“Please Respect Our Terms and Conditions”: A Causal Analysis of GDPR Impact on Privacy Policies

Abstract

The General Data Protection Regulation (GDPR) has been widely praised as the most consequential privacy law in history. However, GDPR causal effects have never been formally analyzed, and all GDPR praises are largely unsubstantiated. This thesis constructs a database of 317,396 privacy policies to overcome previous data limitations and formally quantifies the causal impact of GDPR regulation on privacy policies.

The thesis begins by addressing the open question of whether GDPR regulation has significantly changed privacy policies. I find that the GDPR has substantially changed privacy policies since its adoption: GDPR websites, on average, have changed their privacy policies 12.45% more and updated their privacy policies 25.43% more frequently than a non-GDPR control, ceteris paribus. The thesis next addresses the more nuanced question of how GDPR regulation has changed privacy policies. I identify a clear tension between the GDPR mandate for “concise and readable” privacy policies and additional GDPR Article disclosure requirements: the GDPR has made privacy policies more compliant with various GDPR articles but also less accessible.

Questions of GDPR efficacy are becoming particularly relevant to policy discussions. Many countries including New Zealand, India, South Africa, and the United States are modeling national privacy developments off of GDPR legislature. Further research on the nuanced effects of GDPR regulation on privacy policies is necessary for the GDPR to serve as a global paragon of privacy law successfully.