If one party to a contract cannot reasonably expect (!) that the contract was read by the other party, the contract should be invalid. Period, end of story.
This applies not just to Privacy Policies, but to just about every Terms of Service. You're telling me that when Apple updates the App Store's terms of use, they in good faith expect their customers to spend half their workday rereading the contract before clicking I Agree and downloading that new app? It's completely nonsensical!
Only high-level business software should be able to force its users to sign a contract, because that is the only circumstance in which it will be read.
One problem with your argument (from a political perspective) is that it undermines the entire system of mandatory disclosures (for drug warnings, investor relations, real estate, etc.). Accepting this argument means that all the (many) disclosure-based lawsuits and regulatory actions taken against companies are blatantly unjust, as they are based on the idea that consumers can and should read lengthy, confusing documents.
I should add that despite what people here are saying, the complexity of the wording is usually driven by legal requirements, not a desire to confuse people.
> One problem with your argument (from a political perspective) is that it undermines the entire system of mandatory disclosures (for drug warnings, investor relations, real estate, etc.).
A key factor here should be the complexity of the agreement compared to the value of the transaction.
If you're buying a house, you're laying out at least six figures and can be reasonably expected to read the fine print or hire somebody to do it for you, even if it takes multiple hours or several hundred dollars. If you're buying a $1 app or using a free service, expecting the same thing is facially absurd.
Meanwhile if you're buying a $5 bottle of drain cleaner, it's ridiculous to expect someone to read 20 pages, but 20 words is not so unreasonable.
This also bodes ill for "we may update this agreement at any time" because that's imposing the burden of re-reading the agreement every time you change it, which is pretty unreasonable for anything where the other party isn't paying you (or getting paid by you) hundreds or thousands of dollars a year.
If the danger is too complicated for people to reasonably understand in the amount of time they ordinarily spend trying to understand it, you already have a bigger problem. If the danger isn't that complicated and can be easily explained, you don't actually have this problem.
Well what is reasonable for a $5 bottle of ibuprofen? How about:
"Misuse of this product is dangerous and may cause death. Advil is not responsible for damages caused by misuse. Read and follow instructions on back of bottle"
That's a bit wordy but it indicates who is responsible (you) and what the gravity of the situation is (possible death). With that established, it means the onus is on the user to do more reading.
IANAL but I would like to belive something like that would satisfy all parties.
I don't necessarily disagree, but the way you framed it is a little too close to "Please read our privacy policy for more information", which doesn't get us anywhere. It works for ibuprofen because those instructions on the back are really quite short, so expecting customers to read them is more than reasonable IMO.
I should add that despite what people here are saying, the complexity of the wording is usually driven by legal requirements, not a desire to confuse people.
I emphatically disagree. In https://news.ycombinator.com/item?id=23566627 I take a sample from Apple's privacy policy that is written at a college reading level, and show how a rewrite can say more, in less words, while being readable at a grade 7 level.
This is merely an example illustrating that the vast majority of complexity in legal documents is driven by lawyers trying to look smart and not caring how impenetrable their prose is.
Well, not quite. Certain phrases have been tested in court. That is why arcane word-strings appear on contracts. Courts have established meaning and precedent for that word string. Going rogue with more readable language is asking for a ride on the litigation merry-go-round again, and nobody wants to foot the bill for that.
I am well aware of that. But those phrases also make up a small portion of most contracts. So I stand by my, "the vast majority".
Furthermore I believe we are one well-argued case away from concluding that consumer contracts are not enforceable if the language is too complex. Consider. You only have an enforceable contract if there is a meeting of minds. Automated complexity tests show that most consumer contracts require college level reading level to understand. Per https://www.wyliecomm.com/2019/03/us-literacy-rate/ it turns out that only 2% of US adults read at that level. Therefore no contract can exist with anyone in the remaining 98% of the public.
For comparison, 13% of Americans speak Spanish. Which means that if you the average consumer contract would be understood by more Americans if it was rewritten into plain Spanish!
We all know that this is true and the current state of affairs is beyond absurd. I do not believe that this absurdity will survive indefinitely.
We already have automated tests of language complexity. There already are courts that have said that materials have to be available to consumers in a form that they can understand. For example see http://www.illinoiscourts.gov/Media/enews/2018/032118_plain_... for such a ruling in Illinois. To end the absurdity just takes one clear precedent saying that a contract is not enforceable if not understood, and cannot assume to have been understood by the average consumer if it requires a reading level of over X on test Y.
I disagree. Contract language ends up in court because it is unclear enough that the parties can plausibly argue it means different things. Arcane word strings are, in my experience, usually just due to lazy copy and pasting from forms or false belief in the notion of “tested” language.
There are certainly terms of art that have well established meanings in certain fields but those should be used sparingly and don’t explain the massive amount of cruft in most contracts.
No one is well served by using deliberately arcane language.
Check out Ken Adams’ books and blogs[1] if you’d like to read more about this.
Not my problem. If this crap gets thrown out they will have to change strategy. The cost of snaring unwilling users in legal agreements should be high.
The current legal system effectively requires that you need a lawyer for everything you do.
Also, just having a lawyer read it isn't sufficient. They still need to communicate to you whatever information you need to be able to avoid violating the contract/law (if that is your intent).
I think he is saying that terms of service and user end policy agreements in their current state are completely unacceptable. We need to simplify these policies and contracts if we expect people to be legally accountable for understanding their contents.
I actually don’t even think there should be contracts, unless they can be cut down to a few paragraphs. Because nothing longer than that will be read by 99% of consumers.
Merely providing a bullet point summary of the contract (as I’ve seen some do, iirc GoG.com is one) is not enough—those bullet points would need to actually become the contract of record.
There is no reason the absence of contracts should lead to a breakdown of the tech industry. Tech companies are already protected by extremely generous copyright laws. Maybe they wouldn’t be able to collect everyone’s data all the time, but that’s a good thing.
I can’t speak as much to other industries because I know less about them. But I think e.g. landlords have a reasonable expectation that renters do read their contracts. I know I read my lease—that seems like a normal, reasonable thing to do. Reading a software ToS or Privacy Policy is, by contrast, exceptionally abnormal.
> But I think e.g. landlords have a reasonable expectation that renters do read their contracts. I know I read my lease—that seems like a normal, reasonable thing to do.
I also imagine it was much shorter than a typical software ToS/EULA.
> Reading a software ToS or Privacy Policy is, by contrast, exceptionally abnormal.
Part of the cause here is path dependence - we've been conditioned to ignore EULAs in the pre/early-Internet era, back when software walked and quacked like a product, not a service.
The only reason I mentioned copyright is, the classic thing all software ToS’s traditionally say is that you cannot create unauthorized copies of media.
