The 'TLDR Act' Forces Tech Companies to Summarize Terms of Service, Detail Data Breaches, and Map Data Flow

The newly proposed Terms-of-service Labeling, Design, and Readability Act—mercifully nicknamed the “TLDR Act”—aims to end the era of clicking “I Agree” to 50 pages of legalese you didn’t read. This legislation mandates that the Federal Trade Commission (FTC) create rules within 360 days requiring most for-profit online services to fundamentally change how they present their Terms of Service (TOS). Essentially, if you run a website or app that makes money, you’ll have to provide a short, clear summary of your TOS, a graphic diagram showing exactly how user data moves around, and make the full text readable by computers—all placed right at the top of the TOS page. This is a direct response to the fact that nobody, including lawyers, actually reads the full contract before using an app.

The Fine Print, Simplified: What the Summary Must Cover

This isn’t just about making the text shorter; it’s about forcing companies to be transparent on the key issues that actually matter to users. The required summary must cover specific, crucial details that most companies currently bury deep in the document. For instance, the summary has to clearly state whether you’re giving up your right to join a class action lawsuit or agreeing to mandatory arbitration. It also needs to list what “sensitive information” the company handles—and that definition is broad, covering everything from your precise location and health data to your online browsing history, even on sites the company doesn’t own. If you’ve ever wondered how to delete your data, the summary must now tell you exactly how to stop the company from using your sensitive information or how to request deletion, if that option exists.

The Data Flow Map and Breach History

One of the most powerful provisions is the requirement for a graphic diagram that visually maps out how your sensitive information is shared with subsidiaries, corporate affiliates, and third parties. Think of it like a subway map for your data: you can see exactly where it goes after you hit ‘submit.’ Furthermore, the summary must include a log of any data breaches reported to consumers over the last three years. This means if a company has a history of security lapses, that information will now be front and center, right next to the estimated reading time for the full TOS—a feature that will likely be humbling for some services.

New Teeth for Enforcement

Compliance with the TLDR Act will be treated as an unfair or deceptive practice under the Federal Trade Commission Act, giving the FTC its full investigative and enforcement powers. But the bill also gives a powerful new tool to State Attorneys General (AGs). If an AG believes a company’s non-compliance is harming at least 1,000 residents in their state, they can now sue that company in federal court. This dual enforcement mechanism means tech companies will be watched not just by federal regulators in Washington, but also by state officials closer to home. The only groups catching a break here are small businesses, which are specifically excluded from these new requirements, likely to avoid burdening them with the high compliance costs associated with overhauling their legal disclosure systems.