In the modern technology era, from websites to mobile applications to IoT devices, data processing is an essential part of their function. Thus, a Privacy Policy is an integral part of every internet related activity. That said, it is no secret that most everyday users scroll through the endless text of a Privacy Policy and click “Accept”, without even a glimpse. And this is fair. According to studies, the average Privacy Policy would take up to 20 minutes to read. Taking into account how many Privacy Policies the average user would agree to in a year, reading all of them would take several days.

The main point of criticism to long Privacy Policies, is them being too long. In that regard, consumers are not willing to spend too much time to read through the details of how their data is being processed and click on “Accept” anyway. After all, if consumers do not accept, they will not be able to make use of the service. Another point, is that the GDPR requires communications to data subjects to be “concise, transparent, intelligible and easily accessible”, while Article 29 Working Party guidelines suggest that “The concept of transparency in the GDPR is user-centric rather than legalistic”, and that “the quality, accessibility and comprehensibility of the information is as important as the actual content.” Avoiding information fatigue through long and hard to navigate texts, should be a concern to the Privacy Policy writers. Considering all the above, the modern tendency is to shorten and simplify Privacy Policies.

However, the “less is more” principle, is not always the case. Shortened forms of Privacy Policies from companies conducting complex data processing procedures, inevitably leave out important details and simplify technology information. This over-simplification results in reduced transparency and accountability, as well as concealing of the “full story” of practices. In addition, short Privacy Policies are less likely to click all the boxes of the GDPR’s minimum requirements of information provided to data subjects, and other self-regulatory or voluntary standards that have to be met. Another point to be considered is that, although policies are usually addressed to customers, they remain legal binding terms of offering a service for the companies, applying in cases of audits from competent Authorities and regulators, as well as litigation cases.

All of the above lead us to the conclusion that quality over quantity should not have to mean “short”. There is no formula to determine the right number of pages, since every company or service is different, with no fixed range of data processing practices. Thus, it is important to keep in mind that, when it comes to the length of a Privacy Policy, it should not be longer than needed, containing all the essential details and avoiding anything unnecessary. The language has to be simple, clear and straightforward, but also as formal as a legal text. Format and structure are also crucial. Navigation headlines, table of contents and hyperlinks to further information are signs of a well-written Privacy Policy that despite its length, serves the purpose of informing the data subject in a clear manner. After all, the length of the Privacy Policy is not really the point. Transparency and accountability are.

The editorial team