Klaus M. Miller,Julia Schmitt,Bernd Skiera

2024-11-18

Abstract:Privacy regulations often necessitate a balance between safeguarding consumer privacy and preventing economic losses for firms that utilize consumer data. However, little empirical evidence exists on how such laws affect firm performance. This study aims to fill that gap by quantifying the impact of the European Union's General Data Protection Regulation (GDPR) on online usage behavior over time. We analyzed data from 6,286 websites across 24 industries, covering 10 months before and 18 months after the GDPR's enactment in 2018. Employing a generalized synthetic control estimator, we isolated the short- and long-term effects of the GDPR on user behavior. Our results show that the GDPR negatively affected online usage per website on average; specifically, weekly visits decreased by 4.88% in the first 3 months and 10.02% after 18 months post-enactment. At the 18-month mark, these declines translated into average revenue losses of about USD 7 million for e-commerce websites and nearly USD 2.5 million for ad-based websites. Nonetheless, the GDPR's impact varied across website size, industry, and user origin, with some large websites and industries benefiting from the regulation. Notably, the largest 10% of websites pre-GDPR suffered less, suggesting that the GDPR has increased market concentration.

General Economics

Julia Schmitt,Klaus M. Miller,Bernd Skiera

DOI: https://doi.org/10.48550/arXiv.2101.11366

2021-01-27

General Economics

Abstract:Policymakers worldwide draft privacy laws that require trading-off between safeguarding consumer privacy and preventing economic loss to companies that use consumer data. However, little empirical knowledge exists as to how privacy laws affect companies' performance. Accordingly, this paper empirically quantifies the effects of the enforcement of the EU's General Data Protection Regulation (GDPR) on online user behavior over time, analyzing data from 6,286 websites spanning 24 industries during the 10 months before and 18 months after the GDPR's enforcement in 2018. A panel differences estimator, with a synthetic control group approach, isolates the short- and long-term effects of the GDPR on user behavior. The results show that, on average, the GDPR's effects on user quantity and usage intensity are negative; e.g., the numbers of total visits to a website decrease by 4.9% and 10% due to GDPR in respectively the short- and long-term. These effects could translate into average revenue losses of $7 million for e-commerce websites and almost $2.5 million for ad-based websites 18 months after GDPR. The GDPR's effects vary across websites, with some industries even benefiting from it; moreover, more-popular websites suffer less, suggesting that the GDPR increased market concentration.

Yu Zhao,Pinar Yildirim,Pradeep K. Chintagunta

DOI: https://doi.org/10.2139/ssrn.3903599

2021-01-01

SSRN Electronic Journal

Abstract:How do privacy regulations in the market impact online search for products and information? This paper investigates the impact of the General Data Protection Regulation (GDPR for short) on consumers’ online browsing and search behavior using consumer panels from four countries, United Kingdom, Spain, United States, and Brazil. We find that after GDPR, a panelist exposed to GDPR submits 21.6% more search terms to access information and browses 16.3% more pages to access consumer goods and services compared to a non-exposed panelist, indicating higher friction in online search. The implications of increased friction are heterogeneous across firms: Bigger e-commerce firms see an increase in consumer traffic and more online transactions. The increase in the number of transactions at large websites is about 6 times the increase experienced by smaller firms. Overall, the post-GDPR online environment may be less competitive for online retailers and may be more difficult for EU consumers to navigate through.

Carl Benedikt Frey,Giorgio Presidente

DOI: https://doi.org/10.1111/ecin.13213

2024-03-06

Economic Inquiry

Abstract:This paper examines how privacy regulation shaped firm performance. Controlling for firm and country‐industry‐year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the General Data Protection Regulation (GDPR) in 2018. We find that the GDPR had the unintended consequence of harming the profitability of companies targeting European consumers through the cost channel. Technology firms experienced a 2.1% decline in profits, but not in sales. The GDPR increased extra expenses, added to firms wage bills, and accelerated patenting in GDPR‐related technology fields. The main burdens have been borne by smaller companies.

economics

Klaus M. Miller,Karlo Lukic,Bernd Skiera

2024-11-11

Abstract:This study explores the impact of the General Data Protection Regulation (GDPR), introduced on May 25th, 2018, on online trackers, vital elements in the online advertising ecosystem. Using a difference-in-differences approach with a balanced panel of 294 publishers, we compare publishers subject to the GDPR with those unaffected (the control group). Drawing on data from <a class="link-external link-http" href="http://WhoTracks.me" rel="external noopener nofollow">this http URL</a>, which spans 32 months from May 2017 to December 2019, we analyze how the number of trackers used by publishers changed before and after the GDPR. The findings reveal that although online tracking increased for both groups, the rise was less significant for EU-based publishers subject to the GDPR. Specifically, the GDPR reduced about four trackers per publisher, equating to a 14.79% decrease compared to the control group. The GDPR was particularly effective in curbing privacy invasive trackers that collect and share personal data, thereby strengthening user privacy. However, it had a limited impact on advertising trackers and only slightly reduced the presence of analytics trackers.

