Regulatory Compliance With Limited Enforceability: Evidence From Privacy Policies

Bernhard Ganglmair, Julia Krämer, Jacopo Gambato

Research output: Working paperDiscussion paperAcademic

Abstract

The EU General Data Protection Regulation (GDPR) of 2018 introduced stringent transparency rules compelling firms to disclose, in accessible language, details of their data collection, processing, and use. The specifics of the disclosure requirement are objective, and its compliance is easily verifiable; readability, however, is subjective and difficult to enforce. We use a simple inspection model to show how this asymmetric enforceability of regulatory rules and the corresponding firm compliance are linked. We then examine this link empirically using a large sample of privacy policies from German firms. We use text-as-data techniques to construct measures of disclosure and readability and show that firms increased the disclosure volume, but the readability of their privacy policies did not improve. Larger firms in concentrated industries demonstrated a stronger response in readability compliance, potentially due to heightened regulatory scrutiny. Moreover, data protection authorities with larger budgets induce better readability compliance without effects on disclosure.
Original languageEnglish
Place of PublicationMannheim
PublisherZEW - Leibniz-Centre for European Economic Research
Volume12
Publication statusPublished - Mar 2024

Erasmus Sectorplan

  • Sector plan Recht-Public and Private Interests
  • Sector plan Recht-Empirical Legal Studies
  • Sector plan SSH-Breed

Fingerprint

Dive into the research topics of 'Regulatory Compliance With Limited Enforceability: Evidence From Privacy Policies'. Together they form a unique fingerprint.

Cite this