Earlier this month The New York Times published an interactive data-filled article on privacy policies titled “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.”
Author Kevin Litman-Navarro performed several analyses. For example, he timed the minutes it took him to read a privacy policy. Craigslist’s policy took the shortest amount of time, around 3 minutes, with Indeed’s and Airbnb’s policies taking the longest–nearly 35 minutes. (If you can access the NYT article, moving your cursor over the dots reveals the company names.)
He tested how easy it was to understand each policy based on factors such as sentence length and vocabulary. Of the sites featured in the article, the BBC’s policy was the easiest to understand (although more than 3,000 words). These were among the hardest: CNN, GoDaddy, Walt Disney, Hulu, and M.L.B. (Major League Baseball).
Here’s an example Litman-Navarro offered from the BBC’s clear policy:
We have to have a valid reason to use your personal information. It’s called the ‘lawful basis for processing.’ Sometimes we might ask your permission to do things, like when you subscribe to an email. Other times, when you’d reasonably expect us to use your personal information, we don’t ask your permission, but only when: the law says it’s fine to use it, and it fits with the rights you have.
Compare this 98-word snoozer of a sentence, which I plucked from Airbnb’s privacy policy:
For text messaging in the United States, by requesting, joining, agreeing to, enrolling in, signing up for, acknowledging, or otherwise consenting to receive one or more text messages (“Opting In”) or using a Airbnb arrangement in which Airbnb sends (or indicates that it may send, or receives a request that it send) one or more text messages (“Text Message Service”), you accept these SMS Terms for U.S. (“SMS Terms”), consent to the handling of your personal information as described in the Airbnb Privacy Policy, and agree to resolve disputes with Airbnb as described in our Terms of Service.
Litman-Navarro measured the readability of the first chapter of some classic texts to compare them to the privacy policies. His data shows that:
- Immanuel Kant’s demanding Critique of Pure Reason is easier to read than lots of companies’ privacy policies, among them Crunchyroll, Baidu, Zoom, CNN, GoDaddy, Walt Disney, Hulu, and M.L.B.
- Charles Dickens’s Great Expectations is easier to read than all but Craiglist’s and the BBC’s policies.
- Harry Potter and the Sorcerer’s Stone is easier to read than all of them.
He also graphed policies by their reading levels, and he shows that the majority of privacy policies–like those of Chase, Citi, eBay, Yelp, Shopify, Apple, and UPS–exceed college reading level.
Litman-Navarro writes that “A significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.”
But do we have to consent to them? I’m trying my best to reject them.
For instance, the other day while making a reservation online for a favorite Seattle restaurant, I tried using the restaurant’s new reservation service, Resy. I was directed to read a privacy policy of 4,622 words and click a link to acknowledge having read it. Nope. Not going to do it! I’m not going to read a 4,622-word policy, and I’m not going to pretend I read it–not for a restaurant reservation. I called the restaurant and reserved a table in a nice conversation with a human being. I let the restaurant know that I’m not going to deal with Resy and its required privacy policy.
I had a similar experience last month with Avis. I had wanted to rent a car from them because they listed hybrid cars as an option. But Avis insisted that I acknowledge having read a 13-page 4,270-word policy to create an account. I declined and kept my original National car rental reservation, despite National’s not having hybrids. I’ve probably agreed to National’s policy in the past, but I’m not going to do this anymore–not unless I have to do it to get what I need.
When companies start offering clear, concise, well-organized, and well-formatted privacy policies whose reading is optional, I’ll start clicking yes. But until then, I’m going to avoid companies that make me work too hard to be their customer–or who expect the impossible of me.
How do you feel about privacy policies? Do you read them? Do you click to agree and pretend to have read them?
Litman-Navarro suggests that this is what a good privacy policy would look like:
A good privacy policy would help users understand how exposed they are: Something as simple as a list of companies that might purchase and use your personal information could go a long way towards setting a new bar for privacy-conscious behavior. For example, if you know that your weather app is constantly tracking your whereabouts and selling your location data as marketing research, you might want to turn off your location services entirely, or find a new app.
I think that’s a good start. How about you?
Enroll in my online, self-study course Business Writing Tune-Up to write policies worth reading.
Lynn