That law/regulation would seem difficult for a court to uphold – e.g. a company being diligent and detailed in explaining its complicated policies, but getting dinged when someone is misled by their arbitrarily word-count-limited summary. But in any case, the example provided by the article does have a top summary [0] (it's the very prompt that the author investigates). And the individual line item settings are each summarized in a single sentence [1].
That said, the actual example summaries given seem to IMHO make a case for mandating specific and explicit language, akin to the "Surgeon General's" warning text on cigarette packs, to accompany whatever euphemistic language companies continue to use. We're far enough into the Internet age to be pretty confident that the vast majority of people just do not and cannot comprehend that "We use cookies to improve the site, measure performance, understand our audience, enhance our experience and provide you with advertising based on your browsing activities" means actual tracking.
Not a summary, the whole legally binding thing. But I'd allow 280 characters.
It would be good to define some phrases in the law that then have unambiguous legal meaning so that privacy policies don't have to spend time defining things in full.
I like the open source license pattern. Anyone can make any agreement they want, but most of the time you just need to see "Apache" or "GPL" and you know the deal. And when you see a new one you wonder what exactly is going on here.
But really, most of the time the cookie deal is "do you agree to have all kinds of information gathered about you and sold at will to other companies, our future management, and mysterious government entities in perpetuity, in exchange for seeing a few cat pictures? oh, and also we can make this even more unfair at any time without your agreement." They really should just be illegal, period.
> Why not have a law that your policy must have a summary that is less than 140 characters long?
Not as explicit as 140 characters, but it's already covered by the GDPR.
From the preamble, paragraph 32:
> If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
From article 7, paragraph 2:
> 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.