The Economics of Regulating Privacy on the Internet
By Declan McCullagh
“If consumers do care about privacy, websites will have an incentive to offer options that consumers prefer.”
For more information on many original documents on privacy and the Internet, see the U.N.’s Universal Declaration of Human Rights and the Electronic Privacy Information Center.
It’s also, some groups inform us, under attack. In a letter sent to Congress in April, the Electronic Privacy Information Center (EPIC) complained that “Internet users today still have no legal protection against the surreptitious collection of personal information and tracking of their activities online.”
That dark warning neatly summarizes the current thinking in Washington, where detailed discussions of the best way to regulate how corporations compile and use personal information occupy countless lobbyist-hours and encourage regulatory enthusiasts to constantly up their demands. Currently there are few regulations that govern how U.S. web sites collect, store, and use information. This could change soon: The U.S. Congress has convened dozens of hearings on the topic, and most observers expect some kind of legislation to be enacted this year.
As proof of a problem, politicians cite polls saying that Americans are worried about privacy. One survey found that 81 percent of Net users are concerned about threats to privacy online. In another, 72.2 percent of Americans polled said there should be new “Internet privacy laws.”
One problem with such polls, though, is that talking abstractly about privacy is a pointless exercise. If you ask would-be car buyers if they value low prices, you’ll likely get general agreement. But if you broaden your query to include safety, fuel efficiency, performance and reliability, you’ll likely hear that those options easily justify a higher sticker price.
So it is with privacy. The polls do not explain the downside of regulations. Imposing Draconian new rules on marketing and information sharing would raise costs to consumers, particularly the less affluent who rely more on free or low-cost services supported by advertising. By hurting startups that would otherwise rent physical or electronic mailing lists, regulation hands established firms an unfair advantage.
Another problem is that the polls seem internally inconsistent. One Business Week survey says that 57 percent of Americans hope the federal government will pass federal privacy laws for the Internet. But a Jupiter Consumer survey reports that only 14 percent of consumers say that new laws will make them more likely to trust web sites.
Don’t get me wrong. It’s natural to be a little nervous about privacy. But nobody—except the government—can force you against your will to hand over your personal information online. If you don’t feel comfortable giving information to a Web site, you have plenty of other options: Don’t type it in. Don’t go there anymore. Sign up with a service like anonymizer.com. Or lie.
Much of the current debate revolves around what should be the default standard for online data collection: Opt-in or opt-out? Should businesses be able to collect and use information by default unless users object by clicking a box on a web site? Under an opt-out standard, the data you provide to a company is theirs to use unless you say otherwise. Under opt-in, the data is to be kept completely private unless you give your permission. Defaults are important, after all: Some research suggests that when it comes to privacy, only 10 percent of users will alter their privacy profile when given a chance.
For another explanation of the Coase Theorem, see Mark Witte’s summary at Northwestern University. For an interesting classroom exercise, see the Coase Theorem Torts Handout, a syllabus addition to William A. Edmundson’s Georgia State University syllabus.
Economist Ronald Coase won a Nobel prize for an insight that’s relevant here. Simply put, if transaction costs are zero, then any initial definition of rights leads to an efficient outcome. But if transaction costs are not zero, then the initial allocation of rights under the law—in this case, opt-in vs. opt-out—can make a big difference.
If an opt-out standard gives companies rights by default to information they collect, then businesses likely will crop up to educate consumers, rate dot.com firms, or allow privacy-cautious Internet users to shield their identities. But if an opt-in standard is the default, then it’s more likely that firms will err on the side of caution and retard innovation. It might seem that if Internet privacy remains unregulated then consumers will suffer. But if consumers do care about privacy, websites will have an incentive to offer options that consumers prefer. And there will be an incentive for third-parties to provide information about privacy policies.
