Balancing act: Protecting privacy, protecting competition
- As consumers worry more about their privacy, governments are responding with more regulations.
- Privacy regulation can be costly to firms, particularly smaller ones, and may benefit incumbent firms.
- Regulation has been effective at reducing some tracking online, but can hurt marketing efforts, making it harder for consumers to find products they want and hurting company profits.
- There are clear lessons from existing regulatory laws that can inform better policy moving forward.
A large majority of Americans — 81 percent — feel a lack of control over their personal data and indicate they are concerned that the risks posed by corporate data collection outweigh any benefits. Governments and regulators are responding to these concerns: In the last five years, privacy laws have been passed in five U.S. states and in 10 countries, with dozens more actively considering new legislation.
While regulation may be able to enhance the privacy of individuals, it may also cost companies a lot of money. Firms use personal data for a variety of purposes, including product recommendations, web development, and advertising. So limiting the use of personal data may harm profits and damage the very products consumers find valuable by reducing personalization, increasing prices, or both.
Thoughtful policy design may help ease the pain of protecting consumers’ privacy online. This policy brief turns to past regulation to draw lessons for future legislation.
The General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) is one of the most significant comprehensive privacy regulations in effect today. The GDPR regulates the collection and processing of any data associated with EU citizens, including processing by both EU and non-EU firms.
Fundamentally, the GDPR presents a vision of the modern economy in which consumers have primary control over their data and their digital lives. Large potential fines of up to 4 percent of global revenue are meant to ensure firm compliance. Two components are particularly relevant for this discussion: data minimization (Article 5(1c)) and lawfulness of processing (Article 6(1)).
The GDPR restricts how, when, and why firms can collect data and incentivizes them to be thoughtful about whom they share it with.
Collectively, the GDPR refers to this as data minimization. Cumulatively, these rules incentivize firms to invest in data protection and limit the number of partners they share data with. Industry reports and firm surveys estimate these costs may be substantial, with many large firms expecting to spend between $1 and $10 million annually on compliance (PricewaterhouseCoopers, 2018).
The second cornerstone of the GDPR is consent. Regulators have made clear that consent is the primary basis for data processing online (Article 29 Data Protection Working Party, 2012; Information Commissioner's Office, 2019; Data Protection Commission, 2020) and is meant to give consumers the ability to explicitly opt in to which firms — and for which purposes — they will allow data collection. In practice, firms have more often followed an opt-out approach — assuming consent until consumers specify otherwise (Autoriteit Persoonsgegevens, 2019; Utz et al., 2019). Still, consent directly limits the amount of data firms can collect, potentially harming the firm's revenue-generating personalized marketing and product personalization.
Overall, the regulation makes data collection more costly for the firm, potentially illegal under some new circumstances (if they do not get consent from the user) and potentially more risky to hold (if a mistake happens, they are liable). Thus, firms should choose to record fewer user activities in order to reduce their risk.
How has the GDPR impacted firms?
The implementation of the GDPR should lead to a decrease in recorded outcomes — the information a company chooses to track, such as time spent on a particular website, or what websites are visited.
While recorded outcomes fall, it is important to distinguish why they might fall. There are two reasons. First, firms might change the criteria of when to record data and whose data to record. This can be influenced by users opting out of data collection. Second, recorded outcomes may fall as the underlying real outcome falls — for instance, when fewer users find their way to the firm due to less effective marketing. If fewer customers are being drawn to a website, the company has a smaller pool of people from which to collect data.
In the extreme, if changes to recorded outcomes are entirely due to changes in recording behaviors, we might deem the GDPR to be effectively providing privacy to consumers. On the other hand, if real outcomes suffer and recording is unchanged, then we should be concerned that the GDPR has done little to address privacy concerns and is hurting the online economy.
Along with my co-authors Garrett Johnson at Boston University and Scott Shriver at the University of Colorado, Boulder, I explore this question in the context of the GDPR (Goldberg et al., 2022).
Our data comes from Adobe Analytics, a major online technology provider. Our sample provides scale and scope to examine the GDPR. We observe the aggregated recorded outcomes for over a thousand online firms for both 2017 and 2018, constituting almost 4.4 billion recorded pageviews, and $750 million in recorded revenue, per week. Further, we can break these outcomes out by the country of traffic origin — European versus North American traffic, for instance — and the marketing channel through which traffic arrives.
