(Bloomberg Businessweek) -- Eleanor Margolis had used PayPal for more than a decade when the online payment provider blocked her account in January. The reason: She was 16 years old when she signed up, and PayPal Holdings Inc. insists she should have known the minimum age is 18, because the rule is clearly stated in terms and conditions she agreed to. Clearly stated, that is, in a document longer than The Great Gatsby—almost 50,000 words spread across 21 separate web pages. “They didn’t have any checks in place to make sure I was over 18,” says Margolis, now 28. “Instead, they contact me 12 years later. It’s completely absurd.”
Personal finance forums online are brimming with complaints from hundreds of PayPal customers who say they’ve been suspended because they signed up before age 18. PayPal declined to comment on any specific cases, but says it’s appropriate to close accounts created by underage people “to ensure our customers have full legal capacity to accept our user agreement.” While that may seem “heavy-handed,” says Sarah Kenshall, a technology attorney with law firm Burges Salmon, the company is within its rights because the users clicked to agree to the rules—however difficult the language might be to understand.
Websites have long required users to plow through pages of dense legalese to use their services, knowing that few ever give the documents more than a cursory glance. In 2005 security-software provider PC Pitstop LLC promised a $1,000 prize to the first user to spot the offer deep in its terms and conditions; it took four months before the reward was claimed. The incomprehensibility of user agreements is poised to change as tech giants such as Uber Technologies Inc. and Facebook Inc. confront pushback for mishandling user information, and the European Union prepares to implement new privacy rules called the General Data Protection Regulation, or GDPR. The measure underscores “the requirement for clear and plain language when explaining consent,” British Information Commissioner Elizabeth Denham wrote on her blog last year.
“I’m a lawyer, and I have no idea what that means”
During two days of testimony before the U.S. Congress this month, Mark Zuckerberg, Facebook’s chief executive officer, was repeatedly chastised for burying important information in text that’s rarely read. Waving a 2-inch-thick printed version of the social network’s user agreement, Senator Lindsey Graham quoted a line from the first page, then intoned: “I’m a lawyer, and I have no idea what that means.” The South Carolina Republican later asked Zuckerberg whether he thinks consumers understand what they’re signing up for. The Facebook CEO’s response: “I don’t think the average person likely reads that whole document.”
GDPR, which comes into force in Europe in May and calls for fines as high as 4 percent of a company’s global revenue for violations, will make it tougher to get away with book-length user agreements, says Eduardo Ustaran, co-director of the cybersecurity practice at law firm Hogan Lovells. He suggests that companies streamline their rules and make sure they’re written in plain English. If a typical user wouldn’t understand the documents, the consent that companies rely on for their business activities would be legally invalid. “Your whole basis for using people’s personal data would disappear,” Ustaran says.
Companies are scrambling to ensure their user agreements comply with the law, says Julian Saunders, founder of Port.im, a British software maker that helps businesses adapt to GDPR. But he says many website owners aren’t yet explicit enough in stating why they’re collecting a consumer’s information, which other companies might gain access to it, and how people can ensure their data are deleted if they request it. Saunders says he’s signed up 100 businesses for the service and urges them to bend over backward in helping users understand the details. “Areas that used to get hidden in the small print of terms and conditions should now be exposed,” he says.
Martin Garner, an analyst at technology consultancy CCS Insight, suggests companies walk readers through their policies step by step. That way they could opt out of selected provisions—limiting, for instance, third parties that can gain access to the data or restricting the kinds of information companies may stockpile. Much of what’s in the terms and conditions might be affected by the settings a user chooses, and including that information in the initial agreement unnecessarily complicates the document. “Users typically only have the choice of accepting the terms and conditions in their entirety or not using the service at all,” Garner says. Companies must “pay much closer attention to explaining to users how their data will be stored and used and getting them to consent to that explicitly.”
To contact the author of this story: Nate Lanxon in London at nlanxon@bloomberg.net.
To contact the editor responsible for this story: David Rocks at drocks1@bloomberg.net.
©2018 Bloomberg L.P.
