Privacy Policies: almost as complicated as reading Kant's Critique of Pure Reason

The Critique of Pure Reason Immanuel Kant is not a text precisely known for being easy to read and understand. However, according to a study conducted by The New York Times (NYT), numerous Privacy Policies turn out to be equal or more complicated to understand than the aforementioned work.

NYT published in June of this year an interesting study which states that numerous privacy policies of digital companies such as Facebook, Airbnb, Uber, among others, are full of "legal jargon" and complex sentences that make reading incomprehensible. This, in the opinion of the NYT would, in many cases, hide real intentions to sell the data of millions of users without they really understand the implications of their authorization.

The referred analysis was carried out taking into account the reading time of the policy and the level of complexity of the text using factors such as the length of the sentences or the difficulty of vocabulary. These were the results:

Source: ThePrivacyProject The New York Times.

As we can see, the Privacy Policy of Facebook and Uber takes time to be read around 20 and 25 minutes, respectively. In the case of Airbnb it takes about 35 minutes but, in addition, it is evident that the complexity level of the text is high (which makes it more difficult to read).

To demonstrate the degree of complexity of the Privacy Policies, a comparison was made with some classic works. Just as an example, the policies of Netflix and Facebook get a score above the famous A brief History of Time of the scientist Stephen Hawking.

However, the BBC, the NYT points out, has an unusually readable policy. It is written in short sentences, declarative and, in simple language. And it's below Pride and Prejudice and above Harry Potter and the Sorcerer's Stone from (great) JK Rowling.

Source: ThePrivacyProject The New York Times.

As we see, the Privacy Policies are not made so that everyone who understands them understands them. In fact, according to the aforementioned research, most policies would only be understood in their entirety by people with a professional career specialized in laws or related matters.  

Source: ThePrivacyProject The New York Times.

So, the problem that appears at first glance is that privacy policies are written "by lawyers and for lawyers". And the truth is that people do not know what they are really consenting to when they put click in accept". On this, it is clear that privacy policies should change their focus and use simple sentences that are understandable to everyone.

However, this change should not only come from companies. The rules of protection of personal data, from our point of view, should be reviewed by virtue of establishing specifically what are really the essential obligations that must be contained in the privacy policies of the virtual pages. This in order to provide the most important information to holders of personal data.

In the Peruvian case, Article 18 of the Personal Data Protection Law (LPDP) establishes a series of obligations that the person who collects data must inform the person regarding the processing of their data. Incorporating each and every one of these obligations, at the discretion of the Data Protection Authority, has a minimum extension of three faces[1].

So we see that the "amount" of information required to deliver to the user is imposed by the State itself. However, on the other hand, companies are also required to deliver this information in a clear and easy to understand format. The LPDP, in its article 18, indicates the right of the owner of personal data to be informed "in detail, simple express and unequivocal ”the information related to the processing of your personal data.    

Naturally, some will point out that forcing companies to develop policies in "clear and simple formats" is not enough to make the change of approach effective. And this is true, in part.

According to the previously mentioned study, in the 2018 year, Google's privacy policies took around 30 minutes to read them completely. However, for the 2019 year, its data protection policy became more readable and, the reading time was reduced to 15 minutes.

Source: ThePrivacyProject The New York Times.

This change is due, in part, to the entry into force of the General Data Protection Regulation of the European Union that requires that privacy policies be delivered in "a concise, transparent and intelligible form, using clear and simple language" . Also, Google added a glossary of terms in its portal that raise the level of understanding of the text.

We consider that although the regulations ensure the legal obligation of all companies to review their privacy policies in order to reduce the level of complexity of the texts, a large part of the change is also due to companies like Google having internalized the need to make their policies increasingly friendly and easy to understand. Which in the long run, generate benefits.

However, the truth is that today policies only serve as "the information legally that nobody wants to read and that nobody understands ”. This is unfortunate because privacy policies emerged as an empowerment tool for the owner of personal data in order for them to decide what to do with their data by virtue of the exercise of their right to informational self-determination.

On this, the NYT points out, “people do not need technical knowledge of the data collection processes to protect their personal information. Instead of explaining the complicated inner workings of the data market, privacy policies should help people decide how they want their data to be used. " 

According to Jen King, Director of Consumer Privacy at the Center for Internet and Society, "this does not mean we should scrap the privacy policies in their entirety, we just need a fresh start."

Perhaps, on occasions like this, the calls to make the real change are not the lawyers, but the advertising and marketing agencies that are constantly searching for new disclosure methods. Or also professional linguists.

Meanwhile we can only ask for more JK Rowlings and less Kants[2].

[1] In the year 2018, the Ministry of Justice through the Data Protection Authority issued as an Annex a model of Authorization for the Protection of Personal Data that conglomerated all the information that should be communicated to the holders of personal data every time they deliver your data to a third party.

[2] The author wishes to point out that the comparison is made only for didactic purposes. In the world we need JK Rowlings  and also Kants

- Advertising Notice-
María del Pilar Segura
Lawyer from the Pontificia Universidad Católica del Perú (PUCP). I am interested in topics related to Competition Law, Data Privacy and Digital Regulation. I believe in freedom with responsibility. Contact:


1,954Happy fans


*All fields are required
es Spanish