The Effect of Privacy Regulation on the Data Industry: Empirical Evidence from GDPR

This paper studies the effects of the EU's General Data Protection Regulation (GDPR) on the ability of firms to collect consumer data, identify consumers over time, accrue revenue via online advertising, and predict their behavior. We utilize a novel dataset that spans many different firms in the online travel industry that allows us to observe consumer visits, purchases, advertisements, and the output of a commercially used algorithm that predicts consumer behavior. We make use of a difference-in-differences analysis that exploits the geographic reach of GDPR. We find a 12.5% drop in observed consumers as a result of GDPR, but at the same time that remaining set of consumers is more persistently identifiable. We provide suggestive evidence that this is driven by a selected set of consumers who substitute from pre-existing privacy means towards those offered as part of GDPR. This substitution affects the ability to predict consumer behavior and preferences as well as improves the ability of advertisers to measure the effectiveness of advertising. In sum, this differential use of privacy tools leads to an increase in the average value of remaining consumers to advertisers, offsetting some of the losses from consumers that opt-out. Our results highlight the externalities that consumer privacy decisions have both on other consumers and for firms.