Florencia Marotta-Wurgler of NYU has written Understanding Privacy Policies: Content, Self-Regulation, and Markets. Here is the abstract:
The current regulatory approach to consumer information privacy is based on a “notice and choice” self-regulation model, but commentators disagree on its impact. I conduct a comprehensive empirical analysis of 261 privacy policies across seven markets and measure the extent to which they comply with the self-regulatory guidelines of the Federal Trade Commission (FTC), US-EU Safe Harbor Agreement, and others. I track terms involving notice, data collection, sharing, enforcement, security, and other practices, and create a measure of substantive protections. The average policy complies with 39% of the FTC guidelines issued in 2012, and there is no evidence that firms have updated their policies in response to these guidelines. Terms that require firms to bear costs or constrain their behavior are less likely to be included. Protections vary widely across markets, however: Adult sites offer the clearest notice of practices and report less data collection and sharing than other sites, while cloud computing firms report more extensively on data security practices. Overall, the results suggest that privacy policies are being shaped as much by market forces as by the current regulatory regime.