Policy pages may not feel like the most thrilling pages to create or update. However, people do read them when they have questions. When these pages are poorly designed, they erode trust and lead to the impression that the company cares more about freedom from liability than about the wellbeing of its customers.

Definition: A policy page (also known as legal-policy page or policy-disclosure page) is dedicated to disclosing company policies, terms, or agreements by which the company and customer must abide in order to provide, maintain, or continue a service.

Common policies include (but are not limited to):

  • Terms of service (also known as terms of use)
  • Privacy policies
  • User agreements
  • End-user licensing agreements
  • Service-level agreements
  • Disclaimers
  • Liability waivers
  • Return or refund policies
  • Seller or partnership policies
  • Content-creation or sharing policies

Policy pages typically have the following content elements:

  • An overview of the policy or statement
  • A table of contents for the policy’s sections
  • Headers for specific sections
  • Links to policy subsections or related policies

Why Policy Disclosures Matter 

First, certain policy disclosures are required by law. For example, the US Federal Trade Commission (FTC), which governs advertising, marketing, and sales online in the US, requires that disclosures are presented “clearly and conspicuously” and that the language of the disclosure is understandable to the intended audience. It also explicitly states that “disclosures should not be relegated to ‘terms of use’ and similar contractual agreements.”

There is a running joke in online communities that “I have read and agree to these terms and conditions” is the single most commonly told lie. This joke may carry some weight given that only 20–28% of the words on any web page are read at any given time and that many people simply don’t bother even scanning the policy pages. However, every now and then, users do need to read policy pages in search of answers to specific questions about the service, their data, and the communities with which they engage. As for abiding by laws, can we truly say we have informed our customers if they are unable to read the policies we disclose? If we wish to advocate for users, we need to ask ourselves whether these policies (and their pages) are user-centric.

Research Methodology

In order to understand how people find and respond to these types of pages, we conducted a remote moderated usability study on desktop and mobile devices, using a think-aloud protocol. Participants completed a series of stepped tasks (to avoid priming the user) and open-ended tasks, which enabled us to understand users’ mental models, determine discoverability and findability of these pages, and also assess readability and overall sentiment. People in UX, design, legal, and other IT roles were excluded from the study in order to avoid biased responses.

Research Findings: 5 Common Mistakes

Here are some common mistakes we’ve observed both during this study and in previous user studies on privacy-policy and terms-of-service pages, and how to avoid them.

1. Unreadable language that is either too vague or too complex

Policy disclosures are typically either created by legal teams or drafted from templates found on the web. As a result, many policy disclosures end up phrased vaguely and broadly or have particular phrasing intended to minimize potential liability. While these statements may meet specific legal requirements, they are rarely written in plain language.

During our studies, users felt that these pages were hiding important information and were not written for them, but for “other lawyers.” On one privacy-policy page, one user mentioned, “It seems like it’s meant for who knows what to look for because they’ve experienced privacy violations before.”

Much like how complex “legalese” terms give the impression of hiding information in plain sight, overly vague wording can also lead users to believe the company is lying by omission or deliberately avoiding or dismissing important user concerns, which include:

  • What behavior is and is not permitted
  • What personal data is collected and why it’s needed
  • Which shared data can be withdrawn or secured
  • How data is used and stored
  • Who has access to this data

Comments about lying by omission came up multiple times during our study, and most commonly arose in the third-party data collection sections. In these sections, users expected to find specifics: who the third parties are, what kind of data is shared with them, and where to find their policies.

To avoid this mistake: Write in plain language whenever possible. While it may not be feasible to completely remove all legal jargon or phrasing, a plain language summary or “translation” of the section can reassure confused users. When possible, give specific illustrative examples of how each policy or subpolicy impacts the user.

Even better: Display the plain-language version of your policy more prominently than the “legalese” version and provide a link to the appropriate section of the full legal-policy statement (not just the top of the whole statement). As for providing examples, be as specific as possible. Consider adding a full list of third-party partners and links to their own respective privacy policies.

Screenshot of Ameren's Privacy Policy Page
One user commented on the vague language in Ameren’s privacy statement saying that, “It is so big and so loose, it basically says ‘We can do anything we want.’”
Screenshot of LinkedIn's Privacy Policy Page
While LinkedIn’s legal policy does include some legal phrasing, it also includes a written, plain-language summary and link to a video summary, along with plain-language “translations” throughout the page. This strategy avoids the overwhelming and complicated legalese with which most other policy disclosures lead.

2. No high-level summaries of important information

Users tend to look for different information in different policies, but for every policy, users expected to find a high-level overview of the policy, how recently the policy was updated, and what the most recent updates to the policy were. For example, in every study, we observed that participants expected the Recent Changes section to include a summary of recent changes, not just information on how changes are handled or communicated. They felt disappointed when the list of recent changes wasn’t shown (which was the case for most of the sites studied). Study participants also greatly appreciated high-level bulleted lists for policy or subpolicy details rather than lengthy paragraphs.

To avoid this mistake: Keep a high-level summary of the policy at the top of the policy page, written in plain language. Include information about what the policy pertains to, who the policy is intended for, and what key points can be found in the policy. Add the date of the last update and the date when the policy became effective.

Even better: Consider including a video summary in addition to a written one. Provide summaries of the most recent changes to the policy (or indicate that there are no changes); don’t just announce when it was updated. You may also want to determine the specific policies that might be important to your audience and visually prioritize them on your policy page.

Screenshot of eBay's Rules and Policy Page with Listed Subpolicies
eBay has a dedicated page for all its policies and legal disclosures with brief overviews for what users can expect to find in each specific policy. This page was received positively by one of our research participants. “It’s all pretty easy. It certainly has all the different topics that would be interesting… It would answer all your questions on that page.”
Screenshot of Forever21's Terms of Use Page
Large blocks of text with no high-level summaries, like this example on Forever 21’s website, were often received poorly by users, dismissed as “for lawyers” or “for someone who knows what they’re looking for.” 