What else is in ToS’s that tech companies absolutely must be able to enforce?
The problem is that the only reason they are complicated is because the courts require complexity. Each one of those complicated legal terms exists because of some lawsuit somewhere. Blaming it on the company, or saying that it's obfuscation simply misses the point.
If we want to get rid of these complicated 'agreements', we need to change the way our legal system operates.
The famous example in law school being writing a agreement on a cocktail napkin being an enforceable contract.
The legal system may be in need of reforms, but in these instances the complexity and length of tech company TOS or PP is a direct result of these entities having an army of in-house and outside counsel looking after their own interests.
There is simply a power imbalance between FAANG companies and even their most legally savvy and educated user. This has nothing to do with the courts, and if you don't believe me, then reach out to one of the FAANG legal departments and tell them you want to use their service but need to negotiate the TOS/PP first.
How many lawyers write their employment agreements, per-nuptual agreements, wills, or letters of engagement on cocktail napkins? Sure, it'd be enforceable, but almost worthless.
Pre-nups and wills are great examples of how simple agreements can be...prior to the internet you could pick up standard forms from stationary stores.
Google "contract on a cocktail napkin", most of the top results will be for million dollar contracts on cocktail napkins...so maybe we just have a different opinion about "enforceable, but almost worthless."
Contracts are only important when there is a disagreement. When everyone is getting along (which is most of the time), the contract can be verbal, cocktail, form, or lengthy, and it doesn't matter. You can see this from the fact that the most contentious subjects (such as construction) have the most rigorous contracts.
IANAL, but I have never heard of a lawyer writing a contract on a napkin, or advising a client to do so; and they say verbal contracts are worth the paper they're written on.
>IANAL, but I have never heard of a lawyer writing a contract on a napkin, or advising a client to do so
Where did I or anyone say that is what lawyers advise. In fact I specifically said it is because of their army of lawyers tech companies have long and complex TOS and PP.
The point is TOS and PP are not complex because Courts require them, and the cocktail napkin contracts are examples (the pinnacle law school example) of how simple contracts can be while still being enforceable.
>Contracts are only important when there is a disagreement.
No, contracts are most important before the disagreement because they are what help avoid the disagreement. It would be very difficult to explain in this forum, but if you know what Summary Judgment is, breach of contract cases essentially never end in summary judgement, which is actually very counter intuitive because one would think with all breach of contract case should end in summary judgement...because the contract should speak for itself right? In other word one would think either the contract was performed/breached or it wasn't right? The thing is whether a contract was performed or breached is a question of fact for the fact finder; thus, contract cases never end at summary judgement and would always have to go to a finder of fact (judge or jury). You would probably have to spend a semester or 2 to fully grasp this concept and even then, it probably takes some actual practice of law with contract cases to fully grasp why contracts do not resolve contractual disagreements. The reality is once there is a dispute and you are seeking enforcement you would much rather have the cocktail napkin than a complex agreement, it will save you years of litigation and the cost of the same.
Those articles are about expensive lawsuits fighting over the meaning of the contract. So they are almost worthless at their single function, which is to form an agreement.
>Those articles are about expensive lawsuits fighting over the meaning of the contract
Yes that is generally what breach of contract cases are about...do you think a breach of contract case for extremely complex agreements are any different in nature?
Do you think there are more or less questions regarding interpretation, intent and meaning, with respect to complex agreements or simple agreements? In my experience litigating these matters the more complex an agreement the more protracted the litigation, in fact in some of the jurisdiction I practice there are specific divisions (complex civil litigation divisions) where those types of agreements generally end up.
If companies expected and wanted users to be informed, the standard "we've updated our privacy policy" would be accompanied with a detailed list of changes or some sort of friendly marked-up change log. I have never seen anything like that from any company, so I have a hard time believing privacy policies and TOS are meant to be informative.
One potential problem is that any error in the markup might be the basis of a class-action suit; it's safer just to provide the full text, and there is no benefit to providing the markup.
There aren't legal requirements for many (most?) pieces of software. You can release a piece of software without any terms of use at all--that's perfectly legal. So I don't buy the idea that complexity is driven by legal requirements.
The legal problems come in when the software is discovered to have some flaw or an undisclosed interaction with some other system, and the class-action lawyers swoop in to eviscerate the publisher.
Lots of open source software has gone for decades with the following license, without the wrath of god falling on them:
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
It seems to me like you could just cut the paragraph starting with "Permission" and the words "and this permission notice" from the next paragraph, and you'd have the same protections, but for a closed-source project.
So yeah, I'm going to go ahead and continue to believe that these EULA's are definitely not written with the user in mind.
>One problem with your argument (from a political perspective) is that it undermines the entire system of mandatory disclosures (for drug warnings, investor relations, real estate, etc.).
Is this a bug or a feature?
>as they are based on the idea that consumers can and should read lengthy, confusing documents.
The resolution of such lawsuits are based around the notion that consumers should be able to read such documentations. The law suits themselves are about a deeper issue of consent. I would see this action as nullifying the resolutions but not the problem. It is unjust, but to the consumers.
I don't really agree. Disclosure for drugs is comprehensive and short. You can usually read the whole thing in 10 minutes and I always do because taking a new drug and I know many who do. For investor relation, real estate and such the value is such that those are also read, usually by multiple eyes.
And most software user agréments are actually much larger and harder to understand than the real estate papers worth millions I've seen, or even shareholder agreements worth even more.
Contrary to what you think it is very possible to have short legal agreements. The GDPR data policy basic template is quite comprehensive and rather short for instance, although it could get better. We could also imagine some informative shortened version with icons and standardized information in the same way you have for food components or drug warnings, or crucially apps permissions nowadays, that would cover 95% of the legalese in the user agreements.
Apparently the Chief Justice of the Supreme Court of the United States disagrees with you on the length of drug disclosures.[1] He said that "[p]roviding too much information defeats the purpose of disclosure, and since no one reads it", and that "the legal system obviously is to blame for that".
As I commented elsewhere, all that it would take to fix this is a precedent or law saying that, "Any consumer contract with a Flesch-Kincaid Grade Level of over 8 shall be unenforceable because the average consumer cannot be expected to have understood what they were agreeing to."
Yes, there is a very clear reason. I've stated it elsewhere but I will state it again.
Under common law, there is no legal contract without a meeting of minds. There can be no meeting of minds without comprehension. Per studies of reading abilities, only 2% of Americans read at a college level. (See https://www.wyliecomm.com/2019/03/us-literacy-rate/ for a source.) Therefore such contracts should not be legally enforceable on the other 98% of Americans.
