Est.

Communicating Data Use in Plain Language to Users

There is a version of this problem where users are the villains. They don't read. They click "accept" on anything that stands between them and the content they want. That story is…

Senior Writer · · 11 min read
User Trust & Transparency · July 17, 2026 · 11 min read · 2,420 words

There is a version of this problem where users are the villains. They don't read. They click "accept" on anything that stands between them and the content they want. That story is convenient, especially for the organizations writing the notices, because it moves responsibility off the page and onto the person reading it.

The data doesn't support that story. Surveys consistently find that the vast majority of consumers say they struggle to fully understand how their data is handled, and yet privacy concern, across demographic groups, remains high. That's not apathy. That's frustration at a system that keeps asking people to engage with something designed to be impenetrable.

The gap between concern and engagement is where the real problem lives. And plain language is, I'd argue, the most underutilized tool we have for closing it.

Why users skip data notices even when they care about privacy

When I first started working on data governance communications, I assumed the core challenge was convincing people to pay attention. It took six months of watching real users interact with real notices to understand I had it backwards. The attention was often there. The access wasn't.

More than half of U.S. internet users accept privacy policies without reading them, almost always or often, according to a 2023 survey. Among people aged 18 to 29, roughly three in four do the same. These are not uniquely reckless people. Many of them will tell you, if you ask, that they find data privacy important. The paradox is right there on the surface.

What produces it is friction. Not indifference. A privacy policy takes roughly 30 minutes to read properly. Users spend, on average, about 73 seconds on one. That isn't laziness; it's a rational allocation of limited time in the face of a document that signals, from its first paragraph, that it was not written for them. Skimming becomes the only viable strategy, and skimming means missing everything material.

The question worth asking isn't why users skip these notices. It's why we keep writing them in a form that guarantees they will.

How unreadable the documents actually are

A large-scale analysis of nearly 50,000 privacy policies found that the average policy is hard to read. A 2024 analysis of nine major social media platforms found that every one of them requires college-level comprehension to parse meaningfully. Roughly 20% of privacy policies demand near-post-graduate reading ability.

These are documents that the general public is expected to understand and act on.

What makes it worse is that the most privacy-forward category, large language model providers, appears to be moving in the wrong direction. A longitudinal study found that their policies are getting longer and harder to read over time, and that approximately three quarters of sentences in those policies still contain at least one vague, obfuscating word, like "might" or "sometimes," that undermines any appearance of specificity.

The structural problems compound the linguistic ones. Dense paragraphs with no headers. Buried calls to action. No clear hierarchy telling a reader where to look first. Even when individual words are familiar, the absence of navigable structure makes meaning hard to extract. This is not an accident of legal drafting conventions. It is a design outcome, and design outcomes can be changed.

The argument I want to make, and will return to throughout this piece, is that illegibility is a choice. Which means legibility is also a choice.

What users actually fail to understand, and what that costs them

Four in ten consumers believe they have data rights but can't describe what those rights are. In Deloitte's 2025 Connected Consumer Survey, only 20% of respondents said tech providers are "very clear" about what data they collect or how it's used. That number is striking precisely because it's so low after years of GDPR, CCPA, and the attendant wave of privacy notices.

All that disclosure activity, and only one in five users feels well informed.

The consequences aren't abstract. Research from CHI 2024 showed that the specific language used in purpose descriptions — how positively something is framed, how vague or concrete it is — directly influences whether users consent to or decline data processing. Unclear language doesn't just confuse; it distorts the decision. A user who consents because they failed to understand what they were consenting to hasn't exercised autonomy. They've just clicked a button.

The trust signal is moving accordingly. Fewer than half of users now believe the benefits of online services outweigh privacy concerns, down from a majority as recently as 2024, the lowest level recorded since tracking of that sentiment began. Eroding comprehension and eroding trust are not separate phenomena — they move together because they are related. When people can't understand what they've agreed to, they tend to assume the worst, often correctly.

