Commentary: If only privacy agreements were readable. Most aren't

Commentary: If only privacy agreements were readable. Most aren't

The GDPR requires companies to use clear and plain language in privacy agreements, but readability remains a challenge, says Victoria University's Associate Professor Samuel Becher.

man using phone
(Photo: Unsplash/Warren Wong)

WELLINGTON: The political economy of digital capitalism is largely premised on a new exchange: Individuals enjoy cheap or free services and goods in exchange for their personal information.

Put simply, individuals often pay online, consciously or unintentionally, with their data and privacy. 

As a result, companies hold a vast amount of information on consumers, and consumers allegedly agree to that practice. But as our research shows, online privacy agreements are largely incomprehensible.

READ: 50% off? What you unwittingly give up for a few freebies, a commentary


Privacy issues are becoming more and more salient, in part due to enormous privacy scandals. Perhaps most conspicuously, a massive public protest erupted in response to the Facebook-Cambridge Analytica data scandal. 

In this case, the data of millions of people’s Facebook profiles was harvested. Facebook’s CEO, Mark Zuckerberg, testified before two US senate committees about the company’s privacy practices.

Privacy is now also at the forefront of policy making. The most systematic legislative attempt to make more order in the messy world of privacy is the EU General Data Protection Regulation (GDPR). It comes as no surprise that European legislature was breaking the ground in this realm. 

The EU is known to have a strong focus on citizens’ rights. It is committed to data protection, and to consumer protection more generally.

READ: What those 'updates to our privacy policy' mean for Singapore, a commentary

The GDPR came into force in May 2018. Its primary objective is to level the playing field and give individuals more control over their personal data. The GDPR also aspires to force companies to be more transparent around data collection and more cautious about its usage.


Another interesting aspect of the GDPR is its requirement to clearly communicate privacy terms to end users. In this respect, the GDPR requires companies to use “clear and plain language” in their privacy agreements.

The EU's so-called General Data Protection Regulation (GDPR) comes into effect on Friday
The EU's General Data Protection Regulation (GDPR) ccame into effect on May 25, 2018. (Photo: AFP)

READ: Higher stakes in data privacy crisis yet Facebook’s response is business as usual, a commentary

Making privacy policies readable may bring about a few notable benefits. For starters, drafting readable policies better respects users’ autonomy. 

Beyond that, readability can contribute to better comprehension of legal texts. This, in turn, can make such texts more salient, leading companies to draft more balanced terms.

But does this indeed materialise? In my study with Professor Uri Benoliel from Israel, we examined whether, half a year post-GDPR, companies present users with online privacy agreements that are readable. 

We applied two well-established linguistic tools: The Flesch Reading Ease test and the Flesch-Kincaid test. Both tests are based on the average sentence length and the average number of syllables per word.

We measured the readability of more than 200 privacy policies. We gathered these policies from the most popular English websites in the UK and Ireland. Our sample included policies used by companies such as Facebook, Amazon, Google, Youtube, and the BBC.

We had good reasons to be optimistic. The GDPR receives a lot of attention. It employs harsh penalties, which can presumably serve as effective deterrence. Additionally, the cultural convention is that Europeans generally tend to be compliant and law abiding.

But we were disappointed. Instead of the recommended Flesch-Kincaid score of 8th grade for consumer-related materials, understanding the average policy in our sample requires almost 13 years of education. Almost all the privacy policies in our sample, about 97 per cent, received a higher than recommended score.

LISTEN: That awkward conversation we need to have with Facebook, an episode on The Pulse podcast


The European legislature thought that using plain language in privacy agreements can be part of a better, holistic approach to users’ privacy. We believe this is an idea worth exploring.

man in front of computer, coding, programming
(Photo: Unsplash/Arif Riyanto)

READ: We don't care about our data because we can't see or touch it, a commentary

While not a magic bullet, readability can prove to be important for users’ privacy. But despite the GDPR’s requirement, European citizens still encounter privacy policies that are largely unreadable.

Does the GDPR just bark, but not bite? While it is perhaps too early to say, we located 24 websites in our sample that included their privacy policies as drafted pre-GDPR. We then measured their readability. The results show that current privacy policies are only slightly more readable than the older ones.

This may offer some lessons. Most notably perhaps, good intentions and extensive legislation may not suffice. Merely having a general, vague law is not likely to yield the anticipated change.

Samuel Becher is associate professor of business law at Victoria University of Wellington. This commentary first appeared in The Conversation. Read it here

Source: CNA/nr(sl)