87% of VPN privacy policies are too complex for the average American – and that's a problem
A majority of the VPNs we analyzed had a readability level above the national average
Let's face it, nobody likes reading privacy policies. It's about as far from a "fun" activity as you can get. But they contain important information about your personal data and how it's used by websites, companies, apps, and services.
For privacy tools like the best VPNs, these policies are doubly important. They detail how a VPN company protects your data, what it does and doesn't collect, and how it upholds its no-logs policy – if it has one.
But how many VPNs actually make these policies clear and easy to read? Unfortunately, the answer is not many.
Tom's Guide analyzed the privacy policies of some of the biggest names in the VPN industry and found that 87.5% were above the reading age of the average American. The number of sentences varied dramatically, and numerous VPNs had privacy policies with a significant number of sentences deemed "hard to read."
This is a problem, as it means millions of people are at a disadvantage when it comes to fully understanding how their data is used. Complex privacy policies can also put people off reading them entirely.
At Tom's Guide, we encourage people to read and understand all types of privacy policies, especially those of VPNs. So, let's examine a bunch of VPN privacy policies and see which are the most readable.
Key stats at a glance
- Only 12.5% of VPN privacy policies analyzed were written accessibly for the average American
- 40.6% of sentences in the average VPN privacy policy were hard to read
- VPN privacy policies had an average of 195 sentences
- The average VPN privacy policy contained 51.4 "very hard to read" sentences
- The average VPN privacy policy contained 30.1 "hard to read" sentences
- The shortest VPN privacy policy had 19 sentences
- The longest VPN privacy policy had 422 sentences
- The privacy policies of Windscribe, TunnelBear, and AmneziaVPN were the easiest to read
- The privacy policies of CyberGhost and IPVanish were the hardest to read
- Surfshark was the only VPN to provide a summary of the information at the start of each section
This sheet details our full data set.
Privacy Policy Analysis
Three VPNs have readable privacy policies
Data suggests that the average American reads at a 7th-8th grade level – around the final year of middle school in the US (age 13-14).
For our analysis, we have taken Grade 8 as the US average, and used the Hemingway Editor's readability checker to assess the readability of VPN privacy policies. As well as the readability level, we recorded the number of "very hard" and "hard" to read sentences.
Hemingway can sometimes treat lists and headings as sentences, making the sentence count figure higher. However, all VPN privacy policies were subject to the same tests, ensuring a fair and reliable analysis.
We analyzed the privacy policies of 24 VPNs. These included NordVPN, Surfshark, ExpressVPN, Proton VPN, Mullvad, and Windscribe.
The full list of VPNs can be found on our data sheet.
Only three VPNs had a readability level of Grade 8 and below – 12.5%. These three were Windscribe (Grade 7), AmneziaVPN (Grade 8), and TunnelBear (Grade 8).
Windscribe recorded the lowest grade level out of all the VPNs on this list. Its privacy policy is short, clear, and easy to read. It doesn't overwhelm you with "legalese," and it only contains a total of 46 sentences according to Hemingway.
Of those 46 sentences, four were deemed very hard to read and 10 were deemed hard to read.
AmneziaVPN and TunnelBear's privacy policies were both rated at a Grade 8 level. Their privacy policies were significantly longer than Windscribe's, with AmneziaVPN's policy totalling 155 sentences and TunnelBear's totalling 352 – the fourth highest overall.
Three VPNs had privacy policies slightly above the average US literacy level. The privacy policies of Mullvad, NymVPN, and FastestVPN were deemed to be at Grade 9 level (ages 14-15).
Mullvad's privacy policy had 70 sentences, with 32.9% of those rated as very hard or hard to read. 32.2% of the sentences in NymVPN's privacy policy were very hard or hard to read, out of a total 174 sentences.
Grade 10 was the literacy level that encompassed the largest single number of VPN privacy policies – eight in total. Grade 10 is typically the sophomore year of high school, covering the ages 15-16.
The eight VPNs with Grade 10 privacy policies were:
- AdGuard VPN
- EventVPN
- Hide.me
- Obscura VPN
- PrivadoVPN
- PureVPN
- VPN – Super Unlimited Proxy
- VyprVPN
The length of these policies varied. Obscura VPN's 50-sentence privacy policy was the third-shortest overall, while VPN – Super Unlimited Proxy's 422-sentence privacy policy was the longest out of the 24 VPNs.
None of our top five VPNs have privacy policies below Grade 11
It's worth noting that none of the five VPNs featured in our best VPN guide have been mentioned so far. NordVPN, Surfshark, ExpressVPN, Proton VPN, and PIA all have privacy policies that are Grade 11 or above. Known as the junior year, Grade 11 covers 16-17 year olds.
NordVPN, Surfshark, and Proton VPN were all rated as Grade 11, and were three of the six VPNs at this level.
