Lawmakers propose TLDR Act because no one reads Terms of Service agreements
The bill calls for concise, machine readable summaries of how websites and apps use client data
Almost no one bothers to read the Terms of Service agreements on websites so a group of US lawmakers on Thursday proposed a bill to require that commercial websites and mobile apps translate their legalese into summaries that can be more easily read by people and by machines.
The bill, titled the Terms-of-service Labeling, Design and Readability (TLDR) Act [PDF], was introduced by Lori Trahan (D-MA-03), Senator Bill Cassidy (R-LA), and Senator Ben Ray Luján (D-NM), making it technically a bipartisan effort – something of a rarity at a time when the two major US political parties can't agree on basic facts like who was lawfully elected President in 2020.
"For far too long, blanket terms of service agreements have forced consumers to either ‘agree’ to all of a company’s conditions or lose access to a website or app entirely," said Congresswoman Trahan, a member of the House Subcommittee on Consumer Protection and Commerce, in a statement. "No negotiation, no alternative, and no real choice."
"To further slant the decision in their favor, many companies design unnecessarily long and complicated contracts, knowing that users don’t have the bandwidth to read lengthy legal documents when they’re simply trying to message a loved one or make a quick purchase."
"The potential for abuse is obvious, and some bad actors have chosen to exploit these agreements to expand their control over users’ personal data and shield themselves from liability."
"Users should not have to comb through pages of legal jargon in a website’s terms of services to know how their data will be used," said Senator Cassidy in a statement. "Requiring companies to provide an easy-to-understand summary of their terms should be mandatory and is long overdue."
US citizens and residents will continue to wade through – and be bound by – obtuse legal language when it comes to property transactions, employment agreements, non-disclosure agreements, loans, tax forms, medical forms, and other contracts. But at least if this bill becomes law, egregious Terms of Service like the "Herod clause" – through which London Wi Fi users in 2014 unwittingly signed away their eldest child to F-Secure – will not be a concern.
It's not a new problem
Terms of Service agreements – similar but not the same as End User License agreements – have long troubled advocacy groups. The Electronic Frontier Foundation, for example, has referred to them as Terms of Abuse, arguing that they let online service providers rewrite their legal relationship with customers, which should be governed by established laws.
The TLDR Act, fittingly enough, comes with a summary [PDF] because even reading a nine-page bill can be a bit much when distracted by social media, app notifications, and all the people who are wrong on the internet and must be dealt with. It exempts "small businesses" under section 3 of the Small Business Act (15 U.S.C. 632), which itself isn't easily summarized. There's a table [PDF] that lists specific employee and/or revenue criteria, if you're really interested.
For a company in the "Internet Publishing and Broadcasting and Web Search Portals" sector to be exempt, it must have fewer than 1,000 employees. Per the Treasury Department, "if you were selling Computer Programming Services under NAICS code 541511 your average annual receipts over the past three years would have to be below $21m to qualify as a small business concern."
So assuming the bill becomes law, companies large enough to be covered will be required to include concise summaries of the Terms of Service atop their Terms of Service pages.
"Our bipartisan & bicameral legislation gives power back to consumers by requiring that online companies make their terms of service contracts more accessible, transparent & understandable (like this! ⬇️)." – Congresswoman Lori Trahan (@RepLoriTrahan), January 13, 2022
These summaries should spell out: the categories of data collected and whether said data is necessary for the service; whether that data can be deleted and, if so, how to do so; legal requirements, such as the use of arbitration for disputes; a change log; and a list of data breaches for the past three years.
Summaries "shall be easy to understand, machine readable, and may include tables, graphic icons, hyperlinks, or other means determined by the [Federal Trade Commission]," the bill says.
And the full Terms of Service document must be displayed and marked up in an "interactive data format" such as XML, so contractual terms can be more easily analyzed.
The law does not require companies to identify all the third parties that might receive user data, perhaps because summaries listing third-party data partners and tracking hosts in apps could get too long to read.
Though the median number of ad trackers per website and per app tends to be low – e.g. 7 and 10 [PDF] respectively – some websites, like news sites, have 40 or more trackers and some apps have more than 30. The App Privacy disclosure forced on Meta's (Facebook's) Messenger by Apple's App Store rules goes on for pages if you click the See Details link.
The TLDR Act isn't a substitute for robust federal privacy regulation, but perhaps it will help move the US in that direction. ®