Economic Research on Privacy Regulation: Lessons from the GDPR and Beyond
This paper reviews the economic literature on the European Union's General Data Protection Regulation (GDPR). I highlight key challenges for studying the regulation including the difficulty of finding a suitable control group, variable firm compliance and regulatory enforcement, as well as the regulation's impact on data observability. The economic literature on the GDPR to date has largely—though not universally—documented harms to firms. These harms include firm performance, innovation, competition, the web, and marketing. On the elusive consumer welfare side, the literature documents some objective privacy improvements as well as helpful survey evidence. The literature also examines the consequences of the GDPR's design decisions and illuminates how the GDPR works in practice. Finally, I suggest opportunities for future research on the GDPR as well as privacy regulation and privacy-related innovation more broadly.
I thank Samuel Goldberg and Scott Shriver as well as participants at both the NBER's 2022 Privacy Tutorial and the European Commission's Joint Research Centre (Digital Economy Unit) for providing helpful comments. I thank the NBER for providing funding for this work. I dedicate this work to Luke. The views expressed herein are those of the author and do not necessarily reflect the views of the National Bureau of Economic Research.
Forthcoming: Economic Research on Privacy Regulation: Lessons from the GDPR and Beyond, Garrett A. Johnson. in The Economics of Privacy, Goldfarb and Tucker. 2023