This post was also written by Frederick Lah.
A California state assemblyman proposed legislation this week attempting to require that online privacy policies be no more than 100 words. The legislation would also require that the privacy policy “be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.” This legislation, if passed, would serve to amend California’s Online Privacy Protection Act, which applies to every operator of a website or online service directed to consumers in California.
Common sense and good business practice dictate that privacy policies be as comprehensible and as concise as possible. Most companies, however, will almost certainly find this 100-word limitation to be simply unworkable, especially given the requirement that there be statements about how personally identifiable information is sold, to whom it is sold, and with whom it is shared. That disclosure alone, even if written as clearly and concisely as possible, could easily exceed 100 words. At the very least, every privacy policy should also include details about what type of information is collected, how it is collected, and how it is used, as well as any additional content requirements from applicable federal laws like COPPA and GLBA.
In a day and age when the FTC and even the California AG have gone after companies for insufficient disclosures, a 100-word limitation would seem to conflict with this increasing demand from regulators for companies to have more complete disclosures. Forcing these companies to comply with a strict word count, rather than emphasizing “plain language” solutions, would seem to miss the point. It’s also important to understand that the average length of an online privacy policy is 2,500 words, according to a 2008 study. Even this short blog article (which contains more than 350 words) would be way too long as a privacy policy under the proposed legislation. Obviously, unnecessarily verbose privacy policies are not the answer, but we think the same can be said for word limitations.