Mumbai: A year ago, the Facebook-Cambridge Analytica scandal sparked widespread public concern about data privacy. In one of the first such attempts, a new paper, authored by Tarun Ramadorai of Imperial College in London and others, provides insights into the "market for data privacy" by analysing the privacy policies of more than 4,000 firms in the US.

The authors find that privacy policies vary considerably in terms of text—even within industries. Their textual analysis also reveals that privacy policies are highly unreadable. Using an index of readability, the authors suggest that at least a college degree is required to fully comprehend the average privacy policy.

More interestingly, the authors find that privacy policies vary by the size of a company. Larger firms have longer and more complex policies, but these policies are more legally sound, based on a score of parameters such as data collection, user consent, responsible use, third-party sharing and user rights.

Ironically, despite the tighter policies, larger firms are also found to be more likely to share data on their users’ browsing history with third parties (through cookies on their websites).

However, very large firms, with a higher degree of technical sophistication and knowledge capital, have shorter, less complex and less legally watertight policies. These firms also engage in less third-party sharing of user data from their websites.

The authors theorize that it might be more cost-effective for large companies with very high technical sophistication to process data “in-house" rather than to sell it to a third-party data intermediary for processing.

On the other hand, for smaller firms with intermediate knowledge capital, it might make more sense to involve third-party intermediaries but invest in high-quality privacy policies to insure themselves against future legal liabilities.

Read: The Market for Data Privacy