This reasoning applies only to contracts where members of the general public were expected to review the contract unassisted. By contrast in a business contract where both sides retained legal counsel, the complexity of the language is not prima facie evidence that the contract was unlikely to be understood.
Because people generally find that informed consent is the only consent that counts. If someone cannot read a contract, how can they give informed consent to it?
If we decide that uninformed consent is still consent, we open a significant problem. And if we try to patch it by selectively applying the standard, we introduce arbitrariness which is an even larger problem.
I don't have a lot of time to comment to this, unfortunately, because I think it is a really important discussion. However, whenever I see these issues arise on Hacker News, I rarely see much said in defense of Terms of Service and Privacy Policies. Speaking only about Terms of Service right now, the problem is that if things are not laid out at the beginning, the business takes on all liability (or at least runs the serious risk of that liability). While that may sound reasonable initially, that means that nearly all of the amazing services we have would be impossible from a business perspective.
The problem is, we have an extremely litigious society, and lawyers are asked to think through and address all of the risks. The lower the dollar amount, the lower the liability that a company can reasonably take for the transaction.
Do you want to have an account? Great, but we need to be clear about who is responsible for use of the account and its credentials. We also need to clarify when it can be suspended or terminated. Do you want to submit content? Cool, but we should confirm that what you submit is your own responsibility, and we need to add some language about ownership and licensing to avoid copyright and other IP issues. We should also confirm that certain types of activities are not OK (e.g., pornography, harassment). Do you want to provide feedback? Awesome, but you cannot sue if it is used. Do you want to use APIs? Sweet, but there are things you can and cannot do so you don't break or abuse our system. Are you paying for things? We need to be clear how that works. And through it all, we need to have key provisions about warranties and limitations of liability so the business is not on the hook for millions when the account is worth $10.
And all this is for a simple service. There are countless ways to add complexity to a service.
I still agree with a ton of points here about the dangers of one-sided agreements, limited options for services, complex legalese, etc. But I will say that this is a trickier issue than people seem to give it credit. It may be nonsensical to say that a consumer read and understood a contract, but it is also nonsensical to say that companies should risk bankruptcy for free or cheap services (unless we are OK with free or cheap services no longer existing).
> While that may sound reasonable initially, that means that nearly all of the amazing services we have would be impossible from a business perspective.
Is that not the point of pursuing this train of thought? You aren't going to get businesses that have honest transactions with customers when such dishonest practices are allowed and generate enormous profits.
You can certainly be of the opinion that these contracts are by definition dishonest, and there are definitely companies that do shady things and protect themselves with these types of contracts. But I think that there have to be at least some examples of services that are honest that still need these types of protections.
Imagine a service that is objectively good -- maybe a non-profit organization creates a free app to help connect homeless people with food, shelter, and potential employment opportunities. Businesses can then use the app to post jobs, etc. The non-profit runs on a shoe-string budget and certainly cannot afford to get caught up in litigation related to issues arising between users of the app (e.g., a homeless user upset that they did not get a job because a bug in the app lost their application, or a business upset because they were connected with a dishonest applicant). It seems fair that the non-profit should be able to limit its liability here.
You have a really good point about deceptive businesses and the importance of transparency and balancing the power between businesses and consumers. It is bad that shady businesses can be protected by contracts, but those contracts also protect good businesses. I honestly do not know what the solution is, but I personally think that eliminating contracts is less useful than strong consumer protection legislation like stronger privacy laws.
> Imagine a service that is objectively good -- maybe a non-profit organization creates a free app to help connect homeless people with food, shelter, and potential employment opportunities. Businesses can then use the app to post jobs, etc. The non-profit runs on a shoe-string budget and certainly cannot afford to get caught up in litigation related to issues arising between users of the app (e.g., a homeless user upset that they did not get a job because a bug in the app lost their application, or a business upset because they were connected with a dishonest applicant). It seems fair that the non-profit should be able to limit its liability here.
Certainly they should be liable for their service—of course they should be! You can’t expect a non-profit to do the government’s job, and certainly not without public (by which I mean via tax or capital) funding.
Regardless of non-profits, it’s a complete perversion of the very idea of “consent” to refer the users of the internet as consenting to any ads or data mining. There is no transaction to access the service, no way to view the true cost of the service or how much derived value your data has, no way to simply pay for the service with what the ad clients would have paid for the ad slots. In my book that’s completely dishonest. IMHO the onus is entirely on the company to explain and allow transparency into their monetization. If not, there’s nothing distinguishing what people might call “evil” behavior from what is apparently a competitive edge in the market, a “good” in America if I’ve ever heard it.
You sound like you know a lot about this, and I'm basically a layperson, so please excuse me for asking what are possibly stupid questions--but I still feel like I have to ask them.
> Great, but we need to be clear about who is responsible for use of the account and its credentials. We also need to clarify when it can be suspended or terminated.
Do we, though? I purchased a membership at an ice skating rink last winter, which gave me unlimited entry and access to a private locker. I didn't sign a contract[1].
Is my skating membership any different than an online account, and if not, why are contracts only seen as necessary in the digital realm?
> we need to add some language about ownership and licensing to avoid copyright and other IP issues.
Isn't this stuff laid out in Section 503--the service provider isn't responsible for what their users upload, as long as they take action when they're informed of a violation, or some such? If that's US law, why does it need to get restated in the Tos?
> Do you want to provide feedback? Awesome, but you cannot sue if it is used.
I'm not sure what "if it is used" means, but if, say, someone goes ahead and reuses my review in promotional material without my knowing consent, I think I should be able to sue! That's exactly the problem with agreeing to a contract you don't realistically have the ability to read.
> Do you want to use APIs? Sweet, but there are things you can and cannot do so you don't break or abuse our system.
If someone is abusing your API by, e.g. making too many requests, you should cut them off--why do you need a contract for that?
If it's a private API for businesses, I actually think a ToS is fine. Professionals can reasonably be expected to read business-critical contracts.
---
As I acknowledged at the jump, these are probably dumb questions. But--and I'm trying to anticipate your answer here, so maybe it's off base to begin with--if the issue is that a Twitter spammer could sue Twitter for being banned, then we need broader legislation to address that, in a way that applies universally to all companies. Because, clearly you should be able to ban people who spam, contract or no contract.
Although, since restaurants can kick me out for holding up pornographic posters, and I can enter a restaurant without signing a contract... I have to wonder, again, why this is really necessary.
---
[1] I did need to sign a waver before stepping onto the rink, in which I acknowledged I might fall and injure myself. However, this wasn't related to my membership, and it was two paragraphs long.
