How privacy rights affect personal data markets and firm profit
Striking the right balance between data regulation and consumer benefits is crucial for trust and successful data sharing
Data protection is everything in a world that is run on and by the internet. The enactment of the EU’s General Data Protection Regulation (GDPR) in 2018 heralded a new era of personal data privacy. Its comprehensive framework for protecting individuals’ personal data and ensuring their privacy rights has inspired countries to adopt similar regulations in recent years.
There is a tightrope to walk when it comes to protecting consumers. Data can indicate many things about a person’s information, habits, and activities, which could be misused if they fall into the wrong hands, leading to identity theft, fraud, or other damaging consequences. On the other hand, consumers do enjoy the benefits of data sharing, such as better services and prices.
In the digital realm, where data is currency, the answer beckons. How does GDPR impact the personal data markets? Are there any situations where both companies and consumers can benefit? “GDPR consists of two key components, including endowing consumers with privacy rights – the rights to control their data – and imposing data security mandates on companies,” says Tony Ke, Associate Professor at the Department of Marketing at The Chinese University of Hong Kong (CUHK) Business School.
A new paper by Prof. Ke and Prof. K. Sudhir at Yale School of Management titled Privacy Rights and Data Security: GDPR and Personal Data Markets represents a fascinating dive into this subject of vital importance. The team employed a game theoretic analysis to examine the long-term impact of the GDPR on personal data markets, consumer well-being, and firm profitability.
“We found that the first component [privacy rights] mostly decreases data availability in the market because consumers now have the option of opting out of data collection and some of them will exercise this right,” says Prof. Ke. “On the other hand, the second component [data security mandates] increases data availability in the market because it enables trust between consumers and companies or data collectors.”
Conundrum of equilibrium
While GDPR is recognised as the gold standard on personal data protection, its long-term impact on personal data markets, consumer well-being, and firm profitability is unclear. The likes of British Airways, Google and Marriott have already been hit with massive fines for data breaches. Critics say innovation and consumer welfare are taking a huge hit, while smaller firms are unable to compete, and venture capital funding to tech firms may also be suffering.
Some observers believe that the GDPR hurts digital marketing, and reduces the ability of marketers to effectively work. Other studies show that this has not been the case, suggesting that the legislation and opt-in increased at a European telecommunications firm.
An argument could be made that consumers are being deprived as they are not being effectively targeted, and the personalisation of products and services is lessened. There is a fine balance at play: consumers want it all – personalisation can bring a world of advantages, but privacy lessens the ability by limiting access to purchase, data opt-in, erasure, and transfer decisions.
“Game theory is a useful tool to capture agents’ strategic incentives, be it a consumer or a firm, along with different agents’ interactions in the long run,” says Prof. Ke. “As privacy concerns become more prominent, consumers may be more careful and thoughtful in managing their privacy rights.”
“The firms’ reactions and changes in their decisions will further influence the consumers’ choices over privacy control. This feedback loop will eventually converge to an equilibrium, as predicted by the Nash equilibrium, a general concept in game theory.”
The team’s analysis implies that GDPR effectively reduces consumer opt-in and data availability, which in turn lessens the firm’s ability to personalise product recommendations or services to cater to consumers’ personal interests, and has the additional effect of raising prices for consumers due to higher security mandates.
In terms of the firm profit, the study found that privacy rights and data security mandates have differing effects. “Privacy rights will increase firm profitability when consumers face high data breach costs or have low trust in data collection. In this case, privacy rights help separate goods transactions with data transfer so it ensures trade and benefits the firm,” he adds.
However, when consumers face low data breach costs or have high trust in data collection, privacy rights will decrease firm profit. This is because in the case without privacy rights, the firm cannot help but offer a low-price basic product to those who haven’t bought anything yet as the firm can only easily identify and keep those who have already made a purchase. This makes people less likely to buy something in the beginning, which hurts the firm profits.
People often share data when the benefits outweigh the risks, and there is confidence in data security protection. When this trust is gone, consumers will quickly cancel their relationships with firms. The onus is thus on companies to create an environment where people do trust them, and hence privacy rights and data sharing can be increased in a win-win situation – consumers willingly share data to get benefits, and companies offer the highest standards of protection.
Overall, the research found that GDPR can reduce consumers’ privacy breach risk, benefiting consumers and giving a boost to firm profitability. When firms increase their security capabilities, the result can be an increase in both consumer and firm surplus. Additionally, consumer surplus is increased by data transparency and reduced price discrimination.
While GDPR has a complex impact on consumers, the study showed that it can be beneficial in the right circumstances, protecting consumers and offering the best services and prices. However, the impact on firms is dependent on market conditions and mitigation of breach costs.
“The GDPR works better in competitive markets because in competitive markets, consumers in general benefit from privacy regulations. By contrast, consumers could get hurt from privacy regulations in monopolistic markets,” says Prof Ke.
“This is because the society can benefit from the availability of consumer data,” he adds. “With the data, firms can provide better personalisation or product recommendation, which will better cater to consumers’ preferences. GDPR decreases data availability and thus could hurt both consumers and firms when consumers face relatively low data breach costs.”
Furthermore, Prof. Ke sees the need for more studies on similar regulations being implemented in different regions. For instance, Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), one of Asia’s longest-standing comprehensive data protection laws passed in 1995, share a number of common features with GDPR as it was drafted in reference to the Organisation for Economic Co-operation and Development’s Privacy Guidelines 1980 and the EU Directive.
“Given that the GDPR constitutes significant developments from EU directive, there are also important differences between PDPO and GDPR,” says Prof. Ke. “For example, GDPR is built on the ‘privacy by design’ principle that gives data subjects more specific control of their data, and also imposes wider responsibilities in data protection on data controllers [compared to PDPO].”