We focus on recorded revenue and page views as these are good proxies for the most popular monetization strategies of online firms: advertising and e-commerce.
Consider Figure 1. The solid black line plots the average recorded outcome per week, in 2018 (the dotted line plots the data from 2017), for our set of firms. The blue line marks the date at which the GDPR went into effect. In panel (a) we can see a distinct decline in the number of recorded pageviews per week. This decline is even more stark when compared with the same outcome in 2017. While somewhat less clear, panel (b) suggests that, relative to the previous year, revenue post-GDPR in 2018 has declined. Our statistical tests confirm these observations: The GDPR is responsible for approximately a 12 percent reduction in our recorded outcomes or about $9,000 (15,000 pageviews) per week.
Still, the policy-relevant question persists: How much of this is due to changes in recording versus a fall in real outcomes? In congruence with the decrease in recorded outcomes, we also observe an increase in pageviews per visit and revenue per visit — evidence that the users who do consent to data collection after the GDPR are more valuable to the firm. Our paper presents a model that — using this insight — allows us to decompose our overall recorded outcome effect into its two constituent parts: a real effect and a recording effect.
We estimate non-consent rates between 0.6 and 11.7 percent, suggesting changes in data recording practices are playing an important role in driving the decline in recorded outcomes. That is, firms have responded to the GDPR by reducing their data collection albeit likely by less than regulators intended. Real outcomes also seem to decline — our lower-bound estimates imply real revenue falls by 0.4 percent per week, or about $360.
This decline in real outcomes is disproportionately driven by declines in traffic from display advertising and email, suggesting that marketing has become harder post-GDPR. This estimate is likely conservative as it does not account for the cumulative effects of marketing, or spillovers to purchases through other channels of arrival. Further, marketing is often more valuable to the smaller firms and direct-to-consumer brands that proliferate across the web — suggesting there may be long-run harms to competition.
Competition & the GDPR
The previous section documented a decline in both real and recorded outcomes for firms online, due to the GDPR. One critical question here is whether all firms are equally worse off. Previous work has suggested that privacy regulation may harm smaller firms (Campbell et al., 2015) and found that the GDPR limited investment in new entrants (Jia et al., 2021). Our work suggests a similar pattern. Larger firms can more effectively gather consent post-GDPR and thus may have an advantage over smaller firms post-GDPR (Goldberg et al., 2022).
The GDPR’s principle of data minimization may also impact competition online. In a companion paper (Johnson et al., 2022), we study how the GDPR changes which partners sites choose to share data with. To do so, we collect data that tracks, for a sample of 27,000 sites, the number and identities of all third parties a site pings when a user arrives.
In Figure 2, panel (a) below, we can see the number of vendors that a site pings declines sharply immediately after the GDPR. In panel (b) we can see that this decline corresponds to an increase in concentration in this market. This concentration increase suggests larger firms are getting a larger share of what is now, due to the GDPR, a smaller pie. Both effects dissipate by the end of 2018.
Our work documents several important facts about these patterns. First, they are not an artifact of third parties exiting the market or short-run technology outages. Second, these effects are primarily driven by third parties associated with advertising and other data intensive technology. Third, the bounce back is not primarily driven by the adoption of compliance technologies.
Cumulatively, we believe these insights both add credibility to the association of these patterns with the GDPR and ask an interesting question: Why do we see this pattern of non-compliance where firms add back third parties?
While the limitations of our data make answering this question difficult, patterns of heterogeneity provide some clues. For example, firms located in EU countries with regulators who are perceived to be less strict are more likely to add back third parties, and do so more quickly, than those from countries with stricter regulators. We also see a similar pattern in Goldberg et al. (2022): Traffic from sites located in less strict EU countries is less harmed by the GDPR.
Second, sites with more EU users tend to cut fewer third-party vendors. This pattern seems to be congruent with some simple economics: because the GDPR penalizes global revenue, sites with fewer EU users risk more and gain less from monitoring EU users.
