebook’s reading level was the easiest reading level of 11 given their push to be more transparent about their privacy.

So, how did things change once GDPR caused these sites to update their policies?

How Did Privacy Policies Change After GDPR?

privacy policies after gdpr

The major change seen here is that eBay not only increased their word count to the highest on the list, but their reading level now sits at 20. Yahoo is still the the lowest word count and reading time, but Reddit now has the easiest reading level. We dig deeper into each site to understand the changes after GDPR below starting with the most popular site on the web, Google.

Google privacy policy after GDPR

Google processes over 40,000 search queries every second, which translates into 3.5 billion searches every day. Since search is only one avenue for Google to collect data from users, the amount of raw data collected is mind blowing. By some estimates, Google owns and stores about 15 exabytes of data. To put this in perspective, 1 exabyte equates to 1 million terabytes.

The large number of products and users Google has opens up their exposure to data breaches. It might not surprise you that with the introduction of GDPR law, Google’s privacy policy increased by more than 48 percent.

Facebook privacy policy after GDPR

Following intense public scrutiny following the Cambridge Analytica scandal, Mark Zuckerberg testified before Congress and the European Parliament. After his testimony, the chair of the European Parliament Civil Liberties, Justice and Home Affairs said, “Mr Zuckerberg and Facebook will have to make serious efforts … to convince individuals that Facebook fully complies with European data protection law.”

How did Facebook’s efforts to increase the readability of their privacy policy measure up as a result of GDPR? Although they shortened the time it takes to read by over 5 minutes, the reading level increased by two full grades.

Reddit privacy policy after GDPR

Reddit is the self-proclaimed “front page of the internet” and, with over 1.5 billion monthly active users and over 1.2 million total subreddits, that tagline has become a self-fulfilling prophecy. There are subreddits dedicated to blackhat hacking techniques and other subreddits that have been targeted for the very nature of their existence.

In December of 2017, the cryptocurrency focused r/btc subreddit was targeted by a series of hacks that resulted in users bitcoin cash wallets being depleted. The very nature of Reddit, which involves sharing links to third-party sites, exposes users to threat of malicious intent. With this in mind, it’s a little surprising to see the word count decreased by 38.20 percent.

Amazon privacy policy after GDPR

Amazon has grown into more than just the largest eCommerce company in the world. Their cloud computing platform, Amazon Web Services, is now responsible for 10 percent of the company’s revenue. Security is more important than ever since Amazon now houses sensitive data of individuals — the cloud platform reached 1 million users in 2016.

The company also stores the information of companies and governments. An Uber breach in 2016 that compromised the information of 57 million users worldwide was linked to a compromised Amazon Web Services account.

Amazon’s privacy policy changes resulted in increases across the board: the web count, time to read, and reading grade level all went up.

Wikiedpia privacy policy after GDPR

Wikipedia was launched in 2001 with the goal to increase the availability of information worldwide, and the English edition has reached since reached 5.6 million articles. While the often-cited website has since become one of the most popular in the world, it’s information isn’t always completely reliable. The free encyclopedia was built around a model of openly editable content, which means that anyone with access to the Internet can edit it, even anonymously or using a pseudonym.

While the website has policies in place to remove false content, the reliability of the website is often in question — Turkey banned the site in 2017 after the company refused to take down an article with validity in question. Wikipedia’s privacy policy saw the largest increase in word count at nearly 95 percent; the time to read increased as well.

Yahoo privacy policy after GDPR

A golden child of the dot-com bubble, the domain “yahoo.com” was purchased on January 18, 1995. By 1997, Yahoo was the second most visited website on the internet, after AOL, and Yahoo’s valuation skyrocketed to $125 billion before the bubble popped and the company’s stock fell dramatically. When cooler heads prevailed, the stock price began to normalize and the company maintained its position as one of the most frequently viewed websites in the U.S.

In 2016, Yahoo reported a security breach that the company believed comprised the privacy of 1 billion accounts. In 2017, it was revealed that in actuality every single Yahoo account — over 3 billion accounts in total — had been hacked, making it the largest data breach in history. It might not be surprising to see the word count of their new privacy policy increase by 38.11 percent, but this could also be a result of their acquisition by Verizon in 2017.

Twitter privacy policy after GDPR

Twitter launched in 2006 after the founding team failed in starting Odeo, a podcasting company. The team included current CEO Jack Dorsey who sent the first “tweet” when it was an SMS service. The company had their initial public offering in 2013 with over 200 million monthly active users and over 500 million tweets per day.

