Most privacy policies are too long and complicated to read. That needs to change.
No one reads the privacy policies when signing for a new service. It's okay, you can admit it. When that pop up of endless text shows up on your screen, you scroll all the way to the end as quickly as possible and agree to the terms without batting an eye. We all are guilty of it, and as bad of a habit as it might be, you aren't to blame for doing it. Privacy policies should clearly and plainly lay out every detail that a user needs to know about how their information is collected and used. Instead, privacy policies are often too-complicated, novella-length texts that require a lawyer on hand to explain the fine print.
A recent analysis published by the New York Times looked at 150 privacy policies of popular websites and apps. It found that most take more than 15 minutes to read, with some requiring a person dedicated more than half an hour to parse every bit of detail regarding how a company uses their data.
More troubling than the amount of time that companies ask of a user is the type of language that they use to describe their policies and practices. Per the New York Times, the vast majority of privacy policies require a college or professional-level reading comprehension in order to understand them. The BBC produced similar findings when it analyzed the terms and conditions of popular apps last year. The vast majority require university-level reading comprehension, and most were determined to use more complicated than Charles Dickens' A Tale of Two Cities.
Even attempts to force companies into simplifying the language of these agreements have struggled to produce successful outcomes. The European Union's General Data Protection Regulation (GDPR) requires privacy policies be presented in a “concise, transparent and intelligible form, using clear and plain language.” But, after a full year of GDPR being in effect, most companies are falling short. The European Commission recently conducted a survey that found while 60 percent of Europeans attempt to read privacy statements, just 13 percent read them in full because the texts are too long or too complicated.
Privacy policies and other user agreements have been designed this way intentionally. While the documents are placed in front of consumers when they sign up for a service, the texts weren't designed for them. These policies are written for lawyers and meant to be read by lawyers. They are meant to protect a company by displaying they are in compliance with any legal or regulatory requirements. But users are expected to parse that language to figure out how it applies to them.
This system as it currently exists is entirely unfair to consumers. Aside from simply being challenging to understand, the policies often leave users with little recourse than to opt in to everything. Florian Schaub, an assistant professor of electrical engineering and computer science at the University of Michigan pointed out that most privacy policies simply require users accept the terms in full or not use the service at all. There are rarely opt-out options for certain policies — it's all or nothing. Schaub also highlighted the fact that companies maintain the right to change their policy at will, and consumers are required to acknowledge and accept those changes or risk losing access to the service entirely.