Self-Regulation and Competition in Privacy Policies

I investigate alternative explanations for the content of privacy policies. Under one model of self-regulation, firms signal their privacy protections to consumers by highlighting compliance with third-party guidelines. However, in a sample of 249 policies, only 27 percent claim compliance with a specific guideline, and the policies that do claim compliance with at least one guideline are generally inconsistent with its requirements. Alternatively, under a market-based mechanism, firms incorporate consumers' preferences directly. Consistent with this influence, there are several intuitive differences in terms across markets. Adult sites-none of which claim certification-are much more likely to give concise and clear notice of privacy practices and limit data sharing with third parties, while cloud-computing sites are particularly likely to follow stringent data security standards. Overall, privacy policy content appears to be shaped at least as much by market forces as by a self-regulatory regime based on external guidelines.