At 19 sentences, Proton VPN's privacy policy was the shortest of the 24 VPNs. However, it is a "sub-policy" of the larger Proton Privacy Policy.
NordVPN's privacy policy was more comprehensive, totalling 107 sentences – but 50.5% of these were very hard or hard to read. Given NordVPN is a hugely popular VPN, this is a disappointing figure.
Surfshark's privacy policy contains a whopping 346 sentences, with 56.4% of them very hard or hard to read – the highest percentage of any VPN analyzed.
Again, this is disappointing. However, a significant amount of the policy is formatted in tables. We converted these tables to sentences in our testing to enable fair comparisons – so this could account for Surfshark's high number.
We preferred the table layout to straight sentences, and the use of tables helps to mitigate the text's difficulty. So, although Surfshark's privacy policy is lengthy, it makes up for this with its formatting.
What Surfshark also does well is provide a simple, clear summary at the start of each section. This covers key details and need-to-know information, meaning you don't always have to trawl through the "legalese." This is something we'd like to see more VPNs adopt.
The privacy policies of ExpressVPN and PIA were rated as Grade 12 – the highest rating for any of our top five VPNs. Grade 12 refers to the final year of high school, where students are aged 17-18. Both saw at least 50% of the sentences in their privacy policies rated as very hard or hard to read.
VPN | Grade | No. sentences | % very hard or hard to read | No. very hard to read sentences | No. hard to read sentences |
NordVPN | 11 | 107 | 50.5% | 35 | 19 |
Surfshark | 11 | 346 | 56.4% | 103 | 92 |
ExpressVPN | 12 | 322 | 51.6% | 111 | 55 |
Proton VPN | 11 | 19 | 36.8% | 7 | 0 |
PIA | 12 | 191 | 50.3% | 67 | 29 |
Grade 13 was the highest rating
Two VPN privacy policies were deemed to be at Grade 13 level. There's no set age bracket for Grade 13, but it is sometimes seen as an "early college" year following graduation from high school (18+ years old).
IPVanish and CyberGhost's privacy policies were deemed to be Grade 13 level. Again, at least 50% of their privacy policies were seen as very hard or hard to read. CyberGhost's hard-to-read rating of 53.4% was the second highest overall.
Hard-to-read sentences
How easy a privacy policy is to read is more important than its length. Users should be able to clearly understand what they're reading, and how their data is being used.
TunnelBear's privacy policy was the easiest to read, with only 22.2% of its sentences deemed very hard or hard to read. EventVPN and AmneziaVPN also scored well, with hard-to-read scores of 22.6% and 23.2% respectively.
Eight VPNs had privacy policies where 30-40% of sentences were hard to read. These included Windscribe, Proton VPN, and Mullvad.
However, seven of the biggest VPNs have privacy policies where the majority (50-60%) of the text is hard to read. These VPNs are:
- CyberGhost
- ExpressVPN
- IPVanish
- NordVPN
- PIA
- PrivadoVPN
- Surfshark
Of the 24 VPNs analyzed, 17 VPNs had privacy policies where the majority was easy to read. Seven VPNs had privacy policies where the majority was hard to read.
Simplicity vs Comprehensiveness
There is a debate to be had between the need for simplicity and the need for comprehensiveness when it comes to VPN privacy policies. Having a policy that is too simple risks omitting important information relating to user data privacy. But overly long privacy policies are less likely to be read.
What our analysis shows, however, is the need for privacy policies to be easy to read – regardless of their length.
TunnelBear has 352 sentences in its privacy policy, but only 22.2% are hard to read. On the flip side, PrivadoVPN only has 93 sentences, yet 51.6% are hard to read.
Larger VPNs likely want, and need, to cover more bases in their privacy policies due to the size of their companies and number of users. The fact that policies have to cover additional cybersecurity features, such as NordVPN's Threat Protection Pro or Surfshark's Alternative ID & Alternative Number, could be another reason for the excessive length. But this is no excuse for making these policies overly hard to read.
Most of the major VPNs we analyzed have privacy policies that are both too long and too complex. Surfshark is the only major VPN to provide summaries of each section of its policy, and it heavily relies on the use of tables. We'd like to see more VPNs follow suit and give users the option to read the full policy or a summary.
Thanks to waves of age verification laws and a rise in internet censorship, millions around the world will be turning to VPNs for the first time. If privacy policies are too hard to read, people won't have a complete understanding of how their data is used. This may lead to assumptions and confusion, and potentially pose a risk to their data.
Now is the perfect time for VPN companies to review their privacy policies, making them easier to read while still detailing the important data privacy information users need to know.
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights and censorship, and its interplay with politics. Outside of work, George is passionate about music, Star Wars, and Karate.
