back to article Reading privacy policies takes 10 minutes on average

Website privacy policies take on average 10 minutes to read and sometimes run into thousands of words, researchers have found. While some are short, others would take over half an hour to read. Researchers Aleecia McDonald and Lorrie Faith Cranor of Carnegie Mellon University looked at online privacy policies and how long it …


This topic is closed for new posts.
  1. A J Stiles

    How about this?

    This was the privacy policy on an old site I once maintained:

    Your e-mail address will not be passed on to anyone else for any purpose, not even to keep us out of prison.

    That certainly didn't take 10 minutes to read.

  2. docjekill
    Black Helicopters

    "not even to keep us out of prison"

    Ah, yes, that certainly would have been read in less than 10 minutes - but could you honestly have stuck to the letter of the policy, I wonder...?

    Black helicopter, because, well, yeah...

  3. druck Silver badge



    A. We don't give your details to anyone else, and only keep them as long as necessary to perform the service you have requested.


    B. We'll sell everything we can find out about you to anyone willing to give us money.

    I think that covers all the possibilities.

  4. this


    I found I couldn't read the whole article, started skimming, then gave up. Case proved.

  5. Ken Hagan Gold badge

    15 pages of text?

    If I saw a privacy policy *that* long, I'd assume that they intended to violate my privacy in every way open to them and sell the information to the highest bidder, criminal or not. Obviously, having reached that conclusion, I woujldn't bother to read the damn thing.

    As AJ Stiles says, a *privacy* policy requires only one line of text. You only need more if you need to document your violations of your customers' privacy.

  6. Charles


    Privacy notices suffer from the same problem most any other legal document suffers these days: excessive use of "Legalese". Why all this "party in the first part" drivel?

    Sometimes, I wonder if a law should be passed that demands that all future legal writings be written in terse but concise language that anyone can read and understand quickly. For example, a privacy notice could read:

    "We may use information ABOUT you (but not tracable to you) to form statistics, and we may be forced to turn over information if demanded by the law, but we will keep your personal information private otherwise. Should this not be the case, you may sue us under the law."

    Perhaps such an act could also include this line: "Make a bill or legal notice too lengthy, expect to spend up to a year in jail and to pay the costs of trying you."

  7. Anonymous Coward
    Anonymous Coward


    I know a website that stores only ha ash value of the email address in the database.

    Therefore the website owner will never hand out an email address even when sent to prison.

    Instead timestamps and Ip addresses are recorded for prosecution.

  8. Flocke Kroes Silver badge

    If the policy is ten minutes long ...

    ... it is not worth reading. Any competent lawyer should be able to hide get-out clauses around anything that looks like a binding commitment in such a long document.

    There are plenty of ways to deal with huge privacy policies. How many millions of internet users live in Beverly Hills (zipcode 90210)? Who else puts the website's own contact phone number into the form? How many people have a date of birth that varies with the phase of the moon? How many people use a bugmenot address for confirmation email?

    If there was an EFF Public Privacy Policy, and plenty of people used it then that would be a privacy policy worth reading - just like software licenses: If it is not GPL or BSD, software needs an outsanding reputation to make it worth reading the license.

  9. Graham Marsden

    The other question is...

    ... as with EULAs (which are generally unread or made unreadable!) are these Privacy Policies actually legally enforceable parts of the implied contract between the business and the customer...?

  10. A J Stiles

    @ docjekill

    It never came to it, in the end (either The Authorities took at face value another disclaimer, "Anything on this web site that would be illegal if it were true is made up", or -- more probably -- they just didn't bother with us); and it was before the RIPA became law. But I'd certainly like to think that I'd have gone to prison rather than compromise other people's privacy.

  11. Anonymous Coward
    Anonymous Coward

    Privacy policies aren't as simple as you might think

    The problem is that things get outsourced, and certain bits of your information will get transferred to achieve that. Who holds the information given to a "site"? The hosting company? The company who holds the copyright? The agency who manages it? What happens if one of those entities is outside of the EU? What happens when a third party is contracted to send you a catalogue or e-mail newsletter? What about Google Analytics tracking? (A very useful legitimate tool for a site developer to try and find and resolve 'black spots', but its use most certainly needs to be explained). What cookies are sent to your PC, what do they contain and how long do they last for? What actually *is* the consumer's responsibility (e.g., keeping passwords private)?

    All of these kinds of things need to be detailed in the privacy policy. I dare anybody to do it in a single sentence.

  12. A J Stiles
    Thumb Up

    @ Flocke Kroes

    I think your suggestion is an excellent one.

    The only refinement I could suggest is to have a few different "levels" of Public Privacy Policy, simply because one size is unlikely to fit all.

  13. Dave


    Sounds like we need a system like the GPL etc - then instead of having to read it every time, the policy would simply be reference - 'This site uses privacy policy 5b. Click here to read more. {Link to Policy site}'

  14. Anonymous Coward

    crystal mark for clarity

    All websites/applications should be required to go through the plain english campaign and achieve a crystal mark for clarity.

    I've been victom to the

    "But it says so in our terms and conditions, section 4, part 5.2..." when trying to make a complaint on poor service.

  15. DR

    session timeout

    how many sites would time out in the time taken to actually read a policy?

  16. Tom


    "All of these kinds of things need to be detailed in the privacy policy. I dare anybody to do it in a single sentence."

    Once you take in all the exceptions, weasel words, and excuses into account...

    We own all your data and will do what ever the hell we want, and everything is your fault.

    There you go, one sentence.

  17. RogueElement
    Black Helicopters

    obligatory small print [after Tom]

    ... the terms and conditions laid out in this document may be changed at any time without warning.

This topic is closed for new posts.