posted on 2006-01-01, 00:00, authored by Steve Sheng, Lorrie Faith Cranor
Little research exists measuring the effectiveness of privacy legislation
as compared to self-regulation. As policy makers, advocates and
industry groups debate new privacy legislation, empirical research on
the effectiveness of existing privacy legislation is needed to help
inform the debate.
We conducted a longitudinal study of the privacy policies posted
online between 1999 and 2005 for 50 companies in the US financial
industry. We analyzed these policies to determine how they changed
over this time period and what changes were likely prompted by
compliance requirements of the Gramm-Leach-Bliley Act (GLB)
privacy rule. We also conducted a similar analysis of the privacy
policies from 10 retailers over the same time period. The retailers
were not subject to US privacy regulation and thus serve as a control
group.
Our research shows that since the GLB Act has gone into effect,
financial privacy notices are more complete; however, we have not
found a significant change in the privacy choices offered to
consumers. We observed that large banks and credit card companies
minimally comply with GLB. While complying with the regulation,
they are still able to collect large amounts of information about
customers and share the information extensively with affiliates. They
also take advantage of the exceptions provided by the law to share
with third parties without giving consumers choices. Finally, we
observe that choices about third-party sharing offered by financial
institutions tend not to be as good as those available from retailers.