Not stupid questions at all. I'm not entirely sure of the best way to answer this, as the internal quoting is getting messy. Here are my initial thoughts, though:
In a perfect world, maybe we would not need contracts. Certainly not so many. For low risk and low volume agreements, like your skating rink membership, maybe a contract is not helpful. Although I would be interested to know what happens this winter if a pandemic means the skating rink shuts down. Should the rink reimburse customers who only got partial use out of their membership?
There are statutory protections for service providers, but they do not cover everything. For example, they do not give the service provider recourse against the user for their bad actions. They also do not address the service provider's IP, nor do they address licenses from the user to the service provider.
By "feedback," I meant suggestions for changes, like if you told Facebook about a new feature that you would like to see but then sued them if they built that feature. Or if you sent them an email they never saw but then they implemented the feature.
I guess it boils down to three big points:
1. Litigation is nasty and expensive, even if you are totally in the right. It is expensive to go before a judge or jury to say "This user did awful things, so I banned them and did not provide a refund. Here's what they did and why we kept their money." It is much cheaper to cut it off early with a motion to dismiss or motion for summary judgment by saying "This person violated Section 7 of the TOS, so I terminated in accordance with Section 8."
2. Lawyers are hired to look out for their clients' interests. It is their duty to their client, and they can be sued for malpractice if they do not. We generally agree that this is a good thing, I think. But it is a risk to the lawyer, not just the business, if the lawyer leaves a lot of issues open.
3. Your point about legislation is interesting. However, you could approach from the other direction as well, and have legislation that says certain liability cannot be limited or certain actions cannot be taken by businesses regardless of contract. This is what we do now and arguably could/should do more, and it has the added benefit of not making lawyers act out of their clients' interests.
I don't expect this to be very satisfying, but hopefully it at least puts this all in a bit of context.
Why should that apply only to people vs corporations? How about people vs government? Should I be expected to read all the laws, and if not a reasonable expectations, laws are invalid?
Somebody is sure as hell trying and I'm honestly impressed by the commitment and content produced from their effort, behold: @crimeaday https://twitter.com/crimeaday
Because laws apply to you whether or not you agree to be bound by them. Your consent is not required.
(I do agree it would be great for our laws to be more readable, but I don’t see how society could function with as low a limit on legislation as you’re suggesting.)
I'm not sure about where the upper bounds of legal complexity should be, but I do have at least one thought on how to limit the overall complexity, at least for the average citizen.
Eliminate all victimless crimes in their entirety. If no third party is harmed or unreasonably endangered, there shouldn't be any reason to fine or incarcerate someone. This basically eliminates all 'possession of' crimes that are so often misused by police to inflict all kinds of harm. (Good example being getting arrested for some marijuana in the car leading to car impound and ludicrous fees to get it released.)
I agree, but I don't think that's relevant. Those laws are pretty well known, and their problem isn't obscurity or complexity, its injustice of outcomes.
I disagree primarily due to the way plea deals are handled. You can be innocent of any wrongdoing and still have to take a deal that results in jail time to avoid losing the rest of your life. If there is no charge, there is no need to plea. And, if there is no charge (and therefore probably no arrests being made) there is no looking for evidence of some other thing. (Imagine someone arrested for Marijuana, but it turns out they also happen to have some party drugs somewhere. Game over.)
That said, these laws are complex. [0]This is a felony scoresheet from Florida that shows how things get tallied up. Looking closely you can see the extreme impact of plea deals in sentencing, and the way multiple charges get added together.
The return of mens rea requirements and sharp curtailing of strict liability crimes would solve some of the effect of "surprise laws" at the cost of making enforcement and convictions more difficult - which some to many would call a feature and not a bug.
I'm firmly in the camp that convictions should be difficult to get. I dislike the manipulations of the legal system that universally work against the average person and for the large entities or wealthy who can afford expertise.
Jury Nullification is one such example. Threats of life in prison (even if innocent) unless you plea down to a lesser charge is another.
From a Catholic perspective, laws are only valid if they're promulgated popularly by the state. If the state makes a law and doesn't openly share it, the law does not need to be followed.
Only sharing because the Church has done extensive writing on legal theory and because the Church is transnational -- it's beyond the jurisdiction of any country and predates every country currently on earth.
In an ideal world unused laws would be scrapped and complicated laws would be simplified. One could even come up with a criterion: the entire law book should be readable in 10 hours by a layperson.
None of us know which of our actions constitute a crime. Even worse, in many cases neither does anyone until someone goes to a court and a precedent is set. This is a terrible system.
Naw, you can have regulations for specific industry. They just wouldn't be relevant unless you are in such an industry, and should be organized enough that you can read and understand them when going into an industry, and have clear boundaries of when they become relevant in the simplified general law.
Also, the concept conflicts with the idea of local government and basically requires a large central world government. I feel like thr idea of simplified laws is mostly an impractical pipe dream propagated by people who don't like that they can't dump poison into local rivers or sell people scams that harm them.
Here is how we can get a proper measure of the problem: how often are people harmed by complex contracts they signed but didn't understand, vs how often are people harmed by laws they didn't know existed? And how often were those people doing something meaningfully harmful to someone else and should have known better on basic moral grounds?
Further, it's routine for these long documents to make you 'agree' that they (alone) can alter the 'agreement' at any time, and that it's up to you to keep coming back to reread it and see if you notice any change. They might as well conclude with "Also, fuck you."
I wouldn't blame any particular company for not departing from this equilibrium we're in. But it makes a "meeting of the minds" so absurd it's a mockery of the ancient meaning of a contract.
Edit: I may be thinking only of terms of service; I don't remember how routine that term might be in privacy policies.
Is a "policy" is a "contract"? What does the user agree to by reading a policy? Why is the privacy stuff separated out into a "policy" instead of being part of the Terms of Service? How does the user (cf. the company) "enforce the policy"? Do companies ever violate their own policies? Do they announce this to the public when it happens? How do we determine when a company has violated their own policy?
These are meant to be rhetorical questions but I am curious how people would answer.
The median US adult reads at a grade 5 level. That's a problem in and of itself. However when I paste Apple's privacy policy at https://www.apple.com/legal/privacy/en-ww/ into https://readabilityformulas.com/freetests/six-readability-fo... it comes out with a Flesch-Kincaid Grade Level of 14.4. There are a variety of readability measures at that site, and for this document they varied between grade 12 and college graduate.
It is therefore demonstrably impossible for the average American to read that policy. EVEN IF THEY WANTED TO.
Now another poster claims that this is because of what is legally required. That is nonsense. It is because nobody cares about making it readable. Let me demonstrate. Here is a sample paragraph from the document with a reading level of grade 13.4:
You may be asked to provide your personal information anytime you are in contact with Apple or an Apple affiliated company. Apple and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, content, and advertising. You are not required to provide the personal information that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have.
