US lawmakers recently introduced a bill seeking to improve transparency of terms of service agreements. The US Terms-of-service Labeling, Design and Readability (TLDR) Act proposes websites and applications (apps) provide summary terms-of-service statements that are easy to read. The bill specifically requires summary statements to include:
- Categories of sensitive information collected and if that information is needed for functionality
- Information on if and how a consumer can delete their data
- The legal liabilities of a consumer, including rights to their content
- A change log
- A record of data breaches that occurred in the last 3 years1
If passed, the aptly named TLDR Act, which shares an acronym with a commonly used term on the Internet (too long; did not read [TL;DR]), could be a great stride toward transparency. Most privacy notices are incredibly long and full of jargon that the average user may not understand. Even if everyone visiting a website or downloading an app could understand the terms and conditions of those websites and apps, it would take an inordinate amount of time to read through them. The average person has 40 apps installed on their phone.2 The terms and conditions of the 13 most popular apps would take 17 hours to read.3
The average person has 40 apps installed on their phone. The terms and conditions of the 13 most popular apps would take 17 hours to read.
And that only addresses apps. Reading the terms and conditions of every website visited would take 200 to 250 hours per year.4 (That estimate is from 2012. With the growing number of connected devices, it is likely that number is even higher now.) A conservative estimate is that it would take more than 11 full days for users to read the terms and conditions of every app they use and website they visit.
Given this unrealistic burden placed on consumers to understand what is happening to their data, it is clear that some kind of change is needed. Could the TLDR Act address this issue?
What Does This Mean for Enterprises?
Transparency is top of mind for many consumers, and savvy organizations should prioritize becoming more transparent. Enterprises have considerably more power than their consumers; although consumers ultimately have the choice of if they want to do business with an enterprise, there is rarely much room for negotiating terms of service and privacy policies. Given this imbalance, enterprises around the world should value transparency and understand why it is important for consumers, regardless of whether the TLDR Act becomes law. Although providing complex, jargon-filled terms of service and privacy policies may achieve compliance, it does not necessarily enhance consumer trust.
Customers may agree to a terms of service policy without reading or understanding it, but if they later become upset when undesirable data processing practices come to light, it can irreparably harm an enterprise’s reputation, even though the consumer did technically agree to the terms. In contrast, enterprises that are transparent with customers (e.g., clearly explaining privacy policies and data processing activities in easy-to-understand language) can attract new customers and build trust with existing customers.5
Enterprises that understand and address the following privacy barriers consumers face can empower their data subjects, improve their customer relationships and gain a competitive advantage over their less-transparent competitors.
Fighting Apathy
The length of privacy policies and terms of service likely puts people off from reading them. But apathy may be at play as well. Ninety-one percent of people accept legal terms and services conditions without reading them.6
Shorter terms of service agreements and highlights of key terms will only improve transparency if end users read them. Given that the average US Internet user visits 138.1 webpages per day, even the time to read a high-level, clearly written statement may be too time consuming.7
Before legislation such as the TLDR Act can improve consumer privacy, consumers need to have a better understanding of why the privacy policies and terms of service are important to read before accepting.
TLDR: Analogous to Nutrition Labels
The TLDR Act has been compared to nutrition labels on food. Nutrition labels help consumers make educated decisions about the food they eat; however, that means they must already know what they need to meet their dietary needs. Before the TLDR Act can help consumers make better decision, consumers need to be educated about privacy.
In the case of nutrition labels, a label may specify how much sugar food has, but if people have no idea how much sugar they should eat in a day, that may not be very helpful. And the sugar tolerance for someone with diabetes vs. someone without will vary. Privacy is similar; most people claim to care about privacy but often act in ways that are contradictory. This could be because people are unaware of how their actions affect privacy (i.e., they may say they value privacy but not realize that having public social media profiles and regularly checking in to locations and geotagging photos affects their privacy). And as the ideal amount of sugar consumed varies from one person to the next, so does the privacy threshold. Those who are from historically marginalized groups may have more at risk if their privacy is violated and their sensitive information is shared, so they may be less willing to give up their privacy.
An enterprise’s terms of service and tracking policies do not exist in a vacuum. To further the nutrition label example, high sugar content in one snack may be acceptable if the person eating it knows the rest of their meals will be low in sugar. The same goes for privacy and online tracking; people use multiple websites, software programs and apps, and they are not unaffected by each other. If someone purchases a new home and posts a photo in front of it, tags that photo with the city the home is located in and posts it on social media, it would not take much effort to look at real estate websites to determine that individual’s new address. It may seem harmless to post a photo in front of a new home with the home’s street number showing, but when that information can be combined with information from another source, it may reveal too much information about the new homeowner.
This kind of nuance cannot be explained in a nutrition-label style terms of service overview. For the TLDR Act to be effective, the average person must learn a lot more about privacy and how information from one place can be combined with other sources of data.
Empowering Data Subjects
If the previous two concerns were resolved and data subjects suddenly cared immensely about their privacy and had a better understanding of how web tracking worked, the TLDR Act still would not be enough to empower them. This is through no fault of the legislation; it relates to the imbalance of power between consumers and providers. Most websites and services do not give users a way to negotiate terms and conditions. Users must accept the terms if they want to use the service. Their only other alternative is to not use the website or service.
Data subjects cannot be empowered to protect their privacy until they have a say in the terms and conditions of using a product or service. Until the power disparity between consumers and providers is addressed, measures such as the TLDR Act will not make a meaningful difference to consumers and their privacy.
TL;DR
The TLDR Act has potential, but without addressing data subject apathy, consumer education and empowering data subjects, it will not do enough to protect people’s privacy.
Endnotes
1 Trahan, L.; “The TLDR Act”
2 Kataria, M.; “App Usage Statistics 2021 That’ll Surprise You (Updated),” Simform, 5 January 2021
3 Cohen, J.; “It Would Take 17 Hours to Read the Terms & Conditions of the 13 Most Popular Apps,” PC Magazine, 4 December 2020
4 Vedantam, S.; “To Read All Those Web Privacy Policies, Just Take a Month Off Work,” NPR, 19 April 2012
5 Weinhouse, M.; “Why You Should Be Radically Transparent With Your Customers,” Forbes, 16 April 2018
6 Cakebread, C.; “You’re Not Alone, No One Reads Terms of Service Agreements,” Business Insider, 15 November 2017
7 Fleming, E.; “How Many Webpages Does an Average User Visit per Day?” SidmartinBio, 30 October 2020
Safia Kazi, CIPT
Is a privacy professional practices lead at ISACA®. In this role, Kazi focuses on the development of ISACA’s privacy-related resources, including books, white papers and review manuals. She has worked at ISACA for 8 years, previously working as assistant editor of the ISACA® Journal and developing the award-winning ISACA Podcast. In 2021, she was a recipient of the AM&P Network’s Emerging Leader award, which recognizes innovative association publishing professionals under the age of 35.