Law in Books and Law in Action: The Readability of Privacy Policies and the GDPR

The most systematic legislative attempt to bring order to the chaotic world of privacy is the EU General Data Protection Regulation (GDPR). The primary objective of the GDPR is to level the playing field and give individuals more control over their personal data. Among other things, the GDPR aspires to force companies to be more transparent about data collection and usage. Along these lines, the GDPR requires firms to clearly communicate privacy terms to end users by using “clear and plain language” in their privacy agreements. In this study we ask whether, half a year post-GDPR, firms offer users online privacy agreements that are written in a readable manner. To that end, we empirically examine the readability of the privacy policies of 300 highly popular websites. The results indicate that, in spite of the GDPR’s requirement, users often encounter privacy policies that are largely unreadable. After presenting the empirical results, we discuss the legal and policy implications of our findings.
