Web

Study: Want to Know Your Full Online Rights? Set Aside 8 Days

Josh Catone
Share

Last month we reported on a study that found that privacy policies and EULAs for software and web sites were lengthy (averaging 3,442 words for privacy policies) and written at a grade level that would make them inaccessible to many people. The policies laid out in such user-facing legal documents are important, but are so long and difficult to understand that many users skip over them.

The lesson, we said, was to “make your privacy policy, EULA, and other user-facing legal documents as short and as easy to comprehend as possible.” That’s good advice, especially since one thing that the study we reported on in September didn’t take into account was how long it would take for users to actually read all of the unique privacy policies they come in contact with each year.

According a recent study from Carnegie Mellon University (via Slashdot), it takes an average of 10 minutes to read a privacy policy, and almost 6 minutes on average to skim the policy and be able to answer a set of basic comprehension questions correctly (i.e., pull relevant and useful information out of it). Researchers found that web surfers visit an average of about 1,200 unique web sites each year. If each of those sites had a unique privacy policy of average length, that would equate to about 201 hours of reading — or more than 8 days.

That’s a whole heck of a lot of time, and the theoretical cost to the US economy in lost productivity if everyone actually spent that much time reading privacy policies would be $365-$652 billion (depending on if you’re reading or skimming). The research only covers web site privacy policies — it didn’t cover all the other types of legal documents that we encounter in our daily lives, including web site and software license agreements, terms of service, and service level agreements — so the actual cost might be higher.

Of course, the simple truth is that most people don’t actually read or even skim all the privacy policies and other user-facing legal documents they come across on a daily basis.

The paper’s authors argue that the government, by allowing web sites to self regulate and develop their own privacy terms, has actually created an environment where a lot of time and money is wasted. “These estimates presume that people visit sites, read the policies once a year, and then carry on their business as before. Yet the […] vision of self-regulation presumes that at least for consumer sites, Internet users will visit multiple sites to comparison shop for acceptable privacy practices,” writes the paper’s authors. “The true cost of adherence to the self-regulation vision is perhaps on the order of double the costs we estimate, depending on which percentage of sites have ready substitutes and how many sites people are expected to compare.”

The researchers propose that corporations and web sites need to do a “better job of conveying their practices in useable [sic] ways, which includes reducing the time it takes to read policies.” If they can’t, government regulation may be necessary, the authors conclude, to provide privacy protections and ease the burden placed on users to keep track of their rights online.

The assertions made in the paper have predictably been met with resistance by some company executives. You can access a PDF of the study here.