This report is part of The Understanding “the Biggest Lie on the Internet” Project, unpacking the reasons individuals agree to terms of service and privacy policies without accessing, reading, or understanding them.

Who gives people the most to read during digital service sign-up?

This report assesses the length and reading time for the privacy and terms of service policies of 70 digital services, including: social media services, popular apps, Canadian and American internet service providers (ISPs), and Canadian and American banks.

Summary of Key Findings

  • Overall, the privacy policies (PP) and terms of service (TOS) across various digital services present individuals with a considerable amount to read.
  • 57 of 70 services require an hour or more for the reading of both the terms of service and privacy policy materials.
  • 34 of 70 services require two hours or more.
  • Some policy materials are extremely long, requiring a considerable amount of time just for the individual service.
  • TELUS has policy materials reaching 123,049 words, which would take 10.2 hours to read. SaskTel’s 86,804 words would take 7.1 hours, and Bell Aliant’s 85,089 words 6.8 hours.
  • Twitter’s policies would take 6.7 hours to read, while Airbnb’s would take 4.9.
  • American ISPs tended to have the longest policies, with AT&T’s massive 383,077 policy words requiring 30.7 hours, while Verizon and CenturyLink’s would require 9.6 and 8.2 hours respectively.
  • For the banks, in both Canada and the U.S., Tangerine’s policies were the longest with 67,988 words, requiring 5.4 hours.
  • Some digital services did provide shorter policies, including Amazon 6,137 words, 0.5 hours to read; Netflix 6,576 words, 0.5 hours; Fongo Mobile 9,470 words, 0.8 hours; Manulife 7,436 words, 0.6 hours; Bank of NY Mellon 5,536 words, 0.4 hours; and PNC 2,791 words, 0.2 hours.

Why Assess Digital Service Policy Length?

“I agree to the terms and conditions” is said to be “the biggest lie on the internet”[1]. This suggests people often click “agree” before accessing, reading, and understanding digital service policies. The length of terms of service and privacy policies may be contributing to these policy-ignoring behaviours[2]. But how long are digital service policies?

Previous assessments have analyzed the length of policies[3]; however, newer analyses of what we term “complete” policies are needed. An assessment of a complete policy counts not only the number of words on the primary policy page, but also the number of words on pages linked to the primary page. This assumes that definitions of terms, clarifications, guidelines, examples, etc., often linked to a primary policy, are vital to ensuring awareness and understanding for the reader. Indeed, if the goal is to provide individuals with the information they need to make decisions about digital engagement and the implications of agreement, reading beyond the ambiguity and generalization common to primary policy texts seems essential. Furthermore, ongoing assessments of digital service policy length are necessary to determine which digital services continue posting long policies viewed as a nuisance[4], and which are working to address “the biggest lie on the internet”.

How is Policy Length Assessed?

Assessments include the word count for each of the 70 digital services’ complete terms of service and complete privacy policy. As noted previously, a “complete” policy includes the materials presented on the policy page, and all relevant supplementary material presented via links on those pages.

Throughout 2019 and into early 2020, researchers accessed corporate websites for each service via desktop computer where all relevant policy materials were retrieved. Word count analyses were conducted for each policy text. A unique user reading speed was calculated for each policy text, using Brysbaert’s[5] reading rate specific to non-fiction texts, expressed in words per minute (wpm)[6]. Reading rates for policy texts in English tend to be slower for adults 60+ years of age, and individuals whose first language isn’t English[7]. With the wpm figures, the number of minutes and hours it would take to read each policy was assessed. Comparisons between policies are provided below.
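The calculation described above, written out as an added example (it is not the researchers' own tooling): it applies the formula given in note 6 to a “complete” policy made up of a primary page plus linked pages. The tokenization rule, the function names and the sample pages are assumptions constructed for illustration.

```python
import re

BASE_WPM = 238       # average adult reading rate for non-fiction (note 6)
BASE_WORD_LEN = 4.6  # average non-fiction word length in characters (note 6)

# Assumption: a word is a run of letters/digits, optionally joined by
# apostrophes or hyphens; the report does not state its tokenization rule.
WORD_RE = re.compile(r"[A-Za-z0-9]+(?:['’\-][A-Za-z0-9]+)*")

def unique_wpm(words):
    """Reading rate for one document: 238 * 4.6 / X, X = mean characters per word."""
    mean_len = sum(len(w) for w in words) / len(words)
    return BASE_WPM * BASE_WORD_LEN / mean_len

def reading_hours(word_count, wpm):
    """Hours needed to read word_count words at wpm, to one decimal place."""
    return round(word_count / wpm / 60, 1)

def complete_policy_stats(pages):
    """Word count, unique wpm and hours for a "complete" policy:
    the primary page plus every linked supplementary page."""
    words = [w for page in pages for w in WORD_RE.findall(page)]
    if not words:
        raise ValueError("no words found in policy pages")
    wpm = unique_wpm(words)
    return {"words": len(words), "wpm": round(wpm),
            "hours": reading_hours(len(words), wpm)}

# Constructed sample: a primary page and one linked page (not real policy text).
SAMPLE_PAGES = ["We share your data.", "Partners include advertisers."]

if __name__ == "__main__":
    print(complete_policy_stats(SAMPLE_PAGES))
    # Averages reported on this page: social media and major Canadian ISPs.
    print(reading_hours(34064, 211), reading_hours(51300, 205))
```

Longer average word length lowers the computed wpm, which is why the per-document rates reported below differ from service to service.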

Findings for all 70 Services

Social Media Services

  • Facebook and Twitter have the most policy words, with Twitter reaching 83,432 words.
  • Twitter’s policies would take 6.7 hours to read; Facebook’s 4 hours.
  • Unique reading speed for total policy words (TOS + PP) ranged from 198 wpm (Tumblr) to 222 wpm (Snapchat). The more wpm, the easier the text is to read.
  • TOS were considerably longer than PP for all social media services.
  • Average TOS length 27,105 words; average PP 7,958 words.
  • Average total policy words was 34,064 words, which would take 2.7 hours to read based on a 211 wpm unique reading speed.
  • All social media services sampled require more than 1.5 hours to read their policies.

Table 1: Social media terms of service reading time

Popular Apps

  • Airbnb has the most policy words at 60,784, and would take 4.9 hours to read.
  • iTunes has the second-most policy words at 33,651 and would take 2.7 hours.
  • Unique reading speed for total policy words (TOS + PP) ranged from 200 wpm (SHAREit) to 219 wpm (Bitmoji).
  • TOS were considerably longer than PP for all apps except for Uber and Netflix. Uber’s PP was more than double the length of its TOS.
  • 8 of 10 apps require more than an hour to read their policies.

Table 2: Popular apps terms of service reading time

Internet Service Providers (Canada – Major)

  • Telus has the most policy words, with a total of 123,049 words.
  • The Bell companies all have more than 70,000 words, with Bell Aliant at 85,089 words.
  • To read the Telus policies would take more than 10 hours; 6.8 hours for Bell Aliant.
  • Unique reading speed for total policy words (TOS + PP) ranged from 189 wpm (Vidéotron) to 210 wpm (Bell, Bell MTS, and Shaw).
  • Average TOS length 36,820 words; average PP 14,480 words.
  • Average total policy words was 51,300 words, which would take 4.2 hours to read based on a unique reading speed of 205 words per minute.
  • Most ISPs have TOS that are longer than their PPs, except for TELUS and Vidéotron.
  • All major ISPs sampled from Canada require an hour or more to read their policies.

Table 3: Internet service providers Canada major terms of service reading time

Internet Service Providers (Canada – Minor)

  • SaskTel has the most policy words at 86,804 words, which would take 7.1 hours to read.
  • Northwestel and Fido have 40,937 and 39,632 policy words respectively, requiring more than 3 hours each.
  • Unique reading speed for total policy words (TOS + PP) ranged from 197 wpm (Northwestel) to 213 wpm (Freedom Mobile).
  • Average TOS length 25,673 words; average PP 3,467 words. TOS were considerably longer than PPs.
  • Average total policy words was 29,140 words, which would take 2.4 hours to read based on a unique reading speed of 205 words per minute.
  • Chatr Mobile’s PP is 587 words long.
  • 10 of 10 ISPs had TOS that were longer than their PP.
  • 8 of 10 minor ISPs require 1.4 hours or more to read their policies.

Table 4: Internet service providers Canada minor terms of service reading time

Internet Service Providers (USA)

  • AT&T has the most total policy words, at 383,077 words, requiring 30.7 hours to read.
  • Verizon and CenturyLink also have a considerable number of policy words, with 115,641 and 100,907 words respectively.
  • Verizon’s policies would require 9.6 hours to read, and CenturyLink 8.2 hours.
  • American ISP TOS are quite long, with all ten considerably longer than their PPs. AT&T’s is 370,184 words and Verizon’s is 103,520 words.
  • Unique reading speed for total policy words (TOS + PP) ranged from 200 wpm (Verizon) to 209 wpm (Cox Communications).
  • 10 of 10 ISPs sampled require more than 2.4 hours to read their policies.
  • 8 of 10 require more than 3.5 hours to read their policies.
  • 6 of 10 require 5 or more hours to read their policies.

Table 5: Internet service providers USA terms of service reading time

Banks (Canada)

  • Tangerine has the most policy words, with a total of 67,988 words, requiring 5.4 hours to read.
  • TD Bank and CIBC have 50,207 and 39,799 policy words, respectively, each requiring more than 3.2 hours to read.
  • Unique reading speed for total policy words (TOS + PP) ranged from 197 wpm (Scotiabank) to 212 wpm (TD Bank).
  • Average TOS length 18,310 words; average PP 7,195 words.
  • Average total policy words was 25,505 words, which would take 2.1 hours to read based on a unique reading speed of 205 words per minute.
  • Most banks had a TOS longer than their PP, except for Scotiabank, Laurentian Bank, and Manulife.
  • 8 of 10 Canadian banks require an hour or more to read their policies.

Table 6: Banks Canada terms of service reading time

Banks (USA)

  • Wells Fargo has the most policy words, with 54,539 words, requiring 4.3 hours to read.
  • Bank of America was the only other bank whose policy word count was close to this figure, with 50,250 words.
  • 7 of 10 American banks had TOS with 6,255 words or fewer, and 4 with fewer than 2,000 words in the TOS.
  • Bank of NY Mellon and PNC had PPs with fewer than 2,000 words.
  • U.S. Bank did not have a TOS accessible from its corporate website.
  • Citibank’s TOS was 1,723 words, but its PP was 13,618 words.
  • Unique reading speed for total policy words (TOS + PP) ranged from 188 wpm (Citibank) to 215 wpm (Bank of America).

Table 7: Banks USA terms of service reading time

Conclusion

Offer too much to read and people will be overwhelmed. Provide too little, and important details will likely be hidden. Nissenbaum calls this the “transparency paradox”[8]. The current report asserts that most digital services assessed provide individuals with a lot of policy text to read, likely a prohibitive amount. It is important to emphasize not only that the length of policies for individual services can be prohibitive, but as individuals use multiple services, there are multiple policies to read, which creates a difficult scenario for individuals to navigate successfully[9].

Beyond the length of privacy policies and terms of service, it is important to emphasize that the amount of text, a lot or a little, does not necessarily correspond with whether the reader will understand both the words on the page as well as the implications of agreement[10]. For this reason, assessments of policy complexity (see this report) are also necessary. The challenges associated with ensuring meaningful online consent go beyond questions of policy length and available reading time.

While shorter policies may sound appealing[11], questions remain about whether shorter policies encourage people to read, or present enough information to support meaningful online consent[12]. Indeed, further research is necessary.

The current effort aimed to provide an empirical snapshot of two issues associated with “the biggest lie on the internet”: 1) How long are policies for digital services? and 2) How long will they take to read? With these components of an empirical foundation, hopefully efforts to address “the biggest lie on the internet” will proceed with a greater understanding of the challenges associated with digital service policy length and policy reading time.

Notes

1. Lannerö, P. (2012, January 27). Previewing online terms and conditions: CommonTerms alpha proposal. http://commonterms.org/commonterms_alpha_proposal.pdf; TOS;DR. (2022). Terms of service; didn’t read. https://tosdr.org.

2. See: Obar, J. A. & Oeldorf-Hirsch, A. (Forthcoming). Older adults and “the biggest lie on the internet”: From ignoring social media policies to the privacy paradox. International Journal of Communication.

3. McDonald, A. M., & Cranor, L. F. (2008). The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society, 540-565; Fiesler, C., Lampe, C., & Bruckman, A. S. (2016). Reality and perception of copyright terms of service for online content creation. In Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing (pp. 1450-1461); Amos, R., Acar, G., Lucherini, E., Kshirsagar, M., Narayanan, A., & Mayer, J. (2021, April). Privacy policies over time: Curation and analysis of a million-document dataset. In Proceedings of the Web Conference 2021 (pp. 2165-2176).

4. Obar, J. A., & Oeldorf-Hirsch, A. (2020). The biggest lie on the internet: Ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23(1), 128-147.

5. Brysbaert, M. (2019). How many words do we read per minute? A review and meta-analysis of reading rate. Journal of Memory and Language, 109, 1-30.

6. The formula from Brysbaert (see note 5 above) is: 238 * 4.6/X. The number 238 is said to be the average adult reading speed for non-fiction texts, 4.6 is said to be the average word length for non-fiction texts, and X is the average character count per word per unique document.

7. Brysbaert, M. (2019). How many words do we read per minute? A review and meta-analysis of reading rate. Journal of Memory and Language, 109, 1-30.

8. Nissenbaum, H. (2011). A contextual approach to privacy online. Daedalus, 140(4), 32–48.

9. See: Kröger, J. L., Lutz, O. H. M., & Ullrich, S. (2021). The myth of individual control: Mapping the limitations of privacy self-management. SSRN; Obar, J. A. (2019). Searching for data privacy self-management: Individual data control and Canada’s digital strategy. Canadian Journal of Communication, 44(2); Solove, D. J. (2012). Introduction: Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1880–1903.

10. See: Reidenberg, J. R., Breaux, T., Cranor, L. F., French, B., Grannis, A., Graves, J. T., Liu, F., McDonald, A., Norton, T. B., Ramanath, R., Russell, N. C., Sadeh, N., & Schaub, F. (2015). Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkeley Technology Law Journal, 30(1), 39-68.

11. Kelley, P. G., Cesca, L., Bresee, J., & Cranor, L. F. (2010). Standardizing privacy notices: an online study of the nutrition label approach. In Proceedings of the SIGCHI Conference on Human factors in Computing Systems (pp. 1573-1582); Emami-Naeini, P., Dheenadhayalan, J., Agarwal, Y., & Cranor, L. F. (2021). An informative security and privacy “nutrition” label for internet of things devices. IEEE Security & Privacy, 20(2), 31-39.

12. Ananny, M., & Crawford, K. (2018). Seeing without knowing: Limitations of the transparency ideal and its application to algorithmic accountability. New Media & Society, 20(3), 973–989; Obar, J. A., & Pan, J. (2021). Open communication about network neutrality? Assessing the internet traffic management transparency of Canadian internet carriers. Canadian Journal of Communication, 46(3), 629-644; Obar, J. A. (2022). Defining and assessing data privacy transparency: A third study of Canadian internet carriers. International Journal of Communication, 16, 1688-1712; Schaub, F., Balebako, R., & Cranor, L. F. (2017). Designing effective privacy notices and controls. IEEE Internet Computing, 21(3), 70–77.

Acknowledgements

Thank you to Andrew Hatelt for the research assistance and to Valeta Wensloff for the graphic design. This project received funding from the Office of the Privacy Commissioner of Canada and York University.