In 2016, the company created the “Twitter Trust & Safety Council” to ensure users feel safe using the product. The company has had a string of security breaches, including one as recent as May 2018 when the passwords of 330 million accounts were exposed in plain text. Although the reading level has remained consistent, Twitter’s new privacy policy has grown by more than 29 percent.

Ebay privacy policy after GDPR

eBay, another veteran member of the Silicon Valley dot-com bubble on this list, started as an online auction marketplace. In fact, the company was started to help the founder’s fiancée trade her collection of Pez dispensers. With their “Buy It Now” feature, the company has moved beyond their original auction-style business model and solidified their place in eCommerce.

Certainly not immune to the tech industry’s privacy and security issues, eBay has had their fair share of public scrutiny. In 2014, eBay revealed that usernames, passwords, phone numbers, physical addresses and even banking information had been released for millions of users. It’s interesting to see that the privacy policy has become more difficult to read, increasing by two reading levels, yet the word count has increased only a little more than 8 percent.

instagram privacy policy after GDPR

Social media photo- and video-sharing app Instagram has a wealth of information to protect: As of 2017, the app has 800 million users, 500 million of which are daily users. Additionally, more than 40 billion photos have been uploaded to the app as of October 2015; this number doesn’t reflect the number of videos (or “Stories”) uploaded to the app, as that feature launched in 2016.

Instagram isn’t a stranger to breaches of this information, either. In 2017 the app suffered a data breach that left the personal information of approximately six million users vulnerable. Among the information affected were the phone numbers and email addresses of high-profile users, which was then made available on the dark web. The company is also owned by Facebook, which faced widespread criticism following the 2018 Cambridge Analytica scandal.

Instagram’s policies increased across the board: It’s word count increased over 40 percent, while the time it takes to read increased a full 6 minutes.

Netflix privacy policy after GDPR

What began as a DVD rental service in 1997 quickly expanded and exploded with the proliferation of technology: Today, Netflix is a subscription-streaming service provider and content producer with over 125 million users worldwide. The company also expanded globally in 2016, simultaneously launching in 130 countries and bringing its total availability to 190 countries.

The company has also been hacked: In 2015, security company McAfee released a report that detailed how you can buy access to streaming accounts, like Netflix’s, on the dark web. A file containing 1.4 billion hacked passwords, which was leaked on the dark web in 2017, also included Netflix login information.

Overall, Netflix’s privacy policy has seen an increase in word count, reading time and reading grade level, although the increases are slight compared to some.

How Privacy Policies Have Changed Overall?

how privacy policies have changed since gdpr

The goal of the updated privacy policies is to simplify the process of managing user privacy concerns and accessing user data. However, you might be surprised to see how the privacy policies have changed. Eight out of 10 companies we analyzed actually increased their privacy policy word count and the subsequent time it takes to read them.

Wikipedia showed the largest update, with a word count increase of almost 95 percent. Only two companies — Facebook and Reddit — decreased both the word count and the reading time of the privacy policies.

download gdpr privacy policies infographic

Sources
Google – Old | New | Facebook – Old | New | Reddit – Old | New | Amazon – Old | New | Wikipedia – Old | New | Yahoo – Old | New | Twitter – Old | New | eBay – Old | New | Instagram – Old | New | Netflix – Old | New | IBM Watson – Natural Language Understanding | IBM Watson – Tone Analyzer | Readability Formulas | Alexa | Niram | EU – GDPR

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

a-year-in-the-life-of-the-gdpr:-must-know-stats-and-takeaways
A Year in the Life of the GDPR: Must-Know Stats and Takeaways
This review of the GDPR covers how it's changed the way industries and individuals function online through GDPR stats, fines and policies of this past year
wyden’s-consumer-data-protection-act:-preview-of-us-privacy-law
Wyden’s Consumer Data Protection Act: Preview of US Privacy Law
The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and...
australian-privacy-act-2022-updates
Australian Privacy Act 2022 Updates
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
gdpr:-pseudonymization-as-an-alternative-to-encryption
GDPR: Pseudonymization as an Alternative to Encryption
Have I mentioned lately that the General Data Protection Regulation (GDPR) is a complicated law? Sure, there are some underlying principles, such as Privacy by Design (PbD) and other ideas,...