What the law actually requires, and why compliance alone doesn't produce clarity

The GDPR uses the phrase "clear and plain language" seven times. Article 12 requires that data communications be concise, transparent, intelligible, easily accessible, and written plainly. The Article 29 Working Party guidance goes further, explicitly calling out overly legalistic, technical, and specialist terminology as non-compliant, and recommending readability testing or user studies to verify that the average member of the intended audience can actually understand a notice.

This is not ambiguous. The legal standard exists. And yet the landscape of privacy communications looks the way it does.

Part of the tension is structural. The GDPR's detailed disclosure requirements and the brevity that plain language demands pull in opposite directions. You must disclose legal bases, retention periods, controller identity, recipient categories, international transfer safeguards, and more. Fitting all of that into something a general audience can read in one sitting is difficult.

Supervisory authorities have said clearly that the solution is graduated presentation, not reduced content. You don't have to choose between comprehensive and readable; you sequence them. The UK's Information Commissioner's Office has noted that getting this wrong exposes organizations to fines and reputational damage. A 2024 tribunal confirmed, significantly, that users' failure to read a notice does not in itself prove it was inaccessible, which means organizations can't point to low engagement as a defense.

The sharpest case is children. When a service is used by minors, vocabulary, tone, and style must be age-appropriate. Readability becomes not aspirational but mandatory. That standard, I'd argue, is a useful lens for thinking about adult communications too, not because adults should be treated like children, but because the design discipline required to communicate with a younger audience produces documents that are notably clearer for everyone.

The layered notice: separating what users need first from what they need later

The layered notice is not a new idea, but it remains underimplemented in practice. The concept is simple: a short, plain-language summary covering controller identity, main purpose, legal basis, key recipients, and retention, followed by full statutory detail in subsequent layers for those who want or need it.

This matches how users actually engage. At average reading speed, a practical first-layer budget is roughly 450 words. That's not much. Every word in that layer has to earn its presence.

The European Data Protection Board has given layering a concrete usability standard for mobile contexts: full detail should be no more than two taps away. That's not just a structural principle; it's a usability test. If a user has to work hard to find the detailed layer, the layering hasn't helped.

One important caveat: layering is a structural solution, not a linguistic one. Research shows that users still have to exert significant effort to understand even well-structured layered policies when the language within each layer is opaque. The architecture creates the opportunity; the writing has to realize it. Structure and language are not substitutes for each other.

Privacy Notice Clarity: Opaque vs. Plain Language

Writing principles that close the comprehension gap at the sentence level

The WP29 guidance references the KISS principle directly: keep it simple. Replace excess nouns with verbs. Use concrete rather than abstract words. Avoid language that permits multiple interpretations.

That last point is doing more work than it appears to. Vague modal verbs, "might," "may," "sometimes," "could," appear in roughly three quarters of sentences in LLM provider policies, as noted above. When an organization's actual practice is specific, using a vague modal is both a writing failure and a trust failure. "We share your email address with our email marketing provider to send you weekly offers" says something specific that a user can evaluate. "We share personal data with third-party service providers for operational purposes" says something vague. Both can be legally compliant. Only one respects the reader.

Active voice and second-person address, "we collect," "you can," lower cognitive load without sacrificing accuracy. Short sentences give readers room to process one idea before encountering the next.

Context matters in ways that go beyond vocabulary. The CHI 2024 research I mentioned earlier showed that even framing, whether a data practice is described in positive or negative terms, shifts user perception and consent behavior. Word choice is rarely neutral. A writer who understands that is in a very different position than one who thinks of privacy language as boilerplate.

Recent research from the Association for Consumer Research, published in 2025, found that plain language summaries in contracts increase willingness to share personal information through improved understanding. The same research surfaced an important nuance: when plain language reveals unfavorable terms, it can reduce trust. That finding sounds like a problem for plain language advocates, but I read it differently. Clarity only reduces trust when the underlying practice is one users would object to if they understood it. Which means the real problem, in those cases, is the practice, not the prose.

