Blake Hampton
Writ340EconSpring2024
Apr 28, 2024

Privacy and its Detrimental Economic Consequences

Executive Summary:

Consumer data collection enables firms to identify audiences for advertising, manage stock efficiently, and understand customers’ behaviors, but what rights do consumers have to restrict this mass personal-data collection? In the United States, the answer to this question is unclear. In the absence of federal data privacy laws, states have been left to create legislation themselves, leading to varying degrees of data regulation across the country. This inconsistency poses unnecessary and expensive complications for businesses, particularly those spanning multiple states, costing roughly $112 billion annually, yet the federal government has failed to conduct a full House vote on new provisions (Levine & Belton, 2023). Therefore, numerous states have looked towards existing legislation for quick implementation, with many sourcing their framework from the European Union’s General Data Protection Regulation (GDPR). Alarmingly, states are adopting GDPR regulations purely to have a law in place rather than a truly effective one. The GDPR, while being a benchmark for idealized consumer privacy, is too strict and has led to stifling economic effects that have reduced technological innovation and consumer surplus. In the case of privacy laws, the United States must proceed with moderation and craft a more comprehensive plan that is in line with consumer preferences. There is no reason to implement an imperfect tool rather than devising a federal law which keeps the interests of both consumers and businesses in mind. The United States should look to federally implement a policy closer to that of the already drafted American Data Privacy Protection Act (ADPPA), a far more moderate bill that is awaiting a House vote. Furthermore, a future privacy law should include provisions lessening restrictions on small businesses and adhere to the true wishes of consumers.
To navigate the unforgiving political landscape, passing such legislation may require denying consumers a private right of action, delegating legal responsibility to state and federal regulators.

State regulation is inefficient and costly.

The current landscape of data privacy in the United States consists of a confusing and costly patchwork of inconsistent state-level regulations. In the past six years, relevant privacy laws have been introduced in 34 states, encompassing 72 total bills (Castro, Dascoli, & Diebold 2022). The most notable of these bills include the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), both of which have parallels with the EU’s data privacy framework, the General Data Protection Regulation (GDPR). Such similarities include the private right to access and delete data, as well as various transparency provisions (Klosowski 2021). Despite their likeness, these bills have significant differences, such as contrasting definitions of “covered entities”, or those affected by privacy law. In 2022, the Information Technology & Innovation Foundation (ITIF) conducted a study on the effect of the diverging privacy laws across the United States by using econometric modeling and a composite index known as the privacy restrictiveness linkage (PRL). This index measures the ramifications that a given industry faces due to a state’s privacy laws. The overall model predicts the cost for each state and for the country, with a focus on the out-of-state costs, or the expenses resulting from duplicative and confounding rules applying to out-of-state business given that all states have unique privacy laws. It should be noted that not all states have concrete legislation; some states were instead assigned “privacy scores” via related policy analysis, on the belief that states that had not previously created privacy legislation are more likely to implement weaker restrictions, which makes the estimates conservative.
The study found that without a federal privacy law, unique state legislation could cause out-of-state costs of $98 billion to $112 billion annually, meaning that these costs could surpass $1 trillion over the next decade (Castro, Dascoli, & Diebold 2022). Furthermore, small businesses would bear a disproportionate amount of the burden due to their lack of infrastructure and capital and would lose between $20 billion and $23 billion annually, or around $200 billion within the next decade. The current privacy legislation landscape not only causes market inefficiencies but is also anti-competitive and inadvertently harms small businesses. Out-of-state costs, combined with the basic compliance costs incurred in aligning with data privacy acts, add up to an extremely significant negative economic impact from state privacy laws. The impact of privacy legislation is already harmful to an economy; however, having inconsistent national privacy laws further compounds such damage, showcasing the need for federal action.

The GDPR is far from a full success.

Many states adopting privacy laws are basing their policy around that of the GDPR despite the law’s dampening economic effects. The GDPR was implemented in May 2018 with the intention of setting a firm stance on data privacy across the European Union (EU). The legislation grants citizens numerous privacy rights, including the right of access and the right of erasure, along with making consent mandatory before processing an individual’s information. Data-collecting organizations are expected to be perfectly transparent and are accountable for the security and confidentiality of any data they collect. Therefore, consumers are granted total control of their information and data-collectors are mandated to keep any information safe from leaks and hackers. Data-collectors are held accountable through third-party Data Protection Authorities (DPAs) and discouraged by heavy fines (Uzialko 2024). Despite its success in protecting consumers’ data, the framework set forth by the GDPR has had significant adverse effects on the European economy, hampering technological innovation and development as well as increasing business expenses (Bae, Mayya, & Nian 2023). In a study done by the National Bureau of Economic Research (NBER), downloadable applications were used as a case study to demonstrate the effect of the GDPR on technological innovation. Researchers discovered that around one-third of applications on the Google Play Store exited the market following the creation of the GDPR. Furthermore, the entry of new applications decreased by 47.2% in the following periods. Researchers also state that there was not an excess supply of applications before the GDPR, but rather that the GDPR made app development more complicated and costly, raising barriers to entry (Janßen et al. 2022).
Additionally, by modeling consumer demand, researchers predicted that the GDPR would reduce the consumer surplus in the app market from $45 billion to $30.6 billion, or by 31.93% (Bae, Mayya, & Nian 2023). Therefore, the GDPR is restricting economic activity that would provide significant benefit to consumers. While consumers may see value in having greater protection for their privacy, it is unlikely that this value outweighs the overall loss in consumer surplus. If the consumer surplus forgone outweighs the value of privacy, then consumers are left worse off because of the GDPR despite the rights granted by the legislation.

