Privacy Policy and the Economics of Data Collection Rules

Last month, the Committee for Justice filed comments with the Federal Trade Commission (FTC) addressing questions that will be discussed at the February hearing “Competition and Consumer Protection in the 21st Century: Consumer Privacy." These comments were preceded by our recommendations to the National Telecommunications and Information Administration (NTIA) on developing the Administration’s approach to consumer privacy. Additionally, earlier last year, we submitted a letter for the record to members of the House Committee on Energy and Commerce on Facebook, transparency, and use of consumer data

In the new year, online privacy will inevitably remain in the spotlight, resulting in new proposals and additional hearings, and our work on this issue will continue. Therefore, as the new Congress begins to weigh in on data privacy policies, it is worth reiterating a few of our key arguments:

I. Restrictions on data-driven marketing would harm consumers by causing the demise of many of the online resources they rely on. In recent decades, consumers’ personal and professional lives have been transformed for the better by a vast collection of data-driven resources that are subsidized by advertising and made available at no cost. Policies must strike a balance between realistic consumer privacy preferences and access to information.[1]

Exhibit A: The data-driven marketing economy (DDME) is a significant growth sector. The ability to collect and share data with third-parties has allowed businesses to grow. Restrictions on the use of consumer data would stifle the economic growth created by data-driven marketing.

Source: Data-Driven Marketing Institute

II. Broad, one-size-fits-all privacy rules would have negative consequences for every sector that makes use of data and the ripple effect would be felt across the entire economy.[2] These impacts are already being felt in Europe as a result of the EU’s implementation of the General Data Protection Regulation (GDPR) in May.[3] An earlier report commissioned by the U.S. Chamber of Commerce argues that the negative impact on the EU GDP could reach -0.8% to -1.3%. The end result would be a direct negative welfare effect on four-person households of about $1,353 per year.[4]

Exhibit B: Cross-border data flows have a multiplier effect on productivity and growth. To maintain interoperability in light of new privacy regulations, the EU has identified countries with "adequate" privacy protections. Combined, these "adequate" countries represent less than 6% of global services trade.

Source: IMF Study cited by the U.S. Chamber of Commerce

III. When faced with compliance and financial burdens, new technology companies—and the tax revenue and job creation they produce—tend to move to favorable regulatory environments. Since technology, by nature, cannot be confined within state borders, these companies are more likely to choose to operate outside of the United States. Policymakers should pay particular attention to proposed state regulations that threaten to create a patchwork of regulations that could strangle new businesses and technologies with contradictory laws and enforcement.

IV. Public debate is disproportionately focused on large companies, but the vast majority of Internet companies fall in the latter category and include the very companies that might otherwise grow to compete with and even supplant the tech giants of today. Sweeping ex ante regulatory approaches like the GDPR, and the recently-passed California Consumer Privacy Act (CCPA), are likely to create an artificial imbalance in the competitive ecosystem in which many firms operate.[5] Unlike their resource-lean startup counterparts, large companies are far better situated to devote labor costs and time to addressing the increased compliance costs necessitated by broad data protection mandates such as the GDPR. This imbalance is likely to result in anticompetitive lock-in effects for incumbent firms.

Exhibit C: Companies expected to face significant challenges with investments, compliance, vendor relations, reporting, and budgeting after the implementation of the GDPR. Notably, 9% identified "change or close operations in Europe" as an area requiring significant effort.

Source: McDermott Will & Emery LLP and Ponemon Institute LLC

V. Public opinion polls showing support for stronger data protections are misleading because they rarely confront consumers with the monetary and other costs of their choices.[6] A 2016 study found that, despite most participants’ unease with an email provider using automated content analysis to provide more targeted advertisements, 65 percent of them were unwilling to pay providers any amount for a privacy-protecting alternative.[7] Such studies remind us that most consumers do not value data privacy enough to pay anything for it.

Exhibit D: For example, although American consumers have increasingly expressed concerns over data collection, a majority of financial customers would give up data for more banking benefits, while only a tiny percentage would pay for services designed to protect their privacy. Price consequences and other incentives outweigh privacy when factored into consumer decision-making.

Source: American Banker

VI. The Internet has proven useful and valuable in ways that were difficult to imagine over a decade and a half ago, and it has created privacy challenges that were equally difficult to predict. Legislative initiatives in the mid-1990s to heavily regulate the Internet in the name of privacy would have impeded its growth while also failing to address the complex privacy issues that arose years later.[8] As the Congress and regulatory agencies continue to consider the issue of consumer privacy in the digital age, it would do well to embrace a policy of restraint and forbearance.

VII. In short, many of the recent privacy proposals wouldn’t necessarily protect consumers, but would make America more like Europe. The United States’ economic growth and status as a global leader in innovation will depend on a thorough evaluation of risks when crafting our nation’s approach to consumer privacy.[9] As calls for data privacy in the United States echo those heard in Europe, it is important to remember the fate of the European Union’s digital economy at the hands of a strict regulatory regime.[10] We should learn from their mistakes.

