Taking a look at some of the best and worst privacy policies in terms of overall readability
In this instalment of the collaboration between Diffbot and Avast in which we analyze consumer privacy issues globally, we'd like to take an in-depth look at company privacy policies. The main takeaway from our research is that the privacy policies are hard to read, regardless of a company’s country of origin, industry or domain popularity. The policy remains a very comprehensive, long, legal document that is written for lawyers, not people. It is essentially a legal disclosure the company is making to avoid any potential legal liability.
The fact that there was no difference between countries surprised us because GDPR, the European data protection regulation, specifically states that “concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” must be used. We found that policies from domains within the EU are no different in this regard and in fact would require a college education to comprehend, which is clearly at odds with the legislation.
Further reading: How to read a privacy policy
To determine a privacy policy’s readability, we used a formula that is based on the linear combination of three global metrics of a given text: sentence, word and syllable count (the best possible score is 1 and the worst is 0). We also only considered English language policies. For example, I have included the shortest privacy policy that we came across, which reads, "We do not share any information collected from users.” This is refreshingly short and straightforward.
Let's take a look at some examples of the best and worst in terms of overall readability.
Top 5 easy to read policies
Top 5 hard to read policies
To save you the trouble of visiting these pages we have highlighted some individual paragraphs to provide additional context. The first two are examples of easy-to-read paragraphs, while the last two are difficult to read.
From EzineMark:“If you are a member of this website or have left comments, you can ask that we send you the information about you. You can also make sure that we erase any information about you. We will not erase any information we need for administrative, legal, or security reasons.”
From Hinge Marketing: “If at any time, you get tired of hearing from us and you want to get your email address the heck off our system, you’ve got a lot of options—you can unsubscribe, email us, or call 703-391-8870 and we’ll take you off our list, lickety split. We’re tough. We can take it.”
From TheOptimizer.io: “TheOptimizer.io takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.”
From Multimedia University: This Privacy Notice has been prepared to inform you of how Multimedia University ("University") process your information including personal data when you interact and/or transact with us whether via this website or in any other medium, forms, methods or ways for enrolment and/or subscription of any of the University and/or our Group's products and services for better services and/or enhancement and/or enrich your experience with our products and services.
We found that the majority of policies are as readable as the US constitution. Ironically, the very document is meant to regulate privacy policies should be readable, but is unreadable itself (GDPR).
Feel free to browse readability and see how much time it would take to read the privacy policies of some of the more popular domains:
Overall, privacy policies are too hard to understand for the majority of people. The graph below shows education level versus the necessary education level to understand privacy policies.
Since privacy policies in general would require one or two more grade levels than the average years spent in education in developed countries, we can see that policies are not written for the purpose of being read and understood by the average person, but instead to address legal obligations. In this instance, the only action the users can take if they do not consent is to leave the site, similarly to what happens with consenting to cookies in many instances.
While a single policy does not take long to read (12 minutes on average), when you consider multiple services, time adds up quickly. “McDonald and Cranor demonstrated that it would take the average individual around 244 hours per year (roughly six full 40-hour work weeks) to read and understand the privacy policies for every company with which they interacted" which is obviously not realistic. We would like to see GDPR enforce its readability clause and for companies to make their privacy policies as short and easy to read as possible to make it easier for consumers to understand the privacy implications of doing business with a specific company.