Here is a rewritten version that is significantly shorter, more readable (grade 7.3), and actually says more:
When you contact Apple or its affiliated companies, we may ask you questions about yourself. Examples that we commonly ask for include your name, age, address, and credit card number. You do not have to answer us. But if you don't, we may not be able to answer your questions or provide you with our services.
Your answers can be shared between Apple and its affiliates as long as we follow this Privacy Policy. We can also combine your answers with other data that we have. We do this to provide and improve our products, services, content, and advertising.
I could easily improve the readability more, but my point is made. The hardest part of the exercise was making the rewritten version long enough to get a readability score.
I think it would be very reasonable to pass a law saying that any consumer contract with a Flesch-Kincaid Grade Level of over grade 8 should not be enforceable. The reasoning being that there cannot have been a meeting of minds when few consumers are even able to understand the language which the contract is written in. And if there were such a law, I guarantee that lawyers would quickly learn how to put their thoughts in plain writing instead of legalese.
> When you contact Apple or its affiliated companies
carries different implications than the potential bidirectionality of
> anytime you are in contact with Apple or an Apple affiliated company
because the latter explicitly includes "when Apple contacts you".
"We may ask you questions about yourself" also implies a much wider range of latitude in the question topics than "provide your personal information".
The splitting of the "can combine your answers" and the "provide and improve" also makes me twitchy but I can't quite put my finger on why but it feels loophole-y.
Legislating in this direction might lead to there being a quiz at the end of every privacy policy. This doesn't seem like it would be great outcome to me.
Perhaps a better way would be to legislate what privacy policies can contain, so that they are more like Creative Commons licenses.
> Legislating in this direction might lead to there being a quiz at the end of every privacy policy. This doesn't seem like it would be great outcome to me.
As much as Google wants your data, there is no way they're going to actually make customers spend hours wading through dense legal speak before allowing them to use their service. No one would do it. They'd just go to duckduckgo.
Alternately, if getting access to your data is really so important to Google that they're willing to put users through so much pain, maybe users really do need to go through that pain, so they know what they're agreeing to.
I view Privacy Policies as a type of a labeling law, like the ingredients lists on all of your food. Even though only a small fraction of people actually read it, it's still doing its job and its important that it's there.
Some people care about the ingredients in their food, for a variety of reasons. Maybe they're vegan, or Kosher, or allergic to bananas, or are wary of processed sugar. Those people have the ability to make informed decisions, because they are informed. Similarly, privacy-conscious consumers can choose to avoid services based on their particular values when they are informed.
Another important use case is advocacy and/or journalism. If data-sharing arrangements must be public, then a motivated researcher is able to connect the dots, like finding how many sites send data to Facebook/Google, how many of them are health or bank or porn sites, what non-public-brand companies are actually collecting lots of data. Then it's possible for the gestalt "public" to be informed even if each individual isn't doing the reading themselves.
[edit] People are rightly pointing out several of the differences between ingredients lists and privacy policies, especially readability. I agree with this, and view it as a focus for regulation. Ingredients lists are useful in part because they're highly regulated in both contents and format. Privacy policies could be made more useful if they were to take some cues.
I view privacy policies as worthless. They don’t exist to protect the consumer‘s privacy. They only exist to shield the service provider from liabilities. In that case privacy policies serve no valid consumer facing function why bother the consumer with them in the first place?
I, as a consumer, would prefer to not bother with this stupidity knowing I have virtually no privacy online and cannot sue the service provider for privacy violations except in cases of provable negligence. Since that applies to consumers whether or not they agree with it don’t waste the effort with the privacy notice. Save it for my lawyer.
If, as consumers, we actually wanted privacy we would pressure our law makers to write privacy law like HIPAA or the Federal Privacy Act of 1974.
Well sure, but if naming something more accurately causes people to reject it because it sounds really bad, I don't think the issue is with the naming.
> They only exist to shield the service provider from liabilities. In that case privacy policies serve no valid consumer facing function why bother the consumer with them in the first place?
Because the consumers bother the companies with lawsuits if they aren't "forced" "to read" the privacy policy. The only way you can get away from the requirement to display these policies prominently is if you make it generally illegal to sue over anything disclosed in the privacy policy, even if it's not prominently displayed. Or, as you say, make the kinds of things people like to sue for actually illegal, so there will be nothing to disclose.
It sounds like you are arguing for tort reform. They can sue anyways regardless of whether they read the policy and regardless of whether the suit is groundless. All it takes to create a law suit is to issue a motion to the court. Whether or not the suit is frivolous is for the court to decide in response to an opposing motion.
I wouldn't say I'm arguing for it. I don't have any real problem with the status quo as it pertains to privacy policies. I'm just saying IF you have a problem with privacy policies, it needs to be very inexpensive to defend lawsuits on privacy grounds which are currently defensible only due to privacy policies.
There is a great many of us who don’t use certain sites for privacy reasons. What happened here where Facebook was required to provide a service? Could you not avoid your entirely valid concern altogether by just not using the service? Why do these types of posts end up going the entitled route? You as a consumer have options for these luxury services, don’t use them and they’ll change.
This makes a lot of sense. Providing some kind of categorized/easily digestible format for the policy to fit into.
When I was writing mine I tried to be very clear, but my startup is specifically focused on privacy, so I didn't really have much to disclose.
The GitHub terms of service[1] have a pretty good format. However, the summaries are often too vague -- they describe the type of content instead of summarizing its contents, so it's still possible to hide unsavory details. For example, section R2, on assignability, is grossly imbalanced.
I co-authored the Snowdrift.coop terms of service[2], which we adapted from GitHub -- we could not afford legal review and figured GitHub has enough lawyers to make sure the CYA language included was thorough enough to cover us pre-launch (we will get legal review before processing payments for outside projects). There was some legalese we'd prefer to remove but didn't feel comfortable without legal counsel, but the summaries are non-binding so we rewrote many of them to be more descriptive. Curious what you think!
On the privacy policy[3] side, we agreed with you -- if our policy was long or complicated enough that a summary was necessary, we were doing something wrong. So we just described all the ways we collect personal data, in "If you X, we will Y" format. For example,
> If you create a Snowdrift.coop account, we store your email address and use cookies to keep you logged in.
I wish more sites had policies like this, so that "long and unreadable policy" would become more of a red flag.
I read through a good amount and I think they make sense. The short version helps, but that always worries me from a legal standpoint. If we summarize something in a legally ambiguous way have we undermined the original intent?
There are some inconsistencies with how you present the data that I think would help to smooth out. On your summary table. You start with the description being more of a goal for that section, than sporadically start switching to the "short version" of what your terms are.
