Should online users be bound by their privacy agreements?
Put simply, individuals often pay online, consciously or unintentionally, with their data and privacy. As a result, companies hold a vast amount of information on consumers, and consumers allegedly agree to that practice. But as our research shows, online privacy agreements are largely incomprehensible.
Privacy issues are becoming more and more salient, in part due to enormous privacy scandals. Perhaps most conspicuously, a massive public protest erupted in response to the Facebook-Cambridge Analytica data scandal. In this case, the data of millions of people's Facebook profiles was harvested. Facebook's CEO, Mark Zuckerberg, testified before two US senate committees about the company's privacy practices.
Privacy is now also at the forefront of policy making. The most systematic legislative attempt to make more order in the messy world of privacy is the EU General Data Protection Regulation (GDPR). It comes as no surprise that European legislature was breaking the ground in this realm. The EU is known to have a strong focus on citizens' rights. It is committed to data protection, and to consumer protection more generally.
The GDPR came into force in May 2018. Its primary objective is to level the playing field and give individuals more control over their personal data. The GDPR also aspires to force companies to be more transparent around data collection and more cautious about its usage.
Clear and plain language
Another interesting aspect of the GDPR is its requirement to clearly communicate privacy terms to end users. In this respect, the GDPR requires companies to use "clear and plain language" in their privacy agreements.
Making privacy policies readable may bring about a few notable benefits. For starters, drafting readable policies better respects users' autonomy. Beyond that, readability can contribute to better comprehension of legal texts. This, in turn, can make such texts more salient, leading companies to draft more balanced terms.
But does this indeed materialise? In our study (with Professor Uri Benoliel from Israel), we examined whether, half a year post-GDPR, companies present users with online privacy agreements that are readable. We applied two well-established linguistic tools: the Flesch Reading Ease test and the Flesch-Kincaid test. Both tests are based on the average sentence length and the average number of syllables per word.
We measured the readability of more than 200 privacy policies. We gathered these policies from the most popular English websites in the UK and Ireland. Our sample included policies used by companies such as Facebook, Amazon, Google, Youtube, and the BBC.
We had good reasons to be optimistic. The GDPR receives a lot of attention. It employs harsh penalties, which can presumably serve as effective deterrence. Additionally, the cultural convention is that Europeans generally tend to be compliant and law abiding.
But we were disappointed. Instead of the recommended Flesch-Kincaid score of 8th grade for consumer-related materials, understanding the average policy in our sample requires almost 13 years of education. Almost all the privacy policies in our sample, about 97%, received a higher than recommended score.
Readability remains a challenge
The European legislature thought that using plain language in privacy agreements can be part of a better, holistic approach to users' privacy. We believe this is an idea worth exploring.
While not a magic bullet, readability can prove to be important for users' privacy. But despite the GDPR's requirement, European citizens still encounter privacy policies that are largely unreadable.
Does the GDPR just bark, but not bite? While it is perhaps too early to say, we located 24 websites in our sample that included their privacy policies as drafted pre-GDPR. We then measured their readability. The results show that current privacy policies are only slightly more readable than the older ones.
This may offer some lessons. Most notably perhaps, good intentions and extensive legislation may not suffice. Merely having a general, vague law is not likely to yield the anticipated change.