It’s a myth that consumers read privacy policies. They don’t. I know that because I like privacy policies more than almost anyone – I’ve written them, I’ve defended them, I’ve analyzed them – and yet I can’t remember the last time that I went to purchase something online for myself and read the company’s privacy policy. If privacy lawyers don’t pause to read them, I’m confident that average consumers do not.

It’s no surprise why consumers don’t read them. Assuming that a consumer cares about privacy and assuming that they think about reading a policy before submitting information online, privacy policies read like mini legal treatises. They refer to technology that may be hard to understand (e.g., what is a clear gif?), and subtle but significant differences that might not be obvious to some consumers (e.g., what does it mean to share data for “joint marketing with a third party,” but not for a third party to market themselves?).

About a year ago, I was asked to moderate a panel discussion on “best practices” when drafting privacy policies. We had a great panel of regulators, noted privacy officers, and general counsel, and I was excited to hear some new perspectives. I turned the discussion to a topic that has been on my mind for years – is it possible to draft a truly simple privacy policy that would be quick and easy for a consumer to read and understand? We talked about various companies that had attempted this by trying to use plain language, reducing word counts, or using matrices, graphics, tables, hyperlinks, roll overs, or cross-references. At the end of the day, despite some commendable efforts nobody could think of a truly successful attempt at making a privacy policy digestible.

There was some agreement as to the reason policies tend toward being long, convoluted, and legalistic. Privacy practices are complex and plaintiffs’ attorneys and regulators can be unforgiving. For example, a company that does not intend to sell, rent, or share information, may want to simply say that to consumers using those eight words “we do not sell, rent or share information.” The truth is, however, that there are no definitives when it comes to information. If the company has service providers (as most companies do), it inevitably shares information with consultants, lawyers, product fulfillment companies, etc. If a company receives a subpoena (which any company could), it may have to share information with the government. If the company is acquired (which many companies are), it will sell the information to the acquirer. If the company is sued, it may have to share the information with a plaintiff. The eight word statement, suddenly becomes a 100 word list of exceptions and exclusions to ensure that a company is not accused of deception by carrying out normal (and in most cases unavoidable) sharing practices.

The net result is that the precision that the plaintiff’s bar and some regulators have demanded, forces companies away from brevity and toward legalese. The end result is a precise policy that no consumer has the time (or attention span) to read.