For me I was hoping that it would be the short-version so I essentially get a comprehensive cliff-notes kind of view.
Also some minor issues with bolding some headers
4. Project Termination
4. Survival
As well as inconsistently formatting the short version. (I prefer the all bold version to help clearly show where the short part ends)
Privacy policies are much easier for me to wrap my head around. What you store, How you store it, and what you do with it.
This clause was a good idea that I will "borrow":
If our corporate structure or status changes (e.g., if we restructure, are acquired, or go bankrupt), we will notify all users so that you may choose to anonymize or delete your private data before we pass on any data to a successor or affiliate.
My version is here https://www.pritact.com/privacy-policy.html which I think follows along a lot with yours in spirit, but just has less ground to cover because of the nature of my platform.
> If we summarize something in a legally ambiguous way have we undermined the original intent?
I share some of your concern. A written contract (including ToS) is supposed to capture an agreement between two parties, so if they later disagree on what was agreed, there's an unambiguous record. If one party isn't clear on the terms as written (say, because they only read the legally-ambiguous summary), then it's hard to say there was an agreement.
Unfortunately, these goals are often at odds: many websites/services feel the need to include lots of boilerplate to shield themselves from liability, and in the pursuit of precision, legalese is often jargony and inscrutable. In my opinion, we'd be better off if people didn't disclaim so much liability and were willing to take a chance on clearer but less established language. But there are societal reasons for those things that I can't really fix as an individual.
So, ideally, terms should be both legally precise and short/layperson-readable; in practice that's often not possible, which means any readable summary is necessarily ambiguous (otherwise, we'd just replace the terms with it). Given that existing ToS are often not layperson-readable, I think they're already failing to establish agreement, so I think that summaries, while clearly a non-ideal compromise, are a net positive.
> You start with the description being more of a goal for that section, than sporadically start switching to the "short version" of what your terms are.
I agree it could use more consistency and I agree the "shortest version" is better (many "goals for the section" barely have more meaningful words than the section title alone). It is how it is because summarizing is hard and our time is not unlimited. Definitely open to future revision.
For what it's worth, there is a "short version" at the top of each individual section; the table at the top is a further summary (hence "shortest" above). Given more bandwidth, I'd make each of the table sections expandable to show the "short version" as well.
> Also some minor issues with bolding some headers 4. Project Termination 4. Survival
> As well as inconsistently formatting the short version. (I prefer the all bold version to help clearly show where the short part ends)
This was intentional; the bolded summaries are for two sections (warranty and liability) which, IIRC, are legally required to be emphasized. Usually that's done by putting the sections themselves in all caps (ugh), with the side effect of making them unreadable. GitHub's terms, on which ours are based, have a bold "Please read this section carefully; you should understand what to expect." in that section after the summary; we opted to just bold the whole thing. Maybe that's confusing, though, and we should just follow their lead.
I agree, it looks nice. :) Especially, I like putting the form of data collected as the first words of each sentence under "what we store". Having our "If you…" part first makes it read better but harder to skim. I'll propose changing that next time we modify the policy.
Aside, I looked at the home page and while I understood what your service does, it wasn't clear to me how it was delivered (app? website? dedicated hardware (joking)?). I don't think I would have figured it out if I hadn't seen a reference to app.pritact.com in the privacy policy.
Credit card companies were forced to do this, and it has improved the industry for consumers having some bullet points of the key facts up front. Industries have to be forced to act on consumers behalves, as they stand to benefit from fleecing them.
As a consumer it's extremely hard to find out what you need in a Privacy Policy, as it is simply too big of a document generally.
For companies its different as they should have someone payed to read that.
So what is needed is a standard way of conveying what data is being collected. And what is kept in-company, and what is shared/sold. Just like the ingredients in a package, a simple Table.
Privacy Policies are written in juridical terms and are hardly/not-easily understood by an average person or user. That is the main issue with Privacy Policies, in my opinion.
> A label on food is easily looked at and any important information can be found within seconds.
I don't really agree. if I look at the label on a box of poptarts, I can see the number of calories in a serving and the ratio of carbs, fat, and protein. from this I can conclude that it is a relatively unhealthy food, but I have no idea how to interpret the breakdown of exactly what types of fat they contain. are polyunsaturated fats bad? what about monounsaturated? the nutrition facts are right there on the box, but I don't really know what they mean without doing a bunch of research.
the actual ingredients list is worse. there are at least ten ingredients in poptarts that I just don't recognize. I can clearly tell that they are not an "all natural" food, but not much else. if I had a food allergy or wanted to avoid a specific additive for whatever reason, it would certainly be useful, but otherwise not so much.
Imagine a “Privacy facts” label at facebook.com/privacy.
The format of the page is mandated by the government, including the font and margins. It is easily scraped and must be by law. This label is required in place of a privacy policy.
Facebook.com will:
Store data about you forever in a profile.
Share data about you with 3rd parties.
Show you advertisements based on a profile.
Show you content based on a profile.
Share profile about you information with law enforcement.
Facebook.com’s top five markets by revenue are:
Advertising
News Redistribution
Device Development
This may still be opaque and ignored by most people. Standardizing the language and format in a way that laypeople can read delivers actual value to consumers.
As a vegetarian, I find ingredient lists pretty reliable and useful, and consult them regularly. There are a lot of non-obvious things you have to look out for if you're vegan, but even there it's usable and useful.
With a few things people like to avoid, it's tricky -- MSG notably can be under a bunch of different names -- but most common allergies are clearly highlighted, or at least not hidden.
If you don''t have specific things you need to avoid, then of course a list of the specific things in it is not useful, but why/how would it be? It has a purpose and it serves that purpose.
"Is this healthy?" isn't an answerable question. There's no one specific answer true for multiple people--it's analogous to "Will this website respect my privacy?" On the other hand, "Is this vegetarian" and "Will this website share my data with third parties" are. (Or are closer to being so.)
I want to know if there's meat in an item of food, and the label tells me that in a fairly easy-to-read format.
I want to know if my data will be shared to third-parties by a website, and the privacy policy maybe provides it to me, but in a very inaccessible manner.
I think that comparison is very misleading because ingredient lists of food are not written by lawyers, they use very simple language, and they don't make you give up all kinds of rights.
They are also not even remotely as extensive as privacy policies are. Case in point: Back in 2012 one already needed 76 workdays to read all the privacy policies accepted on the Internet in one year [0].
Since then that number has very likely gone extensively up as people use even more online-services on average, particularly on mobile devices, and a lot of these services now also have extensive codes of conduct in addition to the privacy policies and bloated ToS/EULAs.