General Economics

Mert Demirer,Diego J. Jiménez Hernández,Dean Li,Sida Peng

DOI: https://doi.org/10.2139/ssrn.4731055

2024-01-01

SSRN Electronic Journal

Abstract:By regulating how firms collect, store, and use data, privacy laws may change the role of data in production and alter firm demand for information technology inputs.We study how firms respond to privacy laws in the context of the EU's General Data Protection Regulation (GDPR) by using seven years of data from a large global cloudcomputing provider.Our difference-in-difference estimates indicate that, in response to the GDPR, EU firms decreased data storage by 26% and data processing by 15% relative to comparable US firms, becoming less "data-intensive."To estimate the costs of the GDPR for firms, we propose and estimate a production function where data and computation serve as inputs to the production of "information."We find that data and computation are strong complements in production and that firm responses are consistent with the GDPR representing a 20% increase in the cost of data on average.Variation in the firm-level effects of the GDPR and industry-level exposure to data, however, drives significant heterogeneity in our estimates of the impact of the GDPR on production costs.

Ziru Li,Gunwoong Lee,T. S. Raghu,Zhan (Michael) Shi

DOI: https://doi.org/10.1287/isre.2022.0421

IF: 4.9

2024-06-09

Information Systems Research

Abstract:Although regional data protection and privacy regimes are often cited as major barriers to crossborder digital trade, mitigating consumer privacy concerns through regulations can potentially increase the demand for foreign digital products or services. This study delves into this by assessing the impact of the General Data Protection Regulation (GDPR) on the global mobile app market. Contrary to the belief that such regulations hinder digital trade, our data show a notable post-GDPR increase in top foreign apps in European Union countries, suggesting that the GDPR may alleviate privacy concerns and encourage the adoption of foreign digital products. This finding is crucial for policymakers dealing with data and privacy issues as it indicates the potential of these regulations to balance economic growth with privacy and security protection. The study suggests that data and privacy regulations can address data concerns without significantly harming digital trade. Additionally, it uncovers an opportunity for multinational companies. Although compliance costs are higher, clear privacy regulations could lessen consumer domestic bias, opening doors to international markets. Therefore, evaluating privacy regulations’ impact on global markets means considering both their benefits for demand and their costs for suppliers.

information science & library science,management

Elif Erdemoglu

DOI: https://doi.org/10.1007/978-94-6265-144-9_7

2016-01-01

Abstract:The discussion on the regulation on citizens’ right to privacy grows parallel to the widespread usage and collection of Big Data. This chapter analyses from a law and economics perspective the discussion on the European Union (EU) citizens’ rights to privacy with regards to collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. A significant part of achieving this aim would require the EU citizens to trust in using digital services. The GDPR is designed to increase the citizens’ trust to use online and digital services by obliging the service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the economic analysis lens and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of this chapter’s analysis is limited to how to cure information asymmetries between the citizens and the data collectors in order to increase the citizens’ trust in using digital services given the fast-changing and delicate legal issues arising from collecting the personal data of the EU citizens. This chapter concludes by suggesting three improvements to the GDPR; more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller and issuance of publicly available, frequent privacy ratings.

Tobias Urban,Dennis Tatang,Martin Degeling,Thorsten Holz,Norbert Pohlmann

DOI: https://doi.org/10.1145/3320269.3372194

2018-11-21

Abstract:The European General Data Protection Regulation (GDPR), which went into effect in May 2018, leads to important changes in this area: companies are now required to ask for users' consent before collecting and sharing personal data and by law users now have the right to gain access to the personal information collected about them. In this paper, we study and evaluate the effect of the GDPR on the online advertising ecosystem. In a first step, we measure the impact of the legislation on the connections (regarding cookie syncing) between third-parties and show that the general structure how the entities are arranged is not affected by the GDPR. However, we find that the new regulation has a statistically significant impact on the number of connections, which shrinks by around 40%. Furthermore, we analyze the right to data portability by evaluating the subject access right process of popular companies in this ecosystem and observe differences between the processes implemented by the companies and how they interpret the new legislation. We exercised our right of access under GDPR with 36 companies that had tracked us online. Although 32 companies (89%) we inquired replied within the period defined by law, only 21 (58%) finished the process by the deadline set in the GDPR. Our work has implications regarding the implementation of privacy law as well as what online tracking companies should do to be more compliant with the new regulation.