3. Poor formatting

Policy pages tend to violate good text formatting, by using:

  • Small text
  • Large, unbroken paragraphs
  • Narrow column widths
  • All-caps sentences/paragraphs

While poor formatting can be found on both desktop and mobile policy pages, formatting is naturally more challenging with less screen real estate, so complaints are more likely to arise on mobile versions of your policy pages.

While both Instagram’s and Spotify’s policies were well-formatted on desktop, certain styling choices did not render well on mobile. The long, narrow text columns on Instagram’s mobile privacy policy (left) wasted space and made the page longer than it needed to be. On Spotify’s Terms and Conditions page (right), one user commented “Why is this all capitals? I don’t understand that…”

When users encountered poor formatting, they assumed that the page was carelessly or mindlessly put together. One study participant commented, “This looks copied and pasted from some legal document.” Others felt that small text indicated something nefarious, like the company hiding information from its customers.

To avoid this mistake: Use a minimum of 14pt font, bold important phrases and headlines, use sentence case, and avoid run-on sentences. Check that your pages render well on all screen sizes. Paragraphs of all upper-case letters are less readable than sentence-case paragraphs, not to mention that “THEY CAN BE PERCEIVED AS YELLING.”

Even better: Progressively disclose relevant content via accordions or multiple levels of pages, rather than displaying it all at once.

Mobile and Desktop Screenshots of Google's Privacy and Terms Pages
Google’s mobile (top) and desktop (bottom) privacy-policy pages were received positively by our study participants. While some users expressed some trepidation about the amount of data the company had, none of them mentioned the length or complexity of the policy, and often remarked on how “easy” to understand and “straightforward” the policy was.

4. Lack of functional navigation

Many of the policy disclosures studied did not include a functional table of contents or links to specific sections of the policies. This was problematic because most users were looking for specific pieces of information instead of being interested in the entire policy disclosure. For example, one user was okay with having cookies used, but not with unknown “third-party partners” accessing his information. Not being able to easily access these specific items gave the impression that the policy was complicated or that the information wasn’t transparent.

To avoid this mistake: Use a detailed and functional table of contents with links to specific sections of the policy. Users reacted positively to having the ability to see all of the policy in one place. It gave a sense of transparency without having to read the entire policy.

Even better: Show this table of contents in the left rail, as a navigational pane. Consider deferring specific or technical details to secondary pages and linking to these pages from the main page.

Screenshot of Eventbrite's Terms Page
Eventbrite’s Legal Terms page was organized first by audience, then by topic, which helped participants understand exactly for whom each policy was intended.
Screenshot of Eventbrite's Privacy Policy Page
While Eventbrite’s Terms page was well-organized by audience and topic, the in-page table of contents for their privacy policy, while functional, offered no information scent, and it was impossible to navigate in a meaningful way.

5. Information not displayed in expected locations

The FTC guidance for disclosure statements is that they appear near any claim that they relate to. For example, when users sought information about how their data was managed, they often looked to the Settings or Preferences section of the site, hoping to find summaries of this specific policy information — probably because they expected to have control over what is shared outside of the organization. When they found the links to the privacy policy and terms of service on these pages, they often felt the company was being transparent. Users also expected dense policy information to appear in the footer. When, for various reasons, they did not find it there, people resorted to external search engines to find it. Unfortunately, this behavior was often suboptimal for the company, because it caused them to leave the site or app or find an incorrect answer from an external or unreliable source. In some cases, users gave up and assumed the policy simply did not exist in the interface.

To avoid this mistake: Keep a consistent footer on all pages of your site and include your policy information in it. If there is no footer, make it available in the Settings and Preferences section of your interface.

Even better: Don’t just link to the main policy in the Settings or Preferences page, but also link to the specific subsection of the policy. In this case, the redundancy is helpful and necessary. For example, if the policy pertains to the specific reasons why mobile notifications are sent, consider showing a summary of the policy and link to the specific policy section on the notification-settings page.

ClearCare Web App Screenshot
Clear Care web app: A study participant struggled to find a privacy policy because the app did not have a utility footer in a logged-in state. After some exhaustive inspection, she resorted to search. She ended up on a page on best practices, but did not locate the official policy.
Four Screenshots of different pages of Facebook's Application with links to the privacy policy.
When users in our study tried to access Facebook’s privacy policy, they could do so through multiple routes: through the main menu (top left), via the Settings menu (top right), and on the top (bottom left) and bottom (bottom right) of the Privacy Shortcuts page.

How to Evaluate Policy Pages

As with many things, the best way to evaluate policy pages is through usability testing. The same rules as always apply: recruit representative users, ask them to perform representative tasks, and avoid biasing their behavior by mainly keeping quiet during the test. Here, “representative tasks” will usually be to ask users to find the answers to common questions. You can see whether they can find those answers and whether they interpret them correctly.

Besides user testing, you can also use specialized tests of content legibility, readability, and comprehension, including automatically generated readability scores. It can also be useful to conduct targeted studies of the credibility of your policy content and whether it hurts customers’ trust in your organization.

Conclusion

It’s easy to simply “check the box” on legal-policy disclosures, but failing to craft well-designed policy disclosures is a missed opportunity. Many users are uneasy about these policies and feel that companies are hiding something when they are written in a complex manner. The companies that explain their policies well reassure users and bolster confidence in their products and services. Transparency may seem like a frightening prospect for organizations, but it is one of the few key strategies that distinguish average organizations from those that are truly user-centered.