Regulators may need to protect consumers from unreadable online contracts and privacy policies.
Everyone today interacts frequently with large online companies for a variety of purposes. We use social media, read news, book flights and hotels, rent cars, purchase insurance, and open bank accounts. In all of these and many other cases, we are presumably bound by two important agreements that regulate the relationship between users and firms: consumer standard form contracts, and privacy policies.
Online contracts and privacy policies are non-negotiable, pre-drafted standardized agreements. They are nevertheless legally binding. The assumption underlying them is that users are free to reject these agreements. No one forces a consumer to use an Uber ride to get from one place to another, book a room via Airbnb, purchase a book on Amazon, or post experiences on Facebook.
In the United States and in some other common law countries, consumers are legally assumed to have read the terms and conditions of their contracts. Due to this so-called duty to read, consumers are held responsible for the written terms of their agreements. This is true even if the consumer opted not to read the contract he entered.
But there is an interesting asymmetry here. Although consumers have a legal burden to read their contracts, companies do not have a general duty to offer readable contract terms. This asymmetry can lead to a reality where consumers are assumed to read contracts that are, in fact, unreadable.
In a recent paper, Uri Benoliel and I checked whether this concern is justified. The study examined the readability of the 500 most popular “sign-in-wrap” contracts—contracts to which consumers agree by signing up for a service—in the United States. Our sample included those sign-in-wrap contracts employed by some of the most well-known companies, such as Facebook, Amazon, Uber and Airbnb.
Sign-in-wrap contracts—which are now routinely used by numerous popular firms—assume that the user agrees to the website’s terms and conditions by registering or signing up. During the sign-up process, the website provides a hyperlink to its terms and conditions. The consumer, however, is not required to actually access the terms.
Can holding consumers to their online contract terms be justified based on the notion of consumer responsibility? After all, sign-in-wrap contracts provide consumers with an opportunity to read the terms and conditions. If consumers nevertheless choose not to do so, they have no one else to blame. Or do they?
In our study, we applied two well-established linguistic tools to evaluate whether consumers could read sign-in-wrap contracts. The first tool is the Flesch Reading Ease test. The second is the Flesch–Kincaid (F–K) test. Both tests are based on two parameters: the average sentence length, and the average number of syllables per word.
The results of our study indicate that, according to these criteria, the popular contracts examined in our sample are rather difficult to read. In fact, they are generally written at the same level as academic articles. Effectively reading these agreements requires, on average, more than 14 years of education. This result is troubling, given that the recommended reading level for consumer materials is eighth grade.
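The two tests can be computed directly from a policy's text. The following Python sketch is an added illustration, not code from the studies: it uses the standard published Flesch coefficients, a vowel-group syllable heuristic (an assumption; dictionary-based counters are more accurate), and two constructed sample passages, and it compares the resulting grade with the eighth-grade level recommended for consumer materials.

```python
import re

RECOMMENDED_GRADE = 8.0  # eighth-grade level recommended for consumer materials

# Constructed sample texts (not taken from any real policy).
LEGALESE = ("Notwithstanding any provision herein to the contrary, the company "
            "may disclose personal information to affiliated entities for "
            "purposes including analytics, personalization, and regulatory "
            "compliance obligations.")
PLAIN = ("We share your data with our partners. They use it to show you ads. "
         "You can say no at any time.")


def count_syllables(word):
    """Heuristic (assumption): count vowel groups, drop a silent final 'e'."""
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def text_stats(text):
    """Return (sentences, words, syllables) for a block of English text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)
    return len(sentences), len(words), sum(count_syllables(w) for w in words)


def readability(text):
    """Flesch Reading Ease and Flesch-Kincaid grade from the two parameters."""
    sentences, words, syllables = text_stats(text)
    if sentences == 0 or words == 0:
        raise ValueError("text has no sentences or words")
    asl = words / sentences   # average sentence length
    asw = syllables / words   # average syllables per word
    return {
        "reading_ease": 206.835 - 1.015 * asl - 84.6 * asw,
        "fk_grade": 0.39 * asl + 11.8 * asw - 15.59,
    }


def exceeds_recommended(text):
    """True when the text needs more schooling than the recommended grade."""
    return readability(text)["fk_grade"] > RECOMMENDED_GRADE


if __name__ == "__main__":
    for name, sample in (("legalese", LEGALESE), ("plain", PLAIN)):
        print(name, readability(sample), exceeds_recommended(sample))
```

A lower Reading Ease score and a higher F–K grade both indicate harder text; a single long sentence of polysyllabic terms is enough to push a clause far past the eighth-grade mark.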
A contract is based on mutual assent. Our study, however, shows that consumers cannot be expected to understand their contracts. It follows, then, that consumers cannot truly agree to something they cannot successfully read and understand.
The United States is not exactly known as a country that strongly supports consumer protection initiatives. Across the Atlantic, however, the ideological approach and the political climate are fairly different. Indeed, the European Union is famous for its strong culture of consumer protection, consumer rights, and consumer empowerment.
A notable and recent example of this approach is reflected in the European Union’s General Data Protection Regulation (GDPR). The GDPR is a sweeping data privacy law, which came into force in May 2018. One of the objectives of the GDPR is to level the playing field between consumers and companies while giving users more control over their personal data.
The GDPR aspires to force companies to be more transparent around data collection and usage. Along these lines, the GDPR also requires firms to clearly communicate privacy terms to end users by using “clear and plain language” in their privacy agreements.
In another recent study, Uri Benoliel and I examined whether privacy policies in the EU are indeed readable. Employing the same Flesch Reading Ease and F–K tools, we measured the readability of more than 200 privacy policies. We focused on the most popular English websites in the UK and Ireland, such as Google, YouTube, Facebook, and Amazon.
Disappointingly, the results of our study indicate that despite the GDPR’s requirement, European users still often encounter privacy policies that are largely unreadable. Instead of the recommended F–K score of eighth grade, the average F–K score in our sample was 12.78 and the median F–K score was 13—or one year of college.
This is slightly better than the (un)readability of U.S. online consumer contracts. Nonetheless, almost all the privacy policies in our sample, about 97 percent of them, received an F–K score that is higher than the advised score of eighth grade. This means that almost all of these policies are harder to read and understand than recommended.
Is the GDPR just a barking dog? We were able to locate 24 websites in our sample that included their privacy policies as drafted pre-GDPR. We examined these pre-GDPR policies to compare them with current levels of readability.
The results show that current privacy policies post-GDPR are slightly more readable than the older policies. For example, although the average F–K score of pre-GDPR policies was 13.62, the F–K score of current policies was 12.36. This difference marks a small improvement, yet does not really cure the problem.
To the extent that legislatures and courts maintain that consumers are free to read their agreements and constructively consent to them, our studies suggest otherwise. Moreover, the presumption that general plain language rules will transform the way firms approach consumer agreements also seems not to hold.
What is better: a barking legislation that does not really bite, or legal asymmetry that places on consumers an unrealistic burden to read? This is an intriguing, complex question. Perhaps both options require a fix.
This essay draws on Becher’s two recent studies, “The Duty to Read the Unreadable” and “Law in Books and Law in Action: The Readability of Privacy Policies and the GDPR,” both of which are co-authored with Uri Benoliel.