Cryptography and Security

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

T. Tony Ke,K. Sudhir

DOI: https://doi.org/10.1287/mnsc.2022.4614

IF: 5.4

2022-12-04

Management Science

Abstract:General Data Protection Regulation (GDPR)—the European Union’s data protection regulation—has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, namely, the rights to (i) explicit consent (data opt-in), (ii) to be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR’s equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure, and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt in separates goods exchange from the provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers’ hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourages opt-in. Overall, privacy rights always benefit consumers in competitive markets, but they can surprisingly hurt consumers under monopoly, as monopolists have less incentives to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability. This paper was accepted by Dmitri Kuksov, marketing. Funding: T. T. Ke acknowledges financial support from the General Research Fund of the Hong Kong Research Grants Council [Grant 14500421]. Supplemental Material: The e-companion is available at https://doi.org/10.1287/mnsc.2022.4614 .

management,operations research & management science

Brooke Willis,Tunmin Jai,Mitzi Lauderdale,Tunmin (Catherine) Jai

DOI: https://doi.org/10.1002/cb.1968

IF: 3.199

2021-10-16

Journal of Consumer Behaviour

Abstract:Abstract Applying the Commitment‐Trust Theory, this study investigates how a U.S.‐based online retailer&#x27;s choice to apply (or not to apply) General Data Protection Regulation (GDPR) data subject rights to consumers in the United States affect the retailer‐customer relationship. This study conducted an online survey through Amazon Mechanical Turk (MTurk) with a total of 659 respondents. The findings provide empirical evidence that consumers perceived higher trust and lower privacy concerns toward online retailers when a retailer voluntarily applied the GDPR consumer data rights to U.S. consumers, thereby increasing brand commitment. The post hoc analyzes also revealed that when a global retailer chose to apply the GDPR consumer data rights to U.S. customers, the respondents&#x27; comments exhibited positive emotions and indicated they would be more willing to give the retailer their future business. These results are particularly relevant to international marketers and brands that serve both European and U.S. consumers.

business

Andreas Kotsios,Matteo Magnani,Luca Rossi,Irina Shklovski,Davide Vega

DOI: https://doi.org/10.48550/arXiv.1903.03196

2019-10-06

Abstract:This article examines the principles outlined in the General Data Protection Regulation (GDPR) in the context of social network data. We provide both a practical guide to GDPR-compliant social network data processing, covering aspects such as data collection, consent, anonymization and data analysis, and a broader discussion of the problems emerging when the general principles on which the regulation is based are instantiated to this research area.

Social and Information Networks

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen&#x27;s data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the &#x27;processing of data should be designed to serve mankind&#x27; (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation&#x27;s application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Xuehui Hu,Nishanth Sastry

DOI: https://doi.org/10.1145/3292522.3326039

2019-05-04

Abstract:The recently introduced General Data Protection Regulation (GDPR) requires that when obtaining information online that could be used to identify individuals, their consents must be obtained. Among other things, this affects many common forms of cookies, and users in the EU have been presented with notices asking their approvals for data collection. This paper examines the prevalence of third party cookies before and after GDPR by using two datasets: accesses to top 500 websites according to <a class="link-external link-http" href="http://Alexa.com" rel="external noopener nofollow">this http URL</a>, and weekly data of cookies placed in users' browsers by websites accessed by 16 UK and China users across one year. We find that on average the number of third parties dropped by more than 10% after GDPR, but when we examine real users' browsing histories over a year, we find that there is no material reduction in long-term numbers of third party cookies, suggesting that users are not making use of the choices offered by GDPR for increased privacy. Also, among websites which offer users a choice in whether and how they are tracked, accepting the default choices typically ends up storing more cookies on average than on websites which provide a notice of cookies stored but without giving users a choice of which cookies, or those that do not provide a cookie notice at all. We also find that top non-EU websites have fewer cookie notices, suggesting higher levels of tracking when visiting international sites. Our findings have deep implications both for understanding compliance with GDPR as well as understanding the evolution of tracking on the web.