Implementation of identical GDPR provisions in the United States would cost 95% more than specific “targeted” legislation.

A further study conducted by the ITIF dives deeper into these “hidden costs” of privacy legislation, or the costs associated with the economic impact of a new privacy law which would reduce productivity for both consumers and businesses as well as restrict innovation. By evaluating factors such as the number of privacy audits, required Data Protection Officers (DPOs), and infrastructure and technology costs, amongst others, researchers estimated that the cost of implementing GDPR provisions in the United States is roughly $12.2 billion annually between overt and hidden costs. The GDPR is too broad, leading to enormous hidden costs; the ITIF instead suggests implementing “targeted” or tailored legislation that minimizes the costs of data protection (Johnson & Castro 2022). A targeted law would cost around $650 million, with a more specific breakdown in the table below (McQuinn & Castro 2019).

Figure 1: Specific costs of implementing GDPR policies in the United States versus targeted legislation

The targeted law suggested by the ITIF follows a few key components that are deemed “necessary” for data protection, with the advised legislation being largely lenient. The first key provision is oversight, which would include compliance audits and complaint processing. The second crucial idea is non-overbearing oversight. The ITIF advocates against a private right of action, that is, against individuals suing businesses that they believe are not upholding their rights. Instead, researchers propose delegating this responsibility to federal and state regulators, reducing spending on enforcement actions. Lastly, this tailored legislation would allow consumers to control their data (access, delete, and rectify), but only when necessary. Therefore, lengthy or difficult consumer requests may only be permitted if such information is sensitive or pertains to certain industries, causing citizens to request such privileges only when it is important to do so, limiting duplicative or repetitive requests and reducing costs.

Key Provisions (ITIF)

1. Maintain essential oversight

2. Eliminate overbearing oversight

3. Minimize unnecessary consumer control

While the approach suggested by the ITIF is much cheaper, the slashed cost does come with decreased consumer protections. Even if current privacy standards are too tight, potential legislation such as this may not be enough to appease privacy rights advocates and garner popular appeal.

Consumer Preferences or Consumer Protection?

When devising a federal privacy law, the United States government should look to survey consumers and gain a better understanding of how people value their data privacy. The GDPR was drafted with ideals that reflect full consumer control, and while this may seem entirely beneficial, the resulting loss of consumer surplus, or difference between one’s willingness to pay and actual price of a good, could make consumers worse off depending on their preferences. For example, an individual could lose $1000 worth of consumer surplus over a 5-year period due to privacy legislation such as the GDPR. If this consumer was instead asked at the beginning of the period if they would rather have specific data kept private for 5 years, or have $1000, what would they choose? By conceptualizing this issue in terms of a price to be paid for privacy instead of a loss of unforeseen economic benefit, consumers may be less likely to be in favor of regulation. Through professional survey methods, the government could estimate a mean value of personal data privacy and utilize this information to determine the level of regulation required in data privacy legislation. Ideally, the government could aim to equalize consumer willingness to pay for data privacy and loss of consumer surplus, which would minimize market inefficiencies. Unfortunately, this perfect calculation is unrealistic as these statistics are extremely difficult to quantify.

A 2023 study conducted by UK Research and Innovation attempted to measure the valuation of personal data for citizens of the United Kingdom. Participants were surveyed on their monthly willingness to pay for the protection of specific data types. The most crucially private data was found to be banking transactions, with medical records close behind, and 96% of participants were willing to pay to protect at least one data type (Skatova et al., 2023). Data types were broken into three tiers based on how much and how frequently consumers were willing to pay to protect them.

