• Ashley Baker

Privacy Policy and the Economics of Data Collection Rules

Last month, the Committee for Justice filed comments with the Federal Trade Commission (FTC) addressing questions that will be discussed at the February hearing “Competition and Consumer Protection in the 21st Century: Consumer Privacy." These comments were preceded by our recommendations to the National Telecommunications and Information Administration (NTIA) on developing the Administration’s approach to consumer privacy. Additionally, earlier last year, we submitted a letter for the record to members of the House Committee on Energy and Commerce on Facebook, transparency, and use of consumer data

In the new year, online privacy will inevitably remain in the spotlight, resulting in new proposals and additional hearings, and our work on this issue will continue. Therefore, as the new Congress begins to weigh in on data privacy policies, it is worth reiterating a few of our key arguments:

I. Restrictions on data-driven marketing would harm consumers by causing the demise of many of the online resources they rely on. In recent decades, consumers’ personal and professional lives have been transformed for the better by a vast collection of data-driven resources that are subsidized by advertising and made available at no cost. Policies must strike a balance between realistic consumer privacy preferences and access to information.[1]

Exhibit A: The data-driven marketing economy (DDME) is a significant growth sector. The ability to collect and share data with third-parties has allowed businesses to grow. Restrictions on the use of consumer data would stifle the economic growth created by data-driven marketing.

Source: Data-Driven Marketing Institute

II. Broad, one-size-fits-all privacy rules would have negative consequences for every sector that makes use of data and the ripple effect would be felt across the entire economy.[2] These impacts are already being felt in Europe as a result of the EU’s implementation of the General Data Protection Regulation (GDPR) in May.[3] An earlier report commissioned by the U.S. Chamber of Commerce argues that the negative impact on the EU GDP could reach -0.8% to -1.3%. The end result would be a direct negative welfare effect on four-person households of about $1,353 per year.[4]

Exhibit B: Cross-border data flows have a multiplier effect on productivity and growth. To maintain interoperability in light of new privacy regulations, the EU has identified countries with "adequate" privacy protections. Combined, these "adequate" countries represent less than 6% of global services trade.

Source: IMF Study cited by the U.S. Chamber of Commerce

III. When faced with compliance and financial burdens, new technology companies—and the tax revenue and job creation they produce—tend to move to favorable regulatory environments. Since technology, by nature, cannot be confined within state borders, these companies are more likely to choose to operate outside of the United States. Policymakers should pay particular attention to proposed state regulations that threaten to create a patchwork of regulations that could strangle new businesses and technologies with contradictory laws and enforcement.

IV. Public debate is disproportionately focused on large companies, but the vast majority of Internet companies fall in the latter category and include the very companies that might otherwise grow to compete with and even supplant the tech giants of today. Sweeping ex ante regulatory approaches like the GDPR, and the recently-passed California Consumer Privacy Act (CCPA), are likely to create an artificial imbalance in the competitive ecosystem in which many firms operate.[5] Unlike their resource-lean startup counterparts, large companies are far better situated to devote labor costs and time to addressing the increased compliance costs necessitated by broad data protection mandates such as the GDPR. This imbalance is likely to result in anticompetitive lock-in effects for incumbent firms.

Exhibit C: Companies expected to face significant challenges with investments, compliance, vendor relations, reporting, and budgeting after the implementation of the GDPR. Notably, 9% identified "change or close operations in Europe" as an area requiring significant effort.

Source: McDermott Will & Emery LLP and Ponemon Institute LLC

V. Public opinion polls showing support for stronger data protections are misleading because they rarely confront consumers with the monetary and other costs of their choices.[6] A 2016 study found that, despite most participants’ unease with an email provider using automated content analysis to provide more targeted advertisements, 65 percent of them were unwilling to pay providers any amount for a privacy-protecting alternative.[7] Such studies remind us that most consumers do not value data privacy enough to pay anything for it.

Exhibit D: For example, although American consumers have increasingly expressed concerns over data collection, a majority of financial customers would give up data for more banking benefits, while only a tiny percentage would pay for services designed to protect their privacy. Price consequences and other incentives outweigh privacy when factored into consumer decision-making.

Source: American Banker

VI. The Internet has proven useful and valuable in ways that were difficult to imagine over a decade and a half ago, and it has created privacy challenges that were equally difficult to predict. Legislative initiatives in the mid-1990s to heavily regulate the Internet in the name of privacy would have impeded its growth while also failing to address the complex privacy issues that arose years later.[8] As the Congress and regulatory agencies continue to consider the issue of consumer privacy in the digital age, it would do well to embrace a policy of restraint and forbearance.

VII. In short, many of the recent privacy proposals wouldn’t necessarily protect consumers, but would make America more like Europe. The United States’ economic growth and status as a global leader in innovation will depend on a thorough evaluation of risks when crafting our nation’s approach to consumer privacy.[9] As calls for data privacy in the United States echo those heard in Europe, it is important to remember the fate of the European Union’s digital economy at the hands of a strict regulatory regime.[10] We should learn from their mistakes.


Notes and Sources

[1] These resources are an engine of economic growth, even when other sectors experience difficult economic times. Data-driven marketing is estimated to have added more than $200 billion to the U.S. economy in 2014, a 35% increase over just two years earlier. (John Deighton and Peter Johnson, “The Value of Data 2015: Consequences for Insight, Innovation and Efficiency in the U.S. Economy.” Data & Marketing Association. Dec. 2015, https://thedma.org/wp-content/uploads/Value-of-Data-Summary.pdf.)

[2] Data minimization and purpose-limitation mandates make it far more difficult to transmit information between firms, industries, and national borders. (See, e.g., Sarah Wheaton, "5 BIG Reasons Europe Sucks at Curing Cancer," Politico, 12 Oct. 2018, https://www.politico.eu/article/cancer-5-big-reasons-europe-sucks-at-curing/.). The GDPR, for example, would have made it impossible for the Danish Cancer Society to conduct the study that helped dispel the myth of a correlation between mobile cellular phone use and cancer. (See Patrizia Frei et al., "Use of Mobile Phones and Risk of Brain Tumours: Update of Danish Cohort Study,” BMJ, 20 Oct. 2011, https://www.cancer.dk