which virtually probably less than 10% of the population will actually read before accepting.
It's to do with more than laziness though.
These types of contracts seem to be intentionally long and worded how they are a lot of the time, probably because the vendor knows that the longer and harder to read it is, the less likely someone is going to dig through all of it, thus helping prevent people from understanding how bad the service really is in terms of rules/privacy and still having a legal escape route to use in court when someone does find out how invasive/out of order the service behaves.
You can blame us for not always reading but also the company should be to blame for not making it super clear to outline important parts in an easily-readable form IMO.
Avast collect data about their users and they even sell it for profit but they are EXTREMELY OPEN and CLEAR about it. They have a whole tab dedicated to it. More companies should follow how Avast outlined it, so users can truly understand what data on them a vendor will have and how it will be used. How it's used is incredibly important, as well as how that data is protected.
Consumers should be entitled to know at least the following in an extremely clear and easy-to-read way enforced by law:
- What data the service will collect on the user
- Where the data will be transmitted (e.g. kept on local servers after transmission, stored on a cloud network after transmission, sent to third-parties (and list which third-parties))
- How the data will be used (e.g. to improve the service, to make money, etc.)
- If the data will be sold (and who it will be sold to if it will be)
- How the data collected will be able to accomplish the goal of how it will be used
- How the data will be protected (e.g. what if an attacker managed to steal it, is the encryption strong? What type of encryption is being used?)
- When the data will be removed from the servers (if they ever will be?)
There should also be legal enforcement for every single service (at least in the EU - maybe there already is this though) where a consumer can request to audit all data the service has on them, be told exactly where this data has been and whether it's been sold in the past (and who to) and be able to request removal and have it processed within 30 days.
Since I am on a privacy rant, why not add one more thing? It should be legally enforced for services to notify all customers via at least e-mail of a security compromise/breach within 24 hours of confirmation of it. Any service which pays a ransom and keeps an attack quiet should have severe consequences as well, not to be able to just get away with it with some marketing and wording of response speech.
This is my personal opinion.