So while reading the ingredients of everything you eat is a very realistic and plausible thing to do, something people with allergies do on a near-daily basis, trying the same with privacy policies is just not realistic. Particularly when one wants to read them in an informed way to actually understand what you are agreeing to [1], for that you would need a lawyer to read them with you to make sense of the convoluted legal-speak they are usually written in.
A fact that is pretty common knowledge to such a degree that companies have even written $10k rewards into their ToS for people actually reading them. [2]
That's why most privacy policies do not really exist to inform the users as food labeling does, their main purpose is for the company to cover their ass legally while doing all kinds of shady things with users' data.
To be fair, ingredients labelling is covered by an extremely strict set of regulations, and companies do play games with it as much as they're able (my favourite is "aqua" when they mean "water").
Which may be the way to go: introduce a strict set of regulations covering how to present your privacy policy
Writing "aqua" instead of "water" is not playing with the regulations, it is a regulation. In the US cosmetics have to be labelled using the International Nomenclature of Cosmetic Ingredients (INCI) and the INCI name for water is "aqua".
there's a load of problems with food labeling requirements... for example, sometimes they use multiple kinds of sugars to make them appear lower on the ingredients list...
But yeah, privacy policies should be required to include the important bits in a small table, maybe a bit smaller than the Nutrition Facts table on foods.
There's also lots of new apps like Yuka which try to warn you about bad ingredients. You scan the bar code on a food product then you get some summarized details and warnings.
Maybe there's something to do to make these privacy policies more comprehensible.
This analogy fundamentally falls flat for a simple reason: Labelling is not legally binding.
A privacy policy is a contract. It contains valud actions, outcomes, liabilities and remedies, all the components of a contract. Kindly stop minimizing their importance.
Nutritional information is information. It is legislated and regulated, but not a contract. The manufacturer has to comply with regulations, but that is not considered a legally binding contract, and failure to comply does not constitute breach of contract. To be clear, just because there's a legal penalty attached for failure to comply does not constitute a contract between the manufacturer and the government.
Similarly, the individual is not bound to any contract to the manufacturer by purchasing a can of beans. They are, on the other hand, when purchasing software. It's a crucial difference.
It's not quite the same to describe something that already exists, as opposed to describing actions that have or have not happened yet (nor will they for the duration of a policy lifespan). Auditing ingredients is _relatively_ trivial to trying to audit the amorphous "privacy" restrictions.
In spirit-of-the-law terms (maybe letter of the law too), I'd argue that privacy policy is not a contract. A contract requires a meeting of minds. It's well-known that privacy policies are rarely read and to most people, incomprehensible or unreadable for simple lack of time in the day. That they are binding contracts is a fiction that the legal system just hasn't seen its way through yet.
There are also a very wide set of laws about things you can't put into food even if you label it, and classes of ingredients that must be called out specifically, like certain food colorings, allergens, and compounds that various high profile genetic abnormalities are affected by (phenolketoneuria for one).
I wonder if there's a Q&A format one could do for legal agreements that still meets muster, or could be legislated as such?
See, now you've got me thinking that there should be some sort of "labelling law" for privacy policies, at least for companies of a certain size. A standard, easy to read summary of the privacy policies of any given software or service. "Yes this app provides your data to third parties", "no, it does not record your location history", etc...
But food labeling is pretty well standardized, you can't just make up your own terms and add ten pages of convoluted circumscriptions and then say that's ok because a professional trained in just the right sub-field of biochemistry could deduce what's in there. If privacy policies were like food labeling nobody would object.
This is good, but "nobody reads the privacy policies" is the wrong reason. "Due to market pressures, consumers have little meaningful choice of service providers without onerous policies, and invasion of consumer privacy on a nationwide scale is a net social negative" is a better reason.
Furthermore, a user typically does not have access to the privacy policy until after they have purchased a product. If they disagree with a policy, they have limited recourse towards obtaining a refund. Products that do offer a refund have policies that take almost 30 days to get one.
In this fully connected world, it's almost criminal that a purchase is processed in seconds whereas a refund takes 30 days. It's time that WAS criminal. It's a contract right? Well, all contracts are required to comply with a cooling off period (by law), ranging anywhere from 3 days to two weeks depending on type of contract and jurisdiction. It's time for the legal system to enforce these laws for software contracts.
If I don't like an app within 3 days after purchase, I should have access to a prominently visible button to return it. If I click on it, the app should promptly issue a refund to my credit card (there's no reason why this can't be immediate) and delete the app from my device. Such a button should be mandated by law regardless of platform or application. But of course, the lawyers and lawmakers work for the rich, not the middle-class or poor.
I will suggest another reason, already built into contract law, these agreements/contracts are unconscionable.
Generally where a contract would otherwise be enforceable, having met all the legal elements of a legally enforceable contract, the Court does not enforce the contract finding is would be unconscionable.
There are all sorts of reasons a court would find it unconscionable to enforce an otherwise legally binding agreement/contract, so these cases really get into the nitty gritty facts. However, a typical example of an unconscionable contract is where one party is an experienced dealer in a type of business, while the other party is an average consumer. I know this basically sounds like every agreement between a business and consumer, but in practice its not (again you would have to begin reading tons of case law to get an idea). However, consider every single social media platform that builds into their agreements they have the right to modify the terms with or without actual notice to the users of said modification...that is about as unconscionable as it gets.
Back in the decentralized autonomous organization (DAO) days, where proponents always claimed "the code is the law" and if the code allowed investor money to be stolen, that wasn't a hack or breach of contract, rather it was a contractual right the investor agreed to (even in light of plain English marketing contrary to the actual code, even though the marketing materials disclaimed: "the code is the law")...I always explained, and was often down voted into oblivion, a court would never enforce such a agreement/smart contract as it would be unconscionable.
IMO they're not even contracts. The idea that there is a 'meeting of the minds' when I click through an installation dialog or website privacy policy, without even reading it, while screaming at my computer "I do not agree!" is ridiculous.
>The idea that there is a 'meeting of the minds' when I click through an installation dialog or website privacy policy
This is a fantastic point with respect to these online agreements because of analytics. Just as you say, someone clicks through these installation/website signup screens, click agree, etc... It is very easy to prove an agreement would take a minimum of x minutes to read through, yet these tech companies would have knowledge the user spent 1-2 seconds on the contract page/dialog box before clicking agree, therefore, they had knowledge the user did not and could not have read the same before agreeing.
Privacy and other ToCs cannot efficiently be optimized by markets because markets can only optimize efficiently for primary and a limited number of secondary attributes. Think how hard it is for consumers to beyond GHz to pick a processor. EULA, service terms etc are the last thing that is optimized for.