What lessons can we learn?
There is evidence here that privacy regulation, if enforced, can lead to substantial changes in firm behaviors. Firms will change which and how many partners they share data with and offer consumers the ability to opt out of data collection. Consumers with strong preferences for privacy will opt out of data collection, even if the process is not as streamlined as many advocate for. It is unfortunately difficult to quantify the value of these changes to consumers, but their use of opt-out options and stated preferences suggest privacy regulation (and the GDPR) has the potential to increase consumer welfare.
Still, our results do point to some adverse effects. Privacy regulation is likely costly for firms, both in terms of real outcomes and recorded data. Privacy regulation makes marketing less effective, making it harder for consumers to find the products they are looking for and decreasing revenue for firms. These findings do not account for two potentially significant harms. First, reduced data recording may lead to quality degradation in the products that consumers value. Second, firms must continuously invest in compliance technologies. Both observations suggest the harms, to both consumers and firms, may be understated here.
There is clear evidence that the GDPR benefits larger firms at the expense of smaller firms. Large sites are more successful at collecting data post-GDPR and see smaller decreases in revenue. This could lead to a sustained competitive advantage for larger sites. Further, sites herd toward the largest third-party vendors — in practice this means that Google and Facebook increase their market shares immediately post-GDPR (28.8 percent to 31.9 percent, and 3.4 percent to 3.6 percent, respectively). Thus, privacy regulation is likely to exacerbate already pressing concerns of market power in the online advertising space.
A particularly perverse consequence of market concentration here is that it corresponds to a concentration of data (Johnson et al., 2022). While there may be fewer firms collecting your data, the larger firms are collecting a larger share of it!
Finally, the variation in outcomes and compliance strategies across geographies points to the reality of regulating global data flows — it requires cooperation. For the United States, this suggests national regulation is likely to be much more effective at minimizing costs for firms, guaranteeing compliance, and ultimately protecting consumer privacy.
Samuel Goldberg is a SIEPR Postdoctoral Fellow working on topics in industrial organization and quantitative marketing. His current work focuses on the role of privacy and monitoring technologies in markets. He holds a PhD from Kellogg School of Management at Northwestern University.
 Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information
 US State Privacy Legislation Tracker
 Aridor et al. (2020) also observe advantageous selection into recording post-GDPR.
 As measured by the Herfindahl-Hirschman Index (U.S. Department of Justice (2010)).
 The Hidden Failure of the World’s Biggest Privacy Law.
US Department of Justice and the Federal Trade Commission (2010). Horizontal merger guidelines.
Article 29 Data Protection Working Party (2012, June). Opinion 04/2012 on cookie consent exemption. Technical report, Article 29 Data Protection Working Party.
Autoriteit Persoonsgegevens (2019, December). Ap: veel websites vragen op onjuiste wijze toestemming voor plaatsen tracking cookies.
PricewaterhouseCoopers (2018). Pulse survey: GDPR budgets top $10 million for 40% of surveyed companies.
Data Protection Commission (2020, April). Guidance note: Cookies and other tracking technologies. Technical report, Data Protection Commission.
Aridor, G., Y.-K. Che, W. Nelson, and T. Salz (2020). The Effect of Privacy Regulation on the Data Industry: Empirical Evidence from GDPR, NBER Working Paper 26900, National Bureau of Economic Research, Inc.
Campbell, J., A. Goldfarb, and C. Tucker (2015). Privacy regulation and market structure. Journal of Economics & Management Strategy 24 (1), 47–73.
Utz, C., M. Degeling, S. Fahl, F. Schaub, and T. Holz (2019). (Un)informed consent: Studying GDPR consent notices in the field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 973–990.
Jia, J., G. Z. Jin, and L. Wagman (2021). The short-run effects of the General Data Protection Regulation on technology venture investment. Marketing Science 40 (4), 661–684.
Johnson, G. A., S. K. Shriver, and S. G. Goldberg (2022). Privacy & market concentration: intended and unintended consequences of the GDPR. Working paper.
Goldberg, S. G., G. A. Johnson, and S. K. Shriver (2022). Regulating Privacy Online: An Economic Evaluation of the GDPR. Working Paper.