Self-Regulation and Competition in Privacy Policies

I investigate alternative explanations for the content of privacy policies. Under one model of self-regulation, firms signal their privacy protections to consumers by highlighting compliance with third-party guidelines. However, in a sample of 249 policies, only 27 percent claim compliance with a specific guideline, and the policies that do claim compliance with at least one guideline are generally inconsistent with its requirements. Alternatively, under a market-based mechanism, firms incorporate consumers’ preferences directly. Consistent with this influence, there are several intuitive differences in terms across markets. Adult sites—none of which claim certification—are much more likely to give concise and clear notice of privacy practices and limit data sharing with third parties, while cloud-computing sites are particularly likely to follow stringent data security standards. Overall, privacy policy content appears to be shaped at least as much by market forces as by a self-regulatory regime based on external guidelines.

[1]  Peter P. Swire Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information, in Privacy and Self-Regulation in the Information Age by the U.S. Department of Commerce. , 1997 .

[2]  Jerry Kang Information Privacy in Cyberspace Transactions , 1998 .

[3]  M. Culnan Protecting Privacy Online: Is Self-Regulation Working? , 2000 .

[4]  Paul M. Schwartz,et al.  Internet Privacy and the State , 2000 .

[5]  Anthony D. Miyazaki,et al.  Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions , 2002 .

[6]  Michael D. Smith,et al.  Protecting Personal Information: Obstacles and Directions , 2005, WEIS.

[7]  Robert LaRose,et al.  Your privacy is assured - of being disturbed: websites with and without privacy seals , 2006, New Media Soc..

[8]  Chris Jay Hoofnagle,et al.  Research Report: What Californians Understand About Privacy Offline , 2008 .

[9]  I. Rubinstein Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes , 2010 .

[10]  Benjamin Edelman,et al.  Adverse selection in online "trust" certifications and search results , 2011, Electron. Commer. Res. Appl..

[11]  Deirdre K. Mulligan,et al.  Privacy on the Books and on the Ground , 2011 .

[12]  Ralf Lämmel,et al.  Understanding privacy policies , 2012, Empirical Software Engineering.

[13]  Alessandro Acquisti,et al.  Silent Listeners: The Evolution of Privacy and Disclosure on Facebook , 2013, J. Priv. Confidentiality.

[14]  Daniel J. Solove,et al.  The FTC and the New Common Law of Privacy , 2013 .

[15]  Tal Z. Zarsky Transparent Predictions , 2013 .

[16]  Siona Listokin Industry Self-Regulation of Consumer Data Privacy and Security, 32 J. Marshall J. Info. Tech. & Privacy L. 15 (2015) , 2015 .

[17]  Federal Trade Commission Privacy Law and Policy , 2016 .