Figure 2 — Consumer willingness to pay by data type (monthly)

For the first tier of data, the willingness to pay to protect bank transaction and medical record data was found to be £22.80 and £22.50 per month respectively. For the tier two data types, the willingness to pay to protect mobile phone GPS data was measured to be £11.80, browsing history data was £12.60, and social media data was £11.40. For tier three data types, willingness to pay to protect data was £7.27 for electricity use, £7.74 for loyalty cards, and £7.17 for physical activity data (Skatova et al., 2023). The findings of this study support the conclusion that consumers are willing to pay non-zero amounts to protect their data, and therefore some degree of privacy legislation is warranted. Crucially, separate types of data are valued far differently, meaning privacy legislation should ideally be written to reflect these discrepancies, with collectors of tier one data held to a much higher standard than collectors of tier three data. This is not the case under current data privacy laws such as the GDPR, where nearly all entities are treated equally, leading to dampening economic consequences. Federal data privacy legislation should be based more on consumer preferences than on idealized consumer empowerment as seen within the GDPR.

Current privacy provisions are anticompetitive and disproportionately harm small businesses.

As data privacy legislation often places a heavier burden on small businesses, a federal data privacy law should be drafted with small business concerns in mind to retain competitive practices. Under the GDPR, small businesses are required to handle data in the same manner as large businesses (Ahmed 2019). This requirement creates greater barriers to entry and discourages innovation. Small businesses and start-ups typically lack tremendous capital and resources, making large-scale data regulation much more difficult and costly. To address this, exemptions should be granted for small businesses, such as not being required to appoint a data security officer or to monitor and audit their data as strictly or frequently. Blindly neglecting the concerns of small businesses and start-ups is a primary cause of the negative economic effects of the GDPR, as technological developments are less likely to enter the market. Without loosening regulations on growing businesses, privacy regulation is naturally anticompetitive, and therefore small business protection should certainly be drafted into future United States privacy legislation.

The American Data Privacy Protection Act — The Solution?

A tamer view on data privacy has already been discussed by United States lawmakers, as seen in the bipartisan American Data Privacy Protection Act (ADPPA). This bill became the first American consumer privacy bill to pass committee markup with a near unanimous vote of 53–2 (Levine & Belton, 2023). The ADPPA focuses on data minimization and consumer control, but is notably less anti-competitive, particularly due to small business exemptions from select obligations. Some of these exemptions cover biennial privacy assessments, the designation of a privacy and data security officer, and the right of private action. Furthermore, the ADPPA defines and governs “covered data” as opposed to the GDPR’s “personal data”, which is crucial as covered data has a narrower scope, meaning that less data is subject to costly regulation. For example, de-identified data, or data which is separated from an individual, is not considered covered data and is unregulated by the ADPPA, but it is considered personal data under the GDPR (Sainty, 2022). Therefore, the ADPPA is a stronger option than the GDPR as it is less economically restrictive.

Despite the need for a comprehensive privacy law and the near-complete bipartisan approval of this bill, there is yet to be a full House vote on the ADPPA. This is almost entirely the fault of Maria Cantwell, who is the chair of the Senate committee responsible for data privacy, meaning Cantwell has the power to filter what bills eventually come to a House vote (McGill, 2022). Cantwell has reportedly been drafting her own privacy legislation and is strongly opposed to the right of private action, which is guaranteed under the ADPPA. Major firms such as IBM have argued and likely lobbied against details such as the right of private action, making this provision increasingly contested (McGill, 2022). Despite Cantwell’s concerns, legislation such as the ADPPA would be tremendously beneficial for consumers and the economy, and therefore changes and compromises should be made. Perhaps the ITIF ideology of not allowing a private right of action and instead deferring to state regulators is a better way forward, or perhaps Cantwell should back down from her staunch stance for the greater good.

State laws should not preempt federal law on data privacy.

The discussed adoption of the ADPPA highlighted the question of whether a federal data privacy law should supersede existing state laws (Catron & Kibel, 2022). A federal bill will reduce tremendous costs caused by inconsistent state-level regulations; however, this may not be true if states with stricter provisions are allowed to retain their policies above the “floor level” of federal legislation. Allowing more severe laws to remain ultimately defeats the purpose of creating federal legislation and establishing national consistency. Despite this, delegations such as California’s object to any bill that would preempt their own. Currently, the ADPPA preempts most laws, but not all. This is primarily due to definitional differences concerning the types of data covered by various acts. While it may be necessary to investigate these clashes on a case-by-case basis, federal law should generally supersede these pieces of legislation to reduce out-of-state costs resulting from inconsistent policies. The federal government must exercise its supreme power and stop states from protecting imperfect legislation to create a comprehensive landscape of data privacy policy.

