EU: Privacy Policies Defy User Understanding

A large-scale, longitudinal comparison of privacy policies in the EU pre- and post-GDPR found that privacy policies increased in length without demonstrating improvements in sentence structure complexity.

Defining Privacy: How Users Interpret Technical Terms in Privacy Policies, Proceedings on Privacy Enhancing Technologies; 2021 (3):70–94

This study shows the difficulty in drafting privacy and data reforms in such a way as to achieve the desired effects. It appears that in spite of the GDPR providing that information about data collection and use be communicated “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”, the attempt by attorneys to do so results in an increased use of technical terms and legalese that users simply don’t understand.

The California Consumer Privacy Act (CCPA) imposes similar transparency requirements for disclosures and requires that policies be “written in a manner that provides consumers a meaningful understanding of the information being collected”. The cited study found, however, that privacy policies are still written at a high reading level, where misconceptions and misunderstandings about technical terms are pervasive.