Formats that work better than walls of text

An online study of 764 participants found that standardized label formats, the privacy equivalent of a nutrition label, produced significant positive effects on accuracy and speed of information-finding, and on reader enjoyment of privacy policies. That last metric is worth pausing on. Enjoyment. In the context of privacy policies. The baseline for that experience is so low that improvement is measurable.

Apple's App Store privacy labels demonstrate what this looks like at scale: what data is collected, whether it's linked to identity, and for what purpose, surfaced at the point of decision in a consistent visual format. Users don't have to read a document. They compare data practices the way they'd compare nutritional content.

GDPR Recital 58 explicitly endorses visualization alongside plain language when communicating with the general public. Icons and infographics are not a concession to short attention spans; they are a recognized compliance instrument. The European Data Protection Board guidance specifies that privacy links should be visible on every page, labeled plainly as "Privacy" or "Privacy Policy." That's a usability floor, not a design ceiling.

The Center for Plain Language's analysis of major platform privacy policies found that structure, meaning headers, bullets, and navigable sections, is as critical as vocabulary. A clearly written wall of text still fails. The eye needs somewhere to go.

Just-in-time notices work on the same principle from a different angle. A brief, plain-language disclosure delivered at the moment data is captured meets users where context makes the information immediately relevant. You don't need to understand your entire data relationship with a platform upfront. You need to understand what's about to happen when you're about to make a choice.

Where AI tools help users understand notices, and where they don't yet replace better writing

LLM-based tools have shown real promise here. Research published in 2025 by Sun and colleagues demonstrated that LLMs can increase user confidence and decrease cognitive load when navigating privacy policies. A contextual assistant called CLEAR, evaluated across ChatGPT and Gmail's Gemini plugin, helped users identify sensitive information, summarize relevant sections, and surface potential risks. Users rated it accessible and effective.

Chat-based interfaces that let users ask specific questions about a policy, rather than reading it linearly, are a real improvement in the experience of engaging with these documents. I don't want to understate that.

But here's the tension I keep coming back to: these tools help users navigate bad documents. They don't fix the documents. An organization that relies on AI comprehension aids while continuing to publish opaque policies has outsourced a problem of its own making. And the risk calculus is changing. As AI tools raise the floor for user comprehension, the gap between what users now understand and what the underlying practices actually are becomes more visible, not less. Users helped by an AI assistant to understand a policy will, increasingly, notice when the practice described fails to match what they expected.

Better writing eliminates that exposure. AI tools, for now, manage it.

Why clearer data communication translates into measurable trust and engagement

Research consistently finds that users who believe they understand a privacy policy trust the organization behind it more. That relationship holds across company types and user segments — comprehension appears to drive trust, not merely correlate with it.

The State of Digital Trust 2025 report, surveying 10,000 frequent internet users across Europe and the United States, found that 42% read consent banners often or regularly before sharing data. That number is larger than most organizations expect when designing for passive click-through. Rising digital literacy means more users are prepared to engage, when the experience actually invites them to. The same report found that 46% of users accept cookies less often than they did three years ago. Passive acceptance is declining. Informed consent is increasingly what organizations are actually competing for.

First-party data collected with genuine transparency is more durable than data extracted through complexity or dark patterns. Personalization built on it doesn't need to be re-litigated every time a user becomes more sophisticated about their rights. The relational capital is sturdier because the foundation is honest.

The transparency paradox is real, but I think it's frequently misread. Plain language only reduces trust when it reveals practices users would find objectionable if they understood them. That's not an argument against clarity. It's an argument that clarity and defensible practices have to move together. The Forbes expectation, articulated as recently as late 2025, is that organizations tell people exactly what they do with data, why, and what users get in return. Plain language is the mechanism by which that expectation can be met.

The organizations that get there first won't just be more compliant. They'll be more trusted. And in a landscape where trust is the variable that determines whether users engage or abandon, that's not a small advantage.

Sources

  1. techxplore.com
  2. dl.acm.org
  3. sciencedirect.com
  4. usableprivacy.org
  5. arxiv.org
  6. arxiv.org
  7. centerforplainlanguage.org
  8. gdpr-info.eu

More in User Trust & Transparency