Understanding Privacy Policies: Content, Self-Regulation, and Markets

Florencia Marotta-Wurgler
New York University School of Law

January 3, 2016

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2736513

NYU Law and Economics Research Paper No. 16-18

Abstract:     
The current regulatory approach to consumer information privacy is based on a “notice and choice” self-regulation model, but commentators disagree on its impact. I conduct a comprehensive empirical analysis of 261 privacy policies across seven markets and measure the extent to which they comply with the self-regulatory guidelines of the Federal Trade Commission (FTC), US-EU Safe Harbor Agreement, and others. I track terms involving notice, data collection, sharing, enforcement, security, and other practices, and create a measure of substantive protections. The average policy complies with 39% of the FTC guidelines issued in 2012, and there is no evidence that firms have updated their policies in response to these guidelines. Terms that require firms to bear costs or constrain their behavior are less likely to be included. Protections vary widely across markets, however: Adult sites offer the clearest notice of practices and report less data collection and sharing than other sites, while cloud computing firms report more extensively on data security practices. Overall, the results suggest that privacy policies are being shaped as much by market forces as by the current regulatory regime.

Number of Pages in PDF File: 43

Keywords: privacy, privacy policy, standard form contracts, boilerplate, safe harbor, FTC

JEL Classification: D12, D18, K00, K12, L81

Open PDF in Browser
Download This Paper
Date posted: April 5, 2016 ; Last revised: May 4, 2016