Privacy Policies: almost as complicated as reading Kant's Critique of Pure Reason

The Critique of Pure Reason Immanuel Kant is not a text precisely known for being easy to read and understand. However, according to a study conducted by The New York Times (NYT), numerous Privacy Policies turn out to be equal or more complicated to understand than the aforementioned work.

NYT published in June of this year an interesting study which states that numerous privacy policies of digital companies such as Facebook, Airbnb, Uber, among others, are full of "legal jargon" and complex sentences that make reading incomprehensible. This, in the opinion of the NYT would, in many cases, hide real intentions to sell the data of millions of users without they really understand the implications of their authorization.

The aforementioned analysis was carried out taking into account the time of reading the policy and the level of complexity of the text using factors such as the length of the sentences or the difficulty of the vocabulary. These were the results:

Source: ThePrivacyProject The New York Times.

As we can see, the Privacy Policy of Facebook and Uber takes time to be read around 20 and 25 minutes, respectively. In the case of Airbnb it takes about 35 minutes but, in addition, it is evident that the complexity level of the text is high (which makes it more difficult to read).

To demonstrate the degree of complexity of the Privacy Policies, a comparison was made with some classic works. Just as an example, the policies of Netflix and Facebook get a score above the famous A brief History of Time of the scientist Stephen Hawking.

However, the BBC, the NYT points out, has an unusually readable policy. It is written in short sentences, declarative and, in simple language. And it's below Pride and Prejudice and above Harry Potter and the Sorcerer's Stone from (great) JK Rowling.

Source: ThePrivacyProject The New York Times.

As we see, the Privacy Policies are not made so that everyone who understands them understands them. In fact, according to the aforementioned research, most policies would only be understood in their entirety by people with a professional career specialized in laws or related matters.

Source: ThePrivacyProject The New York Times.

So, the problem that appears at first glance is that privacy policies are written "by lawyers and for lawyers". And the truth is that people do not know what they are really consenting to when they put click in accept". On this, it is clear that privacy policies should change their approach and use simple and understandable sentences for all.

However, this change should not only come from companies. The rules of protection of personal data, from our point of view, should be reviewed by virtue of establishing specifically what are really the essential obligations that must be contained in the privacy policies of the virtual pages. This in order to provide the most important information to holders of personal data.

In the Peruvian case, article 18º of the Personal Data Protection Law (LPDP) establishes a series of obligations that the person who collects data must inform the person in relation to the processing of their data. Incorporate each and every one of these obligations, at the discretion of the Data Protection Authority, has a minimum of three faces[1].

Then we see that the "amount" of information required to be delivered to the user is imposed by the State itself. However, on the other hand, companies are also required to deliver this information in a clear and simple format to understand. The LPDP, in its article 18º, indicates the right of the owner of personal data to be informed "in detail, simple expressly and unequivocally "the information related to the processing of your personal data.

Naturally, some will point out that forcing companies to develop policies in "clear and simple formats" is not enough to make the change of approach effective. And this is true, in part.

According to the previously mentioned study, in the 2018 year, Google's privacy policies took around 30 minutes to read them completely. However, for the 2019 year, its data protection policy became more readable and, the reading time was reduced to 15 minutes.

Source: ThePrivacyProject The New York Times.

This change is due, in part, to the entry into force of the General Data Protection Regulation of the European Union that requires that privacy policies be delivered in "a concise, transparent and intelligible form, using clear and simple language" . Also, Google added a glossary of terms in its portal that raise the level of understanding of the text.

We believe that although the legislation ensures the legal obligation of all companies to review their privacy policies in order to reduce the level of complexity of the texts, much of the change is also due to the fact that companies such as Google have internalized the need to Make your policies increasingly friendly and simple to understand. Which in the long run, generate benefits.

However, the truth is that today policies only serve as "the information legally that nobody wants to read and nobody understands. " This is unfortunate because precisely privacy policies emerged as a tool for empowering the owner of personal data with the purpose that it decides what to do with their data by virtue of the exercise of their right to information self-determination.

On this, the NYT points out, "people do not need technical knowledge of data collection processes to protect their personal information. Instead of explaining the complicated internal jobs of the data market, privacy policies should help people decide how they want their data to be used. "

According to Jen King, Consumer Privacy Director of the Center for Internet and Society, "this does not mean that we should reject privacy policies in their entirety, we just need a new beginning."

Perhaps, on occasions like this, the calls to make the real change are not the lawyers, but the advertising and marketing agencies that are constantly searching for new disclosure methods. Or also professional linguists.

Meanwhile we can only ask for more JK Rowlings and less Kants[2].

[1] In the year 2018, the Ministry of Justice through the Data Protection Authority issued as an Annex a model of Authorization for the Protection of Personal Data that conglomerated all the information that should be communicated to the holders of personal data every time they deliver your data to a third party.

[2] The author wishes to point out that the comparison is made only for didactic purposes. In the world we need JK Rowlings and also Kants

- Advertising Notice-
María del Pilar Segura
Lawyer from the Pontifical Catholic University of Peru (PUCP). I am interested in issues related to Competition Law, Data Privacy and Digital Regulation. I believe in freedom with responsibility. Contact:


1,914Happy fans


*All fields are required
es Spanish