For good reason, American adults are outraged in light of the Equifax breach. Not only has their personal data been compromised, but the company’s communications, or lack thereof, have compounded the frustration. The delay in disclosure, the lack of breach details, and the unclear language about enrollees in its monitoring service giving up their legal rights have raised even more ire.
The unfortunate lack of federal regulations protecting consumers in the US doesn’t help. On the other hand, in the EU the General Data Protection Regulation (GDPR) that goes into effect May 28, 2018 puts teeth into its data protection requirements. US companies doing business that involves processing the data of individual EU citizens risk forfeiting between 2% and 4% of top line revenue if they are not compliant.
One of the core requirements of the GDPR is that companies are transparent, and use clear and plain language about how they use personal data. In fact, there are 7 separate references to ‘clear and plain language’ in the regulation.
Here’s one example:
The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
What does this mean for you?
Companies must state in ‘clear and plain language’ how they will handle data, for what purpose and by whom. For example, if a company holds data related to children, then the reading level of the content must be accessible for those children.
Here’s what the regulation says:
Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
Companies must test all privacy policies and related content for clarity. In this article, we’ll look at how you can test content.
A little about Clarity and Readability
The good news is that there are well-established readability tests. The two most widely used are the Flesch Reading Ease Index and Flesch-Kincaid. They score reading difficulty using two factors: the average number of syllables per word and sentence length.
- The Flesch Readability score is a number between 0 and 100. The higher the score, the easier the text is to read.
- Flesch-Kincaid is similar, but inverse. It approximates the number of years of education required to easily understand the content. The lower the grade level, the easier the text is to read.
The following table helps to understand the score for Flesch Reading Ease:
90-100: Very Easy
80-89: Easy
70-79: Fairly Easy
60-69: Standard
50-59: Fairly Difficult
30-49: Difficult
0-29: Very Confusing
How do you score your content?
There are a few options available. For example, MS Word has both scores built in. That’s useful as you can see how difficult a document is. But Word does not score down to the paragraph level. So, you can’t easily see which sections have issues, making it hard to fix.
We went online and analyzed privacy statements from some international companies operating in the UK, including AIG, BNP Paribas, Amazon, and Siemens.
For our analysis, we used a lightweight readability tool for documents, web, and text (VisibleThread Readability). It flags issues at paragraph level, and it’s free.
Here are the Clarity results:
Some quick takeaways:
- Readability – The grade level ranges from grade 11 to grade 19, meaning you would need 19 years of education to easily understand the Siemens summary of 3rd party rights, the equivalent of an advanced 3rd level degree.
- Word Count and Spread of Content – Of the 4 companies, 3 have more than 2,500 words. Siemens has 554 words. But its auxiliary document contains 3,711 words.
- What drives poor readability? When you look at the Siemens doc, 69% of sentences are long, meaning more than 20 words. The average sentence length is a whopping 33 words. These characteristics make the content very dense. The score for passive voice is extremely high at 48%.
Based on this sample set, these companies need to rewrite their privacy statements in ‘clear and plain language’. Otherwise they will fall afoul of the GDPR.
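As an added example (not part of the original article, and not the code of the tool it mentions), the Python below computes the two Flesch scores described above for each paragraph, plus the share of sentences over 20 words used in the takeaways. The syllable counter is a simple vowel-group heuristic (an assumption) and the sample policy text is constructed, so results will differ slightly from commercial tools.

```python
import re

LONG_SENTENCE_WORDS = 20  # the article treats sentences over 20 words as long

# Constructed sample text (not taken from any real privacy policy).
SAMPLE_POLICY = """\
Personal information that is provided by you may be disclosed to affiliated third parties for the purposes of administration, notwithstanding any restrictions that are otherwise applicable under the agreement.

We collect your name and address when you open an account. We use this information to send your statements. You can ask us to delete it at any time."""

def count_syllables(word):
    # Heuristic (assumption): one syllable per vowel group, minus a silent
    # trailing "e" (but not "-le"); real tools use dictionaries or finer rules.
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)

def score_paragraph(paragraph):
    # Split on sentence-ending punctuation, then keep only sentences with words.
    raw = re.split(r"(?<=[.!?])\s+", paragraph.strip())
    sentences = [ws for ws in (re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", s) for s in raw) if ws]
    words = [w for ws in sentences for w in ws]
    if not words:
        return None
    asl = len(words) / len(sentences)                    # average sentence length
    asw = sum(map(count_syllables, words)) / len(words)  # average syllables per word
    ease = 206.835 - 1.015 * asl - 84.6 * asw            # Flesch Reading Ease
    grade = 0.39 * asl + 11.8 * asw - 15.59              # Flesch-Kincaid grade level
    long_count = sum(len(ws) > LONG_SENTENCE_WORDS for ws in sentences)
    return {
        "words": len(words),
        "sentences": len(sentences),
        # The raw formula can leave 0-100 on extreme text; clamp to that scale.
        "reading_ease": round(min(100.0, max(0.0, ease)), 1),
        "grade_level": round(grade, 1),
        "long_sentence_pct": round(100 * long_count / len(sentences)),
    }

def score_document(text):
    # Paragraphs are separated by blank lines; each is scored on its own.
    paragraphs = [p for p in re.split(r"\n\s*\n", text) if p.strip()]
    return [s for s in map(score_paragraph, paragraphs) if s]

if __name__ == "__main__":
    for i, s in enumerate(score_document(SAMPLE_POLICY), 1):
        print(f"paragraph {i}: {s}")
```

Scoring each paragraph separately is what exposes the dense first paragraph; a single document-wide average would blend it with the plain second one.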
How do you fix the content?
The first step is to break down the content to see the troublesome areas. We’ll use an extract from the AIG privacy policy (https://www.aig.co.uk/privacy-policy).
In this report, we flag very long sentences, passive voice, adverbs and hidden verbs. This report color-codes the issues, so it’s simple to diagnose.
Imagine a person with disabilities reading this. Or someone with only a high school level education. Or a person without English as a first language. Or a child. Intuitively, we can tell it’s too complex.
Even with the most technical subject matter, it is always possible to simplify. This long-winded, verbose language needs to be pared down.
In a simple rewrite of the first statement, we reduced the word count from 53 to 36 and removed the passive voice. We did not dilute the meaning or lose any legal impact.
Comparing the before and after versions, brevity and clarity are improving:
This technique of splitting sentences, removing passive voice and editing verbose language dramatically improves readability.
Most importantly, it allows you to comply with your GDPR ‘plain and clear language’ obligations. And that’s the law.
Takeaways
- The GDPR (General Data Protection Regulation) mandates clear and plain language for any company operating in the EU. It becomes law in May 2018.
- US companies operating in the EU also fall under this regulation.
- We analyzed the privacy statements for four companies operating in the EU. All were non-transparent and failed to use clear and plain language.
- You can easily score content for plain language using software tools. Some provide instant reports on problematic content and suggest fixes.
You can use tools like this not just for GDPR and privacy related content, but to score and improve the clarity of any content, whether blogs, marketing materials, brochures, and more.