Impacts of the European Union’s Data Protection Regulations

The European Union enacted its General Data Protection Regulation (GDPR) to protect the personal data of citizens and harmonize privacy policies across member states. The regulation strengthened consumers’ privacy rights and required app developers to ask customers’ permission before they could use their data to, say, target online ads or conduct other revenue-producing activities. Developers also had to guarantee that customers could access, rectify, erase, and restrict the processing and portability of personal data. The law was enacted in 2016 and implemented two years later.

GDPR has made European apps less intrusive, but sharply reduced the introduction of new ones and led to many being withdrawn. In GDPR and the Lost Generation of Innovative Apps (NBER Working Paper 30028), Rebecca Janßen, Reinhold Kesler, Michael E. Kummer, and Joel Waldfogel detail the effects of the privacy improvements by studying the set of apps that were available on Google’s Play Store between July 2016 and October 2019.

New rules made European apps less intrusive, but entry of new apps fell 47 percent and the number of new entrants that became successful fell by more than 40 percent.

The new law made app development more time-consuming and costly, according to the researchers, who surveyed 650 German app developers for Google’s Android platform. Eighty-five percent of the developers said administrative burdens to comply with the law posed a challenge, 48 percent mentioned additional costs, and 36 percent indicated a lack of knowledge about the regulation’s details. One in seven reported they removed an app from the market because of the new requirements and costs, and one in 11 said they chose not to launch a developed app. These estimates may be conservative since the survey only contacted developers who were still operating in 2019; some pre-GDPR developers may have withdrawn from the market.

In mid-2016, 2.1 million apps were available on the Google Play Store platform. That rose to 2.8 million near the end of 2017, then dropped by nearly 1 million by the end of 2018 — six months after GDPR went into effect. In the year before GDPR took effect, exits or disappearances of apps averaged about 100,000 per quarter. In the immediate aftermath of GDPR taking effect, that number jumped to 600,000 exits per quarter. 

Apps that requested privacy-sensitive information were more likely to exit than other apps. A third of all such apps disappeared around the enactment of GDPR. The disappearances were concentrated among marginal apps: the combined market share of those that disappeared was only about 3.3 percent. The researchers find that apps that offered within-app purchases and relied less on intrusive data practices for revenue were less likely to disappear than those that relied on sensitive personal data.

More important than GDPR’s effect on exit is its effect on new entry. When it is difficult to predict which new products will succeed, then the volume of entry has an important effect on the benefit that consumers receive: larger cohorts of entering products include both more eventual winners (successful products) and more eventual losers. Entry of new apps fell 47 percent after GDPR took effect. Not only did entry fall overall, but the smaller post-GDPR entry cohorts included 40 percent fewer apps eventually reaching substantial success with consumers.

The law also appears to have accelerated a trend away from new intrusive apps. Weighted by usage, the share of new apps requesting one or more pieces of privacy-sensitive data fell from 57 percent before the law to 47 percent afterwards.

The researchers conclude that evaluating privacy regulations such as GDPR requires balancing their privacy benefits against the potential cost of forgone innovation.

— Laurent Belsie