Codify — Article

TLDR Act (SB915): Mandatory short-form terms, data-flow diagram, and machine-readable TOS

Requires commercial websites and online services to publish accessible short-form summaries, graphic data-flow diagrams, and tagged terms in an interactive data format—FTC to write rules within 360 days.

The Brief

The TLDR Act directs the Federal Trade Commission to promulgate rules within 360 days requiring covered entities that operate commercial websites or online services to publish three things on their permanent terms‑of‑service (TOS) page: (1) a truthful, non‑misleading short‑form summary statement designed for low literacy and accessibility needs; (2) a graphic data‑flow diagram that shows how user sensitive information is shared; and (3) the full TOS in an interactive, machine‑tagged data format.

The bill prescribes specific summary content (categories of sensitive information collected, what is required for core service vs optional features, user rights transferred, reading time, deletion instructions, and a three‑year breach list), requires accessibility and machine‑readability features, and treats violations as unfair or deceptive practices enforceable by the FTC and by State attorneys general (parens patriae actions for at least 1,000 residents). For compliance officers and product teams, the TLDR Act standardizes disclosure location and format while creating concrete tagging, accessibility, and auditability obligations that will affect legal, engineering, and UX resources.

At a Glance

What It Does

The bill requires covered entities to publish on their permanent terms‑of‑service page: (1) a short, accessible summary statement; (2) a graphic data‑flow diagram immediately below the summary; and (3) the full TOS tagged in an interactive data format. The FTC must issue rules and guidance within 360 days to implement these requirements.

Who It Affects

Websites and online services operated for commercial purposes (excluding entities that qualify as a small business under the Small Business Act). Affected teams include legal/compliance, UX/product, engineering (for machine tagging), and third‑party vendors that receive or process sensitive information.

Why It Matters

The law would set a federal, standardized presentation for TOS disclosures, shifting practical compliance from buried prose to structured summaries and machine‑readable tags. That creates both operational costs (tagging, icons, diagrams) and potential enforcement exposure, while increasing transparency for consumers and accessibility for low‑literacy and disabled users.


What This Bill Actually Does

The TLDR Act tasks the Federal Trade Commission with creating binding rules within 360 days to force clearer, standardized TOS disclosures. Covered entities must place a short‑form terms summary at the top of their permanent TOS page and a graphic data‑flow diagram directly beneath it; the full TOS must also be made available in an interactive, machine‑tagged format.

The statute leaves layout flexibility by device but requires the summary to be machine readable and accessible to people with low literacy and disabilities, and to incorporate visual aids such as tables, icons, hyperlinks, or other Commission‑specified means.

The statute lists specific items the short summary must include: categories of sensitive information processed; which sensitive data are necessary for basic service vs optional features or future development; any legal liabilities or rights a user transfers (for example mandatory arbitration, class‑action waivers, or licensing/sale of user content); historical TOS versions and change logs; user deletion directions; a three‑year list of reported data breaches; and an estimate of reading effort (word count and approximate read time). The bill also delegates to the FTC the power to add additional required items by rule.

For the graphic data‑flow diagram, the FTC must publish guidance within the same 360‑day period telling covered entities how to graphically show sharing with subsidiaries, affiliates, and third parties.

For interactive data format requirements, the statute explicitly contemplates a standardized tagging scheme (examples include XML) so that discrete pieces of information in the TOS — the sensitive information categories and other enumerated items — can be programmatically identified and consumed.

Enforcement is twofold: the statute treats violations as unfair or deceptive acts under the FTC Act, making them enforceable by the Commission with the full range of FTC remedies; it also authorizes State attorneys general to bring parens patriae civil actions on behalf of at least 1,000 residents, subject to notice to the Commission and the Commission’s right to intervene. The bill excludes “small business concern” entities as defined by the Small Business Act from the definition of covered entity.

Definitions in the statute clarify key terms including “sensitive information,” “interactive data format,” “process,” and “moral rights.”

The Five Things You Need to Know

1. The FTC must issue rules and guidance within 360 days of enactment to implement the short‑form summary, graphic data‑flow diagram, and interactive data‑format tagging requirements.

2. The short‑form summary must appear at the top of the permanent TOS page; the graphic data‑flow diagram must be located immediately below that summary.

3. The summary must enumerate categories of sensitive information processed, distinguish data required for basic service from data used for optional/future features, list legal rights transferred (e.g. arbitration, content licensing), provide deletion directions, include change logs and historical TOS versions, and list breaches reported in the prior three years.

4. The full TOS must be published in an interactive data format with portions of the TOS tagged using a standardized interactive data standard (the statute cites XML as an example) so pieces of information are machine‑identifiable.

5. Violations are treated as unfair or deceptive acts enforceable by the FTC, and State attorneys general may bring parens patriae suits on behalf of at least 1,000 residents; the Commission may intervene in state actions and retains its other statutory authorities.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2(a)

360‑day FTC rulemaking: three required disclosures

This subsection compels the FTC to issue rules under the Administrative Procedure Act within 360 days. The rules must obligate covered entities to publish (1) a truthful, non‑misleading short‑form TOS summary, (2) a truthful, non‑misleading graphic data‑flow diagram, and (3) the full TOS in an interactive data format. Practically, this gives the FTC rulemaking authority to set technical and presentation standards (icon sets, machine‑readability, hyperlinks, etc.) during the rule stage and to determine enforcement contours through its existing UDAP authority.

Section 2(c)

Minimum content and accessibility requirements for the summary

This subsection enumerates mandatory elements for the short‑form summary: categories of sensitive information, what data are essential versus optional, summaries of legal liabilities and transferred rights, historical versions and change logs, deletion instructions, a three‑year breach list, and a reading‑effort metric (word count and approximate reading time). It also requires accessibility (for low literacy and disabilities) and machine readability, and allows the FTC to require tables, icons, hyperlinks or other means and to add further required items by rule. For compliance teams, this is a prescriptive content checklist that will drive legal reviews and UX design.

Section 2(d)–(e)

Graphic data‑flow guidance and interactive tagging mandate

The FTC must publish guidelines on how to graphically show sharing with subsidiaries, affiliates, and third parties and must separately issue rules requiring that TOS text be tagged in an interactive data format. The statute defines interactive data format to include an XML‑style tagging approach: each required piece of information in the TOS should be programmatically identifiable. That raises implementation work for engineering teams (schema design, legacy content tagging, internationalization) and creates opportunities for standardized APIs and third‑party tooling to consume TOS metadata.
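The tagging mandate in Section 2(d)–(e) (and the same point in the overview above) is the one part of the bill an engineering team can prototype before the FTC writes its rules. The example below is added for this article; it is not code from the bill, the FTC, Codify, or any published standard. It assumes an illustrative tag set (`tos`, `summary`, `reading-effort`, `sensitive-information/category` with a `purpose` attribute, `rights-transferred`, `deletion-directions`, `change-log`, `breaches/breach`) and shows how a tagged TOS could be audited against the summary checklist: required elements present, every sensitive category marked core vs optional, the declared word count recomputed from the tagged body, and breaches filtered to the prior three years. The sample document is constructed and deliberately contains two defects so the audit has something to report.

```python
"""Audit a hypothetical XML-tagged terms-of-service (TOS) document against
the TLDR Act's short-form summary checklist.

Tag names, attributes and the 10% word-count tolerance are ASSUMED for
illustration; the statute only cites XML as an example and leaves the
actual standard to the FTC.
"""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample document (assumed schema). Two deliberate defects:
# the 'biometrics' category has no purpose, and the declared word count
# does not match the body.
SAMPLE_TOS = """<tos version="2024-03-01">
  <summary>
    <reading-effort words="60" minutes="1"/>
    <sensitive-information>
      <category name="precise-geolocation" purpose="core-service"/>
      <category name="browsing-history" purpose="optional-feature"/>
      <category name="biometrics"/>
    </sensitive-information>
    <rights-transferred>
      <right>mandatory arbitration</right>
      <right>class-action waiver</right>
    </rights-transferred>
    <deletion-directions href="https://example.invalid/delete"/>
    <change-log>
      <version date="2023-06-01" href="https://example.invalid/tos/2023-06-01"/>
    </change-log>
    <breaches>
      <breach reported="2023-02-10">Credential-stuffing incident.</breach>
      <breach reported="2019-11-03">Misconfigured storage bucket.</breach>
    </breaches>
  </summary>
  <body>These terms govern your use of the service. By creating an account
you agree to binding arbitration and waive class actions. We collect precise
location to deliver core features and browsing history only if you enable
recommendations.</body>
</tos>
"""

# Summary children the statute's checklist calls for (assumed tag names).
REQUIRED_ELEMENTS = {
    "reading-effort": "estimate of reading effort",
    "sensitive-information": "categories of sensitive information",
    "rights-transferred": "legal rights or liabilities transferred",
    "deletion-directions": "user deletion directions",
    "change-log": "historical versions and change log",
    "breaches": "three-year list of reported breaches",
}
PURPOSES = {"core-service", "optional-feature"}
WORD_COUNT_TOLERANCE = 0.10  # assumed: declared count within 10% of actual


def word_count(text):
    return len((text or "").split())


def audit_tos(xml_text):
    """Return a list of findings; an empty list means the checklist passes."""
    root = ET.fromstring(xml_text)
    summary = root.find("summary")
    if summary is None:
        return ["summary element missing at top of TOS"]
    findings = []
    for tag, label in REQUIRED_ELEMENTS.items():
        if summary.find(tag) is None:
            findings.append(f"missing {tag}: {label}")
    # Each sensitive category must say whether it is needed for the core
    # service or only for optional features / future development.
    for cat in summary.iterfind("sensitive-information/category"):
        if cat.get("purpose") not in PURPOSES:
            findings.append(f"category '{cat.get('name')}' lacks core/optional purpose")
    # Reading effort is auditable: recompute the word count from the body.
    effort = summary.find("reading-effort")
    body = root.find("body")
    if effort is not None and body is not None:
        declared = int(effort.get("words", "0"))
        actual = word_count("".join(body.itertext()))
        if abs(declared - actual) > WORD_COUNT_TOLERANCE * max(actual, 1):
            findings.append(f"reading-effort declares {declared} words, body has {actual}")
    return findings


def breaches_in_window(xml_text, as_of_iso):
    """ISO dates of listed breaches reported within the three years before as_of."""
    as_of = date.fromisoformat(as_of_iso)
    try:
        start = as_of.replace(year=as_of.year - 3)
    except ValueError:  # 29 February: fall back to 28 February
        start = as_of.replace(year=as_of.year - 3, day=28)
    root = ET.fromstring(xml_text)
    reported = [date.fromisoformat(b.get("reported"))
                for b in root.iterfind("summary/breaches/breach")]
    return [d.isoformat() for d in reported if start <= d <= as_of]


if __name__ == "__main__":
    for finding in audit_tos(SAMPLE_TOS):
        print("FINDING:", finding)
    print("breaches in window:", breaches_in_window(SAMPLE_TOS, "2024-03-01"))
```

Run as a script, the audit reports the unlabelled `biometrics` category and the word-count mismatch, and only the 2023 breach falls inside the three-year window. The same structure is what a third-party consumer or an FTC auditor could run across many services once a real schema exists, which is the transparency gain the bill is after; the checks are mechanical only because the information is tagged rather than buried in prose.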

Section 2(f)–(g)

Enforcement, state actions, and definitions

Violations are treated as UDAP violations under the FTC Act, so the FTC can use its full enforcement toolkit (injunctions, civil penalties where authorized, restitution mechanisms). State attorneys general can sue as parens patriae on behalf of at least 1,000 residents, but must notify the FTC and allow Commission intervention; the statute specifies venue and service rules. The definitions section spells out covered entity (commercial websites/online services excluding Small Business Act small businesses), sensitive information categories (a broad list including health, biometrics, precise geolocation, SSNs, online browsing history, recordings, and protected characteristics), and other interpretive terms that will shape coverage and compliance scope.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers with low literacy and disabilities—because the bill requires machine‑readable, accessible summaries, icons, and diagrams that reduce reliance on dense legal prose and improve usability across devices.
  • Privacy‑minded users and civil‑society groups—because standardized disclosures, change logs, and a three‑year breach list increase transparency and make it easier to compare practices across services.
  • Small businesses that meet the SBA definition—because the statute expressly excludes small business concerns from the covered‑entity definition, leaving them outside the new disclosure obligations.
  • Accessibility and compliance tool vendors—because demand will increase for summary‑generation, tagging, diagramming, and automated TOS auditing tools that implement the FTC’s forthcoming standards.

Who Bears the Cost

  • Commercial online platforms and websites (non‑small businesses)—they must redesign TOS pages, develop machine‑tagging schemas, produce data‑flow diagrams, and maintain change logs and breach lists, requiring engineering and legal resources.
  • Legal and product teams—these groups must interpret requirements, make judgment calls about which data are ‘required’ versus ‘optional,’ and decide how to present legal waivers succinctly without creating new contractual obligations.
  • Service providers and affiliates—platforms will need to coordinate with suppliers and affiliates to map and disclose data flows, and third parties may face increased contractual requests for data‑handling details.
  • FTC and State attorneys general—while the FTC gains rulemaking and enforcement authority, states’ parens patriae powers and the Commission’s right to intervene will increase investigatory and litigation activity, creating resource demands for both federal and state enforcers.

Key Issues

The Core Tension

The central tension is between meaningful transparency and practical fidelity: the bill aims to simplify and standardize complex legal and technical disclosures so consumers can understand them, but simplification risks obscuring nuance and shifting legal disputes to whether a short summary is ‘truthful and non‑misleading.’ At the same time, implementing machine‑readable tagging and accurate data‑flow diagrams imposes substantial technical and coordination costs on covered entities, particularly for services with broad ecosystems of affiliates and third‑party processors.

The bill trades legal precision for consumer legibility, and that trade creates implementation questions. The defined list of “sensitive information” is broad (it includes online browsing history, audio/video recordings, and protected‑class attributes) and will require companies to make fine‑grained determinations about categorization, particularly where inferred attributes or aggregated behavioral signals are involved.

The statute delegates many hard choices to the FTC (presentation standards, iconography, what additional items to require), so the practical obligations will depend heavily on rule language and any subsequent guidance.

Technical challenges are nontrivial. Retrofitting legacy TOS into an interactive tagged format and designing a reliable, auditable data‑flow diagram across complex vendor ecosystems will require schema design, quality control, internationalization, and ongoing maintenance.

The bill exempts small businesses, but doesn’t set a revenue or user threshold beyond the SBA small‑business definition—companies near that threshold will face edge cases and potential lobbying pressure. The requirement to list breaches reported under existing Federal and State laws raises accuracy and timing problems and could create privacy or security concerns if breach descriptions are mishandled.

Finally, the statute disclaims creation of new contractual obligations for summary statements, but that raises enforcement questions: a misleading short summary triggers UDAP enforcement while the underlying contractual TOS may remain unchanged, potentially producing legal friction between summary disclosures and full contractual text.
