Regulatory Compliance with Limited Enforceability: Evidence from Privacy Policies
Law & Economics Seminar Series
Speaker: Bernhard Ganglmair (Univ. Mannheim)
Room T-024 & by Zoom
Abstract:
The EU General Data Protection Regulation (GDPR) of 2018 introduced stringent transparency rules compelling firms to disclose the nature of their data collection, processing, and use in accessible and readable language. The disclosure requirement is objective, and its compliance is verifiable. However, readability is subjective and vague, making it difficult to enforce. We examine the effect of this asymmetric enforceability of regulatory rules on firms' compliance using a large sample of privacy policies from German firms between 2014 and 2021, matched with firm-level and industry-level information. We use text-as-data techniques to construct measures of disclosure and readability and show that firms responded to the GDPR's transparency requirements by significantly increasing information disclosure. However, the readability of their privacy policies did not improve and, in some cases, worsened. Larger firms and those in concentrated industries demonstrated higher compliance levels with the readability requirement, potentially due to heightened regulatory scrutiny. We emphasize the significance of regulatory capacity, as higher-budget regulators (German state-level data protection authorities) with better enforcement capabilities foster improved compliance with the vague rules and guidance of the readability requirement. This study sheds light on the intricate dynamics between enforceability, compliance, and the role of verifiability within regulatory frameworks.
Joint work with: Julia Kraemer and Jacopo Gambato