Florencia Marotta-Wurgler of NYU has written Self-Regulation and Competition in Privacy Policies, 45 Journal of Legal Studies (2016). Here's the abstract
I investigate alternative explanations for the content of privacy policies. Under one model of self-regulation, firms signal their privacy protections to consumers by highlighting compliance with third-party guidelines. However, in a sample of 249 privacy policies, only 27% claim compliance with a specific guideline and the terms of policies that do claim compliance with at least one are generally inconsistent with its requirements. Alternatively, under a market-based mechanism, firms incorporate consumer preferences directly. Consistent with this influence, there are several intuitive differences in terms across markets. Adult sites — none of which claim certification — are much more likely to give concise and clear notice of privacy practices and limit data sharing with third parties, while cloud computing sites are particularly likely to follow stringent data security standards. Overall, privacy policy content appears to be shaped at least as much by market forces as by a self-regulatory regime based on external guidelines.