Abstract
The most systematic legislative attempt to bring more order to the chaotic world of privacy is the EU General Data Protection Regulation (GDPR). The primary objective of the GDPR is to level the playing field and give individuals more control over their personal data. Among other things, the GDPR aspires to force companies to be more transparent about data collection and usage. Along these lines, the GDPR requires firms to clearly communicate privacy terms to end users by using “clear and plain language” in their privacy agreements. In this study, we ask whether, half a year post-GDPR, firms offer users online privacy agreements that are written in a readable manner. To that end, we empirically examine the readability of privacy policies of 300 highly popular websites. The results indicate that, in spite of the GDPR’s requirement, users often encounter privacy policies that are largely unreadable. After presenting the empirical results, we further discuss the legal and policy implications of our findings.