This work was supported by the TRUST Center (NSF award number CCF )

Introduction

In 1995 Mary J. Culnan stated that “fair information practices reflect three conditions of ‘knowledge, notice, and no’. First, consumers must be aware that personal information has been collected. Next, consumers must also be aware that their personal information may be shared with third parties. Finally, consumers must also be able to restrict their personal information from being shared with third parties if they choose.”

The current industry practice is to meet the obligations of knowledge and notice by creating and posting a privacy policy/statement on the company’s website. The issue with current practice is that there are no real guidelines or rules in place to ensure that these documents are written understandably so that, if read, they actually fulfill their stated purpose, which is to give consumers knowledge and notice of a company’s information practices.

There have been a number of studies conducted on the readability of privacy policies. These studies have tended to focus either on health-industry-specific policies or on websites ranked very high on popular website lists. This fails to capture the readability of the privacy policies of those websites that should most be required to ensure that their customers have both knowledge and notice, i.e. those websites actively engaged in selling their customers’ information.

Many companies sell consumer data to third parties such as list brokers or direct marketers. The list broker industry is involved in the sale of huge volumes of personally identifiable information linked to sensitive behavioral, medical, and demographic elements to almost anyone who wishes to purchase it. These list brokers advertise their databases through list search services such as NextMark, a freely available online service, which hosts 60,000 advertisements for list rentals known as “data cards”.
The NextMark service claims that it contains over 37,000 data cards advertising consumer lists and 8,870 data cards advertising lists.

Methodology

- Created Web Crawler using Python
- Collected “data cards” from
- Verified origin of information in data cards
- Removed duplicated data cards and URLs
- Collected privacy policies from web sites selling their customers’ information
- Analyzed privacy policies using style.exe available from
- Separated Statistics on the Privacy Policies according to whether the company’s practices violated their privacy policies, did not violate their privacy policies, or whether their privacy policy was ambiguous
- Created pivot tables comparing the readability statistics of the different categories of privacy policies

Results

How long does it take to read an average privacy policy?

- The average American adult reads at an average rate of words per minute (
- The average word count of the privacy policies examined was 1436 words.
- It would take an average adult approximately 6 minutes to read a privacy policy of average length.

How difficult is it to understand an average privacy policy?

- The average American adult reads at the 8th grade level.
- The privacy policies in our sample earned an average of approximately 13.6 across multiple readability tests.

Is there a correlation between the popularity of a web site and its privacy policy?

- No

Privacy Policy Language
Author: Robert Carlson
Faculty Advisor: Chris Hoofnagle, J.D. and Nathan Good, Ph.D.
Implications

Given that the average American adult reads at approximately 5.5 levels below the level of the average privacy policy and would take approximately 6 minutes to read it if they were not struggling to comprehend what they were reading, and there seems to be no correlation between the popularity of a web site and the complexity and length of its privacy policy, the logical conclusion is that the average American adult is not reading these privacy policies and, if they are reading them, then they are most likely not understanding what they are reading. This being the case, it seems disingenuous to claim that privacy policies are providing adequate knowledge and notice of a company’s information practices, and thus these companies, knowingly or not, are engaging in unfair information practices.

Further Work

- Evaluate the evolution of privacy policies over time
- Conduct usability tests on privacy policies to gain a better understanding of their effectiveness
- Compare the readability of privacy sections of websites with other comparable sections of the site such as the terms of service, FAQs, and support pages
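
The readability comparison described under Methodology and Results can be sketched as follows. This is an added example, not the poster's crawler or the style.exe tool: it assumes two standard grade-level formulas (Flesch-Kincaid and the Automated Readability Index), uses an approximate syllable heuristic, and runs on constructed sample texts.

```python
import re

READER_GRADE = 8  # adult reading level stated on the poster

def count_syllables(word):
    """Approximate syllables: vowel groups, minus a silent trailing 'e'."""
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if n > 1 and word.endswith("e") and not word.endswith("le"):
        n -= 1
    return max(n, 1)

def text_stats(text):
    """Count sentences, words, letters and syllables in plain text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+", text)
    if not sentences or not words:
        raise ValueError("text contains no words")
    return {
        "sentences": len(sentences),
        "words": len(words),
        "letters": sum(len(w) for w in words),
        "syllables": sum(count_syllables(w) for w in words),
    }

def grade_report(text):
    """Score text with two grade-level formulas and compare to READER_GRADE."""
    s = text_stats(text)
    words_per_sentence = s["words"] / s["sentences"]
    fk = 0.39 * words_per_sentence + 11.8 * s["syllables"] / s["words"] - 15.59
    ari = 4.71 * s["letters"] / s["words"] + 0.5 * words_per_sentence - 21.43
    mean = (fk + ari) / 2
    return {"flesch_kincaid": fk, "ari": ari, "mean": mean,
            "gap": mean - READER_GRADE}

# Constructed sample texts, not taken from any real privacy policy.
PLAIN = ("We collect your name and email. We may sell them to other firms. "
         "You can tell us to stop.")
DENSE = ("Notwithstanding the foregoing, personally identifiable information "
         "may be disclosed to unaffiliated third parties, including marketing "
         "organizations, for promotional purposes unless the consumer "
         "affirmatively exercises applicable restriction procedures.")

if __name__ == "__main__":
    for name, text in (("plain", PLAIN), ("dense", DENSE)):
        r = grade_report(text)
        print(f"{name}: mean grade {r['mean']:.1f}, gap {r['gap']:+.1f}")
```

A positive gap means the text is written above the stated reader level; the same disclosure in short sentences and common words scores below it.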