Federal laws needed to protect users from confusing privacy policies, research shows


If you’re like most people, chances are you have agreed to a terms of service or privacy policy without actually reading the document all the way through.  

Many companies use tactics that intentionally discourage users from reading and understanding what they’re agreeing to, ultimately resulting in users giving broad access to their personal information, according to a recent paper by a Mercer University professor and alumnus. Federal regulations are needed to address the problems of these unfair contracts, they concluded. 

“Deliberately Confusing Language in Terms of Service and Privacy Policy Agreements,” by Associate Professor of Computer Science Dr. Johnathan Yerby and Class of 2022 graduate Ian Vaughan, was published in the journal Issues in Information Systems. 

“It’s just a risk that we accept in today’s society — that you might be signing your life away. But that’s not how it should be,” said Vaughan, who double-majored in information science and technology and cybersecurity at Mercer and now works as a cyber engineer at Raytheon Technologies. He started the paper as a project in his security laws, ethics and policies class, taught by Dr. Yerby, and it developed from there. 

Only one in five Americans say they always or often read a company’s privacy policy before agreeing to it, and even fewer say they understand a great deal of what they read, according to a Pew Research Center study cited in the paper.

“People are confused by those terms of service and those privacy policies,” Dr. Yerby said. “We found several examples of companies that are intentionally confusing people, and they’re using something called an adhesion contract, which has regularly been found to be unfair.” 

In an adhesion contract, one party, usually the service provider, has substantially more power than the second party, usually the user. The user is often compelled to agree to the contract while the company retains all the rights to accept, refuse or modify the agreement. 

“You have no power. You have no room to negotiate,” Dr. Yerby said. 

The paper identified several examples of hidden provisions found in terms of service documents. For example, in 2015, Spotify updated its terms of service to include a provision that gave the company access to everything stored on the phone that had Spotify installed. The provision was later removed.  

To this day, Facebook’s terms of service give Facebook and parent company Meta wide-reaching permission to users’ content and personal data, even after the content is deleted. Users’ content and data may be used in advertising, sold to third parties or used in any number of other ways that make money for Facebook and Meta. 

“The contracts are there only to protect the business at the expense of the customer’s privacy, awareness and power to do anything about it,” Dr. Yerby said. 

Terms of service and privacy policies are not regulated at the federal level, though some states have begun enacting laws to give more rights to consumers. This approach can be problematic, though, because laws will inevitably vary from state to state.

“It’s just going to create a compliance nightmare, and companies aren’t going to be able to effectively do business from state-to-state,” Dr. Yerby said.  

In their paper, Dr. Yerby and Vaughan suggested potential legislative solutions, including requiring plain-language contracts and creating an updated format so users can find, read and understand the terms that they are agreeing to. Updated Android permissions, which let users allow or deny an app access to certain functions on their phone, may also offer a framework that can be applied to the problem.

Dr. Yerby said that without sweeping reforms, users are subjected to the privacy practices of companies that they interact with and have little to no control.

“Unfortunately, it’s a case where the companies that we want or need to interact with have the power. So, the user can abstain, which might be a realistic solution for some things but not always,” he said. “The only real thing you can do is if you’re ever in a position where you can advocate for national reform, do that.”