My suggestion: we should only allow privacy policies to contain standardized sections which are based on industry standards such as ISO, IETF, DIN terms. This would ensure that terms can be better compared and remove the possibility for companies to cheat consumers by hiding predatory terms.
I think privacy and ToCs could be optimized if there were an (probably regulatory) incentive. Imagine users had to take a quiz on the privacy policy before they were legally allowed to sign up, to prove informed consent. I imagine they would get optimized pretty quickly!
because most people don't actually care what's in the privacy policy. "X but with better privacy" is not a selling feature outside of a very small group of people.
the privacy grading is a cool idea and i'd love to have that displayed in my address bar for every site i visit, but bundling it with a "tracker blocker" means that the extension needs full access to all my data on every webpage i visit. i think my privacy is better protected by having one fewer extension installed with such broad permissions.
A good tracker should only be running locally. Ublock origin is just local rules and filters, nothing is being logged or sent anywhere. I'm not sure about this one, however.
I feel like much of the debate about this topic focuses on how corporations hide what they are doing to us, and reforms would focus on making the language easy to understand like a nutrition label. However, if that reform passes, all that will happen is that all major corporations will in lockstep offer nearly the same terms and force us to take them.
The problem isn't their sneakiness, it's their power. You can't even begin to conceive of a possible solution to this that won't be undone within a few years without asserting popular control over the decisions of a corporation.
Medicare did something like this. Insurance companies are limited to 10 standard supplement plans. Each covers exactly the same thing, regardless of insurer. So there are direct comparison charts, and policies are mostly sold on price. Insurance companies hated that. It's worked out well.
We should have standard privacy policies, graded A through F. Companies get to pick freely, and users get to see which one they picked before signing up.
I'm struggling to think of a way in which a business, operating in good faith, would benefit from its customers not knowing what they signed up for. In fact I think it's tautological that they wouldn't.
Good regulation won't guarantee that a privacy-friendly business will succeed, but at least they could differentiate themselves as such, because the claims they make would mean something.
It's completely pointless to read privacy policies or really any EULA because they can change at any time. Sometimes they change monthly. It doesn't matter if they are easy to read or not, and it doesn't matter if they are simple or complex, when the other side can just change the rules out of nowhere. That's not an agreement, in the way that most people understand agreements intuitively.
I think there should be an absolute limit on the length. 1kb seems about right. Any more than that and the whole document is too long to possibly read.
Severability clauses (like "If a provision of this Agreement is or becomes illegal, invalid or unenforceable in any jurisdiction, other provisions should still hold") should be explicitly banned. If something isn't legal, companies shouldn't be asking for it.
I like the thinking, but a hard length limit would have to be conjoined with a no-external-references rule. Otherwise 900b will be spent linking to exhibits A-z. Also should specify the encoding for such contracts so they're actually readable. So basically just set a letter limit.
A thousand letters should be plenty for almost every contract the average consumer is likely to encounter if they stick to well-known and standardized terms instead of writing every contract from scratch in impenetrable legalese. I wouldn't set a hard limit of 1KB, but it's not a bad goal to strive for.
People can reasonably be expected to learn the nuances of a small set of common contracts; we could include this as part of the standard school curriculum. They cannot be expected to read and fully understand separate one-off contracts full of legal jargon for every company they happen to deal with. As such, deviation from the standards should be expensive. I would consider it perfectly reasonable to require companies to submit any custom contract terms to the courts in advance if they want them to be enforced against arbitrary members of the public, and to reject any non-standard terms which would not be readily comprehensible to at least 80-90% of the target audience.
I agree with not imposing arbitrary limits. The point was simply to keep the text as short as possible. For example, anything with a Creative Commons license can be described in at most eleven characters: the longest and most restrictive version is "CC BY-NC-ND". When you see those eleven characters you know exactly what the terms are for that work, without reading the full license text on each occasion.
I doubt we could compress all standard contract terms down to that length, but I do think most could be written in 1KB—or perhaps one printed page, double-spaced with decent margins—if we're only spelling out the truly unique parts.
Do for privacy policies and ToS what we did for software licenses.
So that I read the lawyer explain ApachePrivacy1.0 and can reuse that knowledge going forward.
And it seems like startups would benefit from that a lot. They tend to copy-paste the lawyery bits anyway.
I'm scrolling the comments looking for this and having trouble believing nobody thought of it. Is it obviously impossible or something?
A set of standard contracts where you can read explainers about them can go a long way without needing really hard to change societal reforms like this. I hope one day creative commons makes a privacy policy wizard that most people understand.
Instead of calling these Privacy Policies, I wish there was some honesty in the industry and call them Surveillance Policies.
Off topic, but I have been on a war path, talking to family and friends about the surveillance economy, and how the tech giants collecting personal info is to their benefit not ours. Most people have been receptive to at least using FireFox and containers.
When my apartment installed a Luxor One locker for packages, I tried to read the privacy policy on the kiosk. The interface timed out on me while I was reading it. The designers did not consider that customers would read the fine print for their service.
I’ve heard somewhere that Warren Buffett never signs a contract that’s more than a page or two.
If the authors where interested in having their users read and understand their agreements, policies, and such. Then why not create a very simple, readable, one. Then present the content of it, and have the user accept the terms, in part, spread out over time. Such that the user only have to read a sentence, or paragraph, or so.
If they did it like that, I would probably read the ToS of the apps that I use.
Even a page or two of the most straightforward language would tie up Warren Buffet's time enough to be worth tens of thousands of dollars. So I'm sure he's picky of whatever he chooses to read anyhow.
Back when I was a contractor I often wondered if it would be OK to bill a few hours a day reading the 20 page legal documents required to hit OK on lol.
HN users do (well, sometimes), and that's why I love the users here. Any time I share a startup, I get at least a little bit of feedback about my TOS/privacy policy.
I read privacy / TOS from time to time (and write up notable findings), and believe that most users click without reading -- including most of my lawyer friends whom I've asked
I think most policies don't say exactly what they do with the data, even post-GDPR -- like they're not docs of the app's RBAC system
They all just say 'your privacy is important to us and we won't share your data with anyone (other than our business partners and for reasons of business)'
I think any service you pay for should be obligated by law to reveal what data they have about you, where they got it, and how it factors into a decision (weights / PCA if not precise algorithm).
This applies not just to Privacy Policies, but to just about every Terms of Service. You're telling me that when Apple updates the App Store's terms of use, they in good faith expect their customers to spend half their workday rereading the contract before clicking I Agree and downloading that new app? It's completely nonsensical!
Only high-level business software should be able to force its users to sign a contract, because that is the only circumstance in which it will be read.