Notes and Sources

[1] These resources are an engine of economic growth, even when other sectors experience difficult economic times. Data-driven marketing is estimated to have added more than $200 billion to the U.S. economy in 2014, a 35% increase over just two years earlier. (John Deighton and Peter Johnson, “The Value of Data 2015: Consequences for Insight, Innovation and Efficiency in the U.S. Economy.” Data & Marketing Association. Dec. 2015,

[2] Data minimization and purpose-limitation mandates make it far more difficult to transmit information between firms, industries, and national borders. (See, e.g., Sarah Wheaton, "5 BIG Reasons Europe Sucks at Curing Cancer," Politico, 12 Oct. 2018, The GDPR, for example, would have made it impossible for the Danish Cancer Society to conduct the study that helped dispel the myth of a correlation between mobile cellular phone use and cancer. (See Patrizia Frei et al., "Use of Mobile Phones and Risk of Brain Tumours: Update of Danish Cohort Study,” BMJ, 20 Oct. 2011,

[3] Writing at the American Enterprise Institute months after GDPR’s implementation, Daniel Lyons notes the effects such a rule would be likely to have on diminished consumer welfare: "The chilling effect on digital products available to European consumers could be significant. Even if companies are not actively marketing to European residents, they may have European visitors interacting with their webpage, taking advantage of marketing offers, or subscribing to newsletters. If these interactions result in retention of personally identifiable information, the company is subject to the GDPR. The ease with which a company may find itself bound, coupled with the cost of compliance and potentially draconian penalties for violation, creates strong incentives for companies to withdraw -- aggressively -- from European markets." (Daniel Lyons, “GDPR: Privacy as Europe’s tariff by other means?,” American Enterprise Institute, 3 July 2018,

[4] The report continues, "EU services exports to the United States drop by -6.7% due to loss of competitiveness. As goods exports are highly dependent on efficient provision of services (up to 30% of manufacturing input values come from services), EU manufacturing exports to the United States could decrease by up to -11%, depending on the industry. In such case, the export benefits produced by the EU-U.S. FTA are eradicated by a good margin." (Matthia Bauer, et. al., “The Economic Importance of Getting Data Protection Right: Protecting Privacy, Transmitting Data, Moving Commerce,” European Centre for International Political Economy, report commissioned by the U.S. Chamber of Commerce, Mar. 2013, p. 3,

[5] A recent report from Columbia University explained, "As of 2017, Google and Facebook claim seventy-seven cents of every dollar spent on digital advertising in the United States, with no other single company claiming even as much as three percent of the total market share. While the GDPR may hinder some of these companies’ data collection and/or sharing activities, the regulation may well squeeze smaller advertising networks even more, potentially magnifying the dominance of this duopoly in online advertising. These smaller ad networks, for example, typically lack the direct consumer relationships needed to secure consent from users on their own behalf, but may also find that media publishers and other website hosts are reluctant to ask for user consent for the broad range and volume of data that these advertisers can presently access without hindrance. Without access to the data on which they currently rely, smaller advertising networks may be simply cut out of the online market altogether unless they can find a way to gain some advantage over the platforms in compliance, user-friendliness, or rates. In this environment, platform companies and website hosts—such as media companies—that have a brand-name relationship to their users are likely to have more success in persuading individuals to give up their information, and therefore may have increased power in the advertising market under the GDPR." (Susan E. McGregor and Hugo Zylberberg, “Understanding the General Data Protection Regulation: A Primer for Global Publishers,” Tow Center for Digital Journalism at Columbia University (New York, NY: Mar. 2018), pp. 37-38,

[6] Privacy is just one component of a more complex bundle of values -- the contextual nature of consumer valuations that occur in the moment and are subject to change on a whim -- and a general lack of consensus regarding what constitutes the “boundaries” of ownership over individual data. As summarized by Alec Stapp and Ryan Hagemann in comments to the NTIA, "Most research and behavioral studies conclude that privacy is highly context-dependent. Privacy valuations are subject to cognitive biases, including social desirability bias (e.g., people are less likely to share embarrassing information) and the endowment effect. Most people care a great deal about privacy harms that result in material and financial costs, such as identity theft, or the revelation of sensitive personal information to their close social circles. They tend to care far less about data collected about their purchasing patterns and website browsing activity by companies storing that information on distant, largely-inaccessible data server farms. This is especially true when consumers receive what they judge to be considerable benefits at a functional cost to them of zero dollars and zero cents." (Alec Stapp and Ryan Hagemann, Comments submitted to the National Telecommunications and Information Administration in the Matter of: Request for Comments on Developing the Administration’s Approach to Consumer Privacy, Docket Number 180821780-8780-01, submitted 8 Nov. 2018, p. 10,

[7] Lior Jacob Strahilevitz and Matthew B. Kugler. “Is Privacy Policy Language Irrelevant to Consumers?" The Journal of Legal Studies 45, no. S2. Sept. 9, 2016.

[8] In a 2014 Foreign Affairs essay, Craig Mundie considers what might have become of the digital economy “if, in 1995, comprehensive legislation to protect Internet privacy had been enacted.” Such policies, Mundie concludes, would have utterly failed to anticipate the complexities that arose after the turn of the century with the growth of social networking and location-based wireless services. (Craig Mundie, “Privacy Pragmatism,” Foreign Affairs, Vol. 93, No. 2 (March/April 2014), p. 517,

[9] Technological advancement and global leadership in innovation is largely driven by startups. Restrictive regulations are the primary reason for the dearth of tech startups in Europe, as the inability to generate online revenue and to develop new products forms a roadblock for venture capital investments. (Mark Scott. "For Tech Start-Ups in Europe, an Oceanic Divide in Funding." The New York Times. 19 January 2018.

[10] For example, following the implementation of the opt-in model mandated in the EU’s Privacy and Electronic Communications Directive (2002/58/EC), online ads became 65 percent less effective. (Alan McQuinn. "The Economics of 'Opt-Out' Versus 'Opt-In' Privacy Rules." Information Technology and Innovation Foundation. 6 Oct. 2017,

Related Posts