Cryptography and Security,Information Retrieval

Christian Peukert,Stefan Bechtold,Michail Batikas,Tobias Kretschmer

DOI: https://doi.org/10.1287/mksc.2021.1339

2022-02-15

Marketing Science

Abstract:Privacy regulation by the European Union has had effects for websites beyond the European Union and lead to an increase in market concentration of web technology vendors

business

Gerard Buckley,Tristan Caulfield,Ingolf Becker

DOI: https://doi.org/10.48550/arXiv.2110.11905

2021-10-22

Computers and Society

Abstract:The General Data Protection Regulation (GDPR) came into effect in May 2018 and is designed to safeguard EU citizens' data privacy. The benefits of the regulation to consumers' rights and to regulators' powers are well known. The benefits to regulated businesses are less obvious and under-researched. The aim of this study is to investigate if GDPR is all pain and no gain for business. Using semi-structured interviews, we survey 14 C-level executives responsible for business, finance, marketing, legal and technology drawn from six small, medium and large companies in the UK and Ireland. We find the threat of fines has focused the corporate mind and made business more privacy aware. Organisationally, it has created new power bases within companies to advocate GDPR. It has forced companies, in varying degrees, to modernise their platforms and indirectly benefited them with better risk management processes, information security infrastructure and up to date customer databases. Compliance, for some, is used as a reputational signal of trustworthiness. We find many implementation challenges remain. New business development and intra-company communication is more constrained. Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and ex-employees weaponise Subject Access Requests (SAR) as a tool of retaliation. Small businesses see GDPR as overkill and overwhelming. We conclude GDPR may be regarded as a pain by business but it has made it more careful with data. We recommend the EU consider tailoring a version of the regulation that is better suited to SMEs and modifying the messaging to be more positive whilst still exploiting news of fines to reinforce corporate data discipline.

Fadye Saud Al-Fayad

DOI: https://doi.org/10.5539/ijms.v12n1p39

2020-02-24

International Journal of Marketing Studies

Abstract:This research paper analyzes the developing effect that the European Union&rsquo;s (EU) recently developed General Data Protection Regulation (GDPR) will have on the marketing strategies of firms that rely on big data. Big data is identified as consisting of data and data analytics involving a huge volume of data, a diverse variety of data, and a high velocity of data capture and collection. This analysis begins with some discussion of the concept of big data and follows this up with overviews of both the GDPR and big data use in the marketplace. The EU replaced its older Data Protection Directive or DPD with the GDPR. The GDPR consists of a series of chapters and articles that require, among other things, consent to collect and store data, the anonymization of data, announcement in 72 hours of a data breach, provision of encryption and the identification of a Data Protection Officer. Marketing and the marketing function can implement emergent technologies that augment big data and its analysis while simultaneously achieving compliance with regulatory frameworks like the GDPR. These marketing related solutions are those such as blockchain marketing applications like Brave Browser and Blockstack among others. The report also examines the way in which enterprises use big data in their marketing strategies and how they are affected by it now that it has come into effect. Some of the more marketing-oriented uses and applications of big data are found in sophisticated loyalty programs, demand forecasting and customization either of experience or product/service. This study also offers some final recommendations related to GDPR compliant marketing strategies. These include the development of a comprehensive program to purchase consumer data directly from consumers and the introduction of blockchain as a means to facilitate a smoother transition to GDPR compliance.

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals&#x27; privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

Gerard Buckley,Tristan Caulfield,Ingolf Becker

2024-05-17

Abstract:The General Data Protection Regulation (GDPR) remains the gold standard in privacy and security regulation. We investigate how the cost and effort required to implement GDPR is viewed by workers who have also experienced the regulations' benefits as citizens: is it worth it? In a multi-stage study, we survey N = 273 & 102 individuals who remained working in the same companies before, during, and after the implementation of GDPR. The survey finds that participants recognise their rights when prompted but know little about their regulator. They have observed concrete changes to data practices in their workplaces and appreciate the trade-offs. They take comfort that their personal data is handled as carefully as their employers' client data. The very people who comply with and execute the GDPR consider it to be positive for their company, positive for privacy and not a pointless, bureaucratic regulation. This is rare as it contradicts the conventional negative narrative about regulation. Policymakers may wish to build upon this public support while it lasts and consider early feedback from a similar dual professional-consumer group as the GDPR evolves.

Computers and Society