You downloaded the app this morning. It was free. You tapped accept on the terms without reading them. You always do. Everyone does.
What you almost certainly didn’t realise is that within minutes of installing it, that app started sending data about you — your location, your device ID, your behaviour, your contacts — to a handful of companies whose names you’ve never seen and would never recognise.
The legal authorisation for this is real. You agreed to it. You did so without reading anything, because reading the document that contained the authorisation would have taken longer than most people spend on the entire app.
This is the deal you keep accepting, dozens of times a year, almost certainly without ever quite understanding what it actually is.
The companies you’ve never heard of
An Oxford University study of nearly 1 million apps from the Google Play Store found that the typical app is connected to multiple third-party trackers — companies whose entire business model is collecting data about you from inside the apps you use.
Family apps average 7 distinct tracker companies per app. Games and entertainment apps average 6. News apps are the worst, often crossing 10 or more. A separate 2023 study found averages of 8.64 trackers per Android app and 5.52 per iOS app.
These trackers aren’t bugs. They’re business partners. The free app you downloaded is paying for itself by selling access to you. You’re not the customer. You’re the product. The actual customers are the data brokers, advertisers, and analytics companies sitting one layer behind the app, receiving a constant feed of information about your phone, your behaviour, and your life.
A Scientific American investigation found that more than 70% of apps share data with at least one tracker, and around 15% share with five or more. Alphabet alone collects data from roughly half of all apps studied.
You didn’t consent to most of this in any meaningful sense. You tapped accept.
The novellas you didn’t read
Here’s where the second half of the trap operates.
What you agreed to, when you tapped accept, was a document. That document is, in theory, available to you to read. In practice, almost nobody does. 91% of users consent to terms of service without reading them. Researchers have calculated that if you actually read every privacy policy you encountered in a year, it would take roughly 244 hours — six full working weeks of reading legal documents.
For some companies, the documents themselves are genuinely astonishing in length. A 2023 NordVPN study found Meta’s privacy policy runs 19,434 words — taking around 82 minutes to read at average speed. A 2019 analysis of 70 major services found that AT&T’s complete policy materials ran to 383,077 words, which would take over 30 hours to read. TELUS came in at 123,049 words. SaskTel at 86,804.
For context: a typical novel runs 70,000 to 100,000 words. A novella is usually 17,500 to 40,000. Meta’s privacy policy is longer than most novellas. AT&T’s full policy stack is longer than most fantasy trilogies.
You aren’t reading them. Nobody is reading them. They aren’t designed to be read. They’re designed to satisfy a legal requirement that you were given the opportunity to read them.
Why this gets worse, not better
The strangest part of the story is that the introduction of strong privacy regulation has, in some ways, made the documents harder rather than easier to understand.
Since GDPR came into force in 2018, privacy policies have increased in length by an average of more than 25%. The regulations require companies to disclose more about what they’re doing with your data, so they disclose more — in dense, legal, deliberately precise language that obscures rather than clarifies. The end result is a longer document that fewer people read.
The transparency requirement was supposed to give you the information you needed to make a real choice. In practice, it’s given you more text to ignore.
What’s actually in the data they collect
It isn’t just your name and email. Most app trackers harvest device identifiers — long alphanumeric codes that uniquely identify your specific phone. These IDs let different companies link the data they collect across many apps and websites to build a single profile of you that follows you everywhere.
One Scientific American case described a single participant having over 600 location coordinates sent to a single third-party advertising company during a study period. That’s a map of where they slept, worked, ate, prayed, exercised, and shopped. Built without their meaningful awareness. Sold to whoever wanted it.
This isn’t unusual. It’s the typical case for the modern free app.
What you can actually do
You won’t fix this individually. You can reduce your exposure.
On iOS, App Tracking Transparency lets you reject the request when an app asks to track you across other apps. On Android, you can revoke tracking permissions in settings. Both platforms now let you reset your advertising ID periodically, which fragments the long-term profile companies build of you.
You can also be more selective. The apps with the worst tracking records tend to be free games, news aggregators, and apps targeted at children. Paid apps generally collect less, because they don’t need to monetise you to survive.
But the deeper point is structural. The deal isn’t fair. Reading the contract takes longer than using the service. The contract was deliberately designed to be unreadable. The companies on the other side know almost certainly that you didn’t read it.
You agreed anyway. You’ll agree to the next one too.
That’s not really consent. That’s the closest thing to it the legal system has been able to produce, and it isn’t very close at all.
The next time an app asks you to accept, you don’t have to. You can also delete the app. The internet still works if you only have the apps you actually need — and many of the most invasive ones aren’t ones you need at all.
