When you download a new app or start a new online account, you probably click to agree to the privacy policy without ever reading it. But what you don't read may surprise you. Many companies are gathering loads of personal data and could be sharing that info. CNBC talked to three privacy professionals to get their take on privacy policies and what consumers need to know.

The first lesson: These policies are difficult for the average American to understand. "They're not designed for consumers, for you and me, to understand. They're written by lawyers for lawyers to protect the company," said Brian Vecci, the field chief technology officer for Varonis, a cybersecurity company that focuses on securing data. Varonis did research in July on how long it takes to read the privacy policies of some well-known companies and found some can take more than 27 minutes. The policies also require at least some high school education and sometimes advanced degrees.

"When we're getting these free services, we are engaging in a bargain. There is an exchange here. We're getting something free. And in exchange we are giving these companies our personal data," said Alex Urbelis, a partner at Blackstone Law Group, specializing in privacy and cybersecurity.

Vecci agrees. "Unless you've paid for it, you're the product. You're not the consumer," he said. "Every time you sign up for an app, in many cases, that app is going to ask for access to your photos, access to your location, access to your music files, whatever you're listening to. You're potentially giving up a whole lot of information."

Many policies include language that says a company can change the policy at any time without notice, according to Vecci. "Companies shouldn't be able to change their privacy policy on a dime without notifying anybody. Companies shouldn't be able to start collecting more information about you that you didn't give them consent to do."

Urbelis said he sometimes wonders why companies are collecting the data they do. "The reasons why they're collecting all of this information are really a mystery to the consumer. We don't know what's happening there. But what we do know is that they find this very, very valuable."

The information gathered can sometimes be shared with third parties. "The level of information and the amount of data being collected and shared with third parties is massive," said Michael Kasdan, a partner at Wiggin and Dana, who specializes in privacy and intellectual property.

Most companies say they will anonymize data before it is shared. "Just a few points of location data, three or four points, let's say, of location data … could be used to de-anonymize data, and figure out who you actually are," Urbelis said.

Examples of troublesome privacy policies

CNBC asked the pros to point out privacy policies that raise some red flags. Urbelis is concerned about Philips' Sonicare electric toothbrush model that contains Bluetooth. It connects to an app to reveal brushing habits. "When you sign up to use this particular toothbrush, it's collecting information, sensitive information, about your brushing habits, where your cavities are located," he said. "When you brush, it's measuring things like the pressure that you're using on a toothbrush, the frequency of your brushing habits." The policy says, "The personal data we collect may include your first name, username, profile picture, email address, gender, birthday/age, country, language and password." It adds, "Philips may also work with third parties who process your personal data for their own purposes."

Urbelis is concerned about the sharing of information. "What really terrified me about this was that in the Sonicare privacy policy, they tell you they're going to share this information," he said.

A Philips spokesperson said the data collected is used for personalization. "The Sonicare app provides personalized advice to users on how to improve their brushing and oral hygiene habits based on their personal data. ... Based on the personal data, the user will be able to receive personalized services, e.g. set personal goals, follow progress and receive oral care recommendations," said Philips spokeswoman Natasha Best in an email. "The Privacy Notice is aimed at transparency on this point, as it describes in detail which data will be received by Philips. ... For clarity, we wish to underline that some of the data fields to create a MyPhilips account (such as gender, age) are optional, so a user can decide to provide those data, or choose not to."

As for the third parties, Philips told CNBC, "This section of our Sonicare app Privacy Notice describes the option for our users to indicate their wish to share their personal data with other parties (i.e. independent third parties), who will then process the user's personal data for their own purposes and provide their own services to the user. The Privacy Notice describes who these parties are and informs the app users that Philips will only share their data with these independent third parties at the users' request. In these cases, the app will ask for the user's consent before sharing any data."

Kasdan flagged Starbucks' app and website for collecting much information that has nothing to do with serving coffee.

The company's privacy policy says it collects, "the web pages you view (including the date and time ... and the subject of the ads you click or scroll over." Kasdan pointed out that the policy allows third parties to access information to display ads or link your activity to social media. "We have added certain features to our websites and mobile applications that allow social networks (such as Facebook, Twitter ...) to track the activities of their members," the policy says.