What we’ve learned — Policy recommendations:

Going forward, the United States government should implement a federal, supplanting policy framework to prevent unnecessary deadweight loss due to varying regional regulation. At the same time, not all privacy regulation is positive. A drafted solution must not be as economically restrictive as the GDPR which has measurably slowed innovation and reduced consumer surplus. Furthermore, consumer preferences should be prioritized to avoid citizens losing more through forgone economic activity than what they gain through the value of the rights and privileges granted by privacy legislation. Lastly, reducing anticompetitive side effects of new legislation is crucial, particularly minimizing the disproportionate consequences on small businesses. Relevant and effective exemptions such as those granted in the ADPPA should be included in a final piece of legislation.

Passing the ADPPA into law and superseding existing legislation is the most efficient and straightforward solution. It is less economically restrictive when compared to the GDPR and has exemptions for small businesses that should help reduce the predatory burden of privacy legislation. While many policymakers and citizens believe the right of private action should be at the heart of any privacy legislation, the ADPPA may never be passed with it due to lobbying from big businesses. Congress should look to find a compromise regarding this right to pass a much-needed bill.

If it is not feasible to adopt the ADPPA, future legislation should be built around the principles of maintaining essential oversight, eliminating overbearing oversight, and granting consumer control only when required. A privacy law must protect consumers; however, existing acts are oppressive and accrue large unnecessary costs. Requirements of the GDPR and related privacy laws, such as DPOs and complete data accessibility, are responsible for significant cost while not being imperative. Ultimately, the best solution is to balance economic cost with consumer rights and data privacy, and policymakers should consider ideas ranging from the overbearing GDPR to the cost-minimizing ITIF suggestions if implementation of the ADPPA is not possible.

Works Cited

Ahmed, Raad. “Council Post: GDPR: What Small Businesses Need to Know.” Forbes, Forbes Magazine, 4 Mar. 2019, www.forbes.com/sites/theyec/2019/03/04/gdpr-what-small-businesses-need-to-know/?sh=15a1add73197.

Bae, Donghwa, et al. “Privacy Regulation and Its Unintended Consequence On …” Privacy Regulation and Its Unintended Consequence on Consumption Behaviors: Evidence From CCPA, 22 Apr. 2023, questromworld.bu.edu/platformstrategy/wp-content/uploads/sites/49/2023/06/PlatStrat2023_paper_108.pdf.

Catron, Emily, and Gary Kibel. “Federal data privacy legislation: differences with state laws raise preemption.” Reuters Legal, 10 Aug. 2022, https://www.reuters.com/legal/legalindustry/federal-data-privacy-legislation-differences-with-state-laws-raise-preemption-2022-08-10/.

Castro, Daniel, et al. “The Looming Cost of a Patchwork of State Privacy Laws.” Information Technology and Innovation Foundation — the Leading Think Tank for Science and Technology Policy., 24 Jan. 2022, itif.org/publications/2022/01/24/looming-cost-patchwork-state-privacy-laws/.

Janßen, Rebecca, et al. “GDPR and the Lost Generation of Innovative Apps.” NBER Working Papers, NBER, May 2022, www.nber.org/system/files/working_papers/w30028/w30028.pdf.

Johnson, Ashley, and Daniel Castro. “Maintaining a Light-Touch Approach to Data Protection in the United States.” RSS, Information Technology and Innovation Foundation | ITIF, 30 May 2023, itif.org/publications/2022/08/08/maintaining-a-light-touch-approach-to-data-protection-in-the-united-states/.

Klosowski, Thorin. “The State of Consumer Data Privacy Laws in the US (and Why It Matters).” The New York Times, The New York Times, 6 Sept. 2021, www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.

Levine, Joshua, and John Belton. “Assessing the State of U.S. Privacy Laws.” AAF, 30 Aug. 2023, www.americanactionforum.org/insight/assessing-the-state-of-u-s-privacy-laws/.

McGill, Margaret Harding. “Online Privacy Bill Faces Daunting Roadblocks.” AXIOS, 4 Aug. 2022, www.axios.com/2022/08/04/online-privacy-bill-roadblocks-congress.

McQuinn, Alan, and Daniel Castro. “The Costs of an Unnecessarily Stringent Federal Data Privacy Law.” RSS, Information Technology and Innovation Foundation | ITIF, 3 June 2022, itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law/#_edn110.

Sainty, Katherine. “International: Comparing the ADPPA and the GDPR from an Australian Legal Perspective.” DataGuidance, 19 Dec. 2022, www.dataguidance.com/opinion/international-comparing-adppa-and-gdpr-australian.

Skatova, Anya et al. “Unpacking privacy: Valuation of personal data protection.” PloS one vol. 18,5 e0284581. 3 May. 2023, doi:10.1371/journal.pone.0284581

Uzialko, Adam. “How Has the GDPR Affected Business?” Business News Daily, 30 Jan. 2024, www.businessnewsdaily.com/15510-gdpr-in-review-data-privacy.html.
