Little research exists measuring the effectiveness of privacy legislation as compared to self-regulation. As policy makers, advocates and industry groups debate new privacy legislation, empirical research on the effectiveness of existing privacy legislation is needed to help inform the debate.
We conducted a longitudinal study of the privacy policies posted online between 1999 and 2005 for 50 companies in the US financial industry. We analyzed these policies to determine how they changed over this time period and what changes were likely prompted by compliance requirements of the Gramm-Leach-Bliley Act (GLB) privacy rule. We also conducted a similar analysis of the privacy policies from 10 retailers over the same time period. The retailers were not subject to US privacy regulation and thus serve as a control group.
Our research shows that since the GLB Act has gone into effect, financial privacy notices are more complete; however, we have not found a significant change in the privacy choices offered to consumers. We observed that large banks and credit card companies minimally comply with GLB. While complying with the regulation, they are still able to collect large amounts of information about customers and share the information extensively with affiliates. They also take advantage of the exceptions provided by the law to share with third parties without giving consumers choices. Finally, we observe that choices about third party sharing offered by financial institutions tend not to be as good as those available from retailers.
Available at: http://works.bepress.com/lorrie_cranor/48/