ITEM: A new research paper claims that the EU’s GDPR privacy law is resulting in lower revenue streams for European websites, possibly by as much as 10%. But the real question isn’t whether tough privacy laws like GDPR impact revenues, but whether they’re worth the cost.
Ever since GDPR went into force in May 2018, there has been speculation about the extent to which it would impact online businesses economically, either by directly restricting online advertising and changing user browsing preferences, or indirectly by reducing the amount of web analytics data that companies can collect to make various business decisions.
The working paper [PDF] – published earlier this month by the National Bureau of Economic Research – took web analytics data from Adobe Analytics representing 1,500 content, e-commerce, and corporate sites. That sample includes 128 of the top 1,000 global sites, and constitutes over 1 billion weekly visits by EU residents. Specifically, the researchers looked at analytics data in 2018 before and after GDPR went into effect, and compared that to corresponding data from 2017.
The results: page views, visits, orders, and revenue were down roughly 10% across the board:
Across all sites, we estimate that recorded page views fall 9.7% and recorded site visits fall 9.9% post-GDPR. Among e-commerce sites, we estimate that recorded site outcomes fall 5.6% and recorded revenue falls 8.3%. For the median site, this corresponds to a $8000 weekly reduction in revenue.
That might sound dire, especially considering that this doesn’t include the operational and infrastructure costs of GDPR compliance. A 2018 PwC report found that GDPR compliance has cost many firms millions of dollars, while another research study found that GDPR has also hurt venture capital investments.
On the other hand, according to MIT Technology Review, an important caveat is that the apparent drop in revenue could also be attributed – ironically – to Adobe Analytics having less data as a result of GDPR:
The Adobe Analytics data the researchers relied on is subject to GDPR too, meaning that just as fewer people are sharing data with other websites since May 2018, fewer are sharing data with Adobe Analytics. In other words, there might be a group of people who are browsing and buying just as much as before, but aren’t showing up in the Adobe data set. If so, they would offset some of that 10% revenue drop—probably not all of it, but the picture is incomplete.
As it happens, the NBER working paper does note that while the Adobe data shows reductions in page views and site visits post-GDPR, it also shows no change in common user-quality metrics such as average time-spent and page views per visit. This suggests that the revenue reductions aren’t necessarily due to users changing their browsing behavior or being more aware of privacy issues – in other words, the cause could be firm-driven rather than consumer-driven.
Understanding the tradeoffs
In any case, a more important point is buried in the paper’s conclusion:
More work needs to be done to quantify the benefit to users of these privacy laws in order to better understand the tradeoffs.
This is worth reiterating because the real issue with GDPR and similar data privacy laws isn’t so much the economic impact on businesses as whether or not the laws are helping to solve the problem they were created to solve.
At the risk of stating the obvious, data privacy isn’t a nice-to-have add-on to the digital economy – it’s mandatory. We know that because we’ve already seen what happens when online companies design their business models around harvesting consumer data unchecked and treating it as a product to be bought and sold to anyone who wants it, with next to no consequences when that data is leaked or stolen. The more our lives become dependent on digital services, the more crucial it is to protect consumer data.
Having said that, data privacy laws need to actually work to justify the cost of compliance. We know that because we’ve seen this before.
Here’s a Forbes article from ten years ago which reported that complying with privacy regulations in the US at the time was expensive, and that privacy protection wasn’t getting any better as a result. This was in part because the data privacy laws in question were state laws, which meant they varied greatly in effectiveness and enforcement, but for the most part they were bad by any measure.
It may be too early to say whether GDPR fits that description – for all the initial horror stories and humorous anecdotes about GDPR compliance, there are other indications that it’s a step in the right direction. The point is that any talk about the economic cost of GDPR is incomplete until we assess whether or not we’re getting our money’s worth.