With the exception of sites targeted at young children, which are regulated, the current market resembles the market for traditional publications: Consumers are able to rely on non-governmental rating and reputation systems to steer them toward desirable destinations. Just as the Michelin Guide reviews restaurants and kosher seals certify foodstuffs, so do these systems rate privacy. TRUSTe, BBBonline, and WebTrust offer “privacy seals” to websites so consumers can take their business to only companies they trust. TRUSTe claims it has 2000 member companies, including many high-profile sites, and BBBonline has awarded its Privacy Seal to over 500 websites.
To earn a TRUSTe seal, for instance, firms sign a contract that requires the site to prominently disclose how it collects, uses, and distributes personally identifiable information about its users. The cost ranges between $300 and $7,000 a year, depending on the company’s size, and participating companies can display a bright green TRUSTe logo.
The Consumers International report can be found at Press Release—25 January 2001.
Add to that an overwhelming number of sites that are now taking a kind of full-disclosure approach to privacy by saying exactly what they’ll do with personal data they collect. Even though Europe has strict regulations in the area, the free-market approach of the U.S.—which requires firms to respond to market demand—seems more effective. A January report from Consumers International, a global association of over 260 pro-regulation groups, concludes that “despite tight EU regulation, sites within the EU are no better at telling users how they use their data than sites based in the U.S. Indeed, some of the best privacy policies were found on U.S. sites.”
But pro-regulation groups rarely take into account how much it will cost firms to comply with privacy laws, and how those costs will affect Internet users and a technology sector already stumbling from a market downturn. “Nobody has a vested emotional interest in debunking these arguments,” says Eugene Volokh, a UCLA law professor. Volokh says that businesses care more “about the bottom line,” and not political or constitutional principles.
For the summary of the study, and a link to the original in full .pdf format, see An Assessment of the Costs of Proposed Online Privacy Legislation by Robert Hahn of the American Enterprise Institute.
A recent study by Robert Hahn of the American Enterprise Institute tries to shine some light into the darkness. Hahn estimated how many companies would be regulated by draft legislation, then surveyed consulting companies to learn how much it would cost for an average web site to comply with the rules. Depending on the assumptions used in the estimates, Hahn concluded the total cost ranges between $9 billion and $36 billion. If Hahn’s estimates are anywhere near correct, that means marginal tech companies will be required to lay off workers, or in some cases, be driven to bankruptcy.
That’s one more reason why, in a free society, government regulation should be a last resort. Economists generally agree that the government should step in only when the free market has a glaringly obvious problem. They even have a term for this: market failure.
But when it comes to privacy, so-called market failures are typically federal bureaucrats or privacy advocates disagreeing with choices consumers have made. By and large, the bulk of consumers do not care as much about online privacy as they claim in polls. Web sites without privacy policies have received thousands of e-mail addresses typed in by people hoping to get daily or weekly updates on topics they care about.
Most large companies, however, do tell you what they will do with information you provide. It should be obvious that the goals of Internet entrepreneurs are pretty simple: To become profitable, to burnish their firm’s reputation, to boost its market valuation. Measures that that helps them lure consumers to Web sites and keep them there will help during the current downturn—and entrepreneurs are smart enough to puzzle out if privacy policies and limits on reselling personal information will be attractive or not. In the Internet economy, stock prices are valued with an eye to future visits and future traffic—and there is no single better way to prevent that from happening than losing your customers’ confidence by misusing their personal data.
In other words, more than most businesses, Web sites are unusually subject to the supremacy of consumers. Every day, companies are forced to adjust their content and business model so visitors will find their Web site alluring. As Austrian economist Ludwig von Mises wrote: “If they fail in these endeavors, they suffer losses and must, if they do not succeed in amending their methods, go out of business.” Or at least watch their stock price plummet as a flood of e-mail and lawsuits from angry investors begins.
European-style regulations of information collection would have a tremendous negative economic impact. It is no accident that the Internet has flourished the most in the U.S., a country with limited regulation compared to European states, and certainly nothing as invasive as the European Data Directive. Adopted in 1995, the directive requires European member states to enact laws regulating businesses that collect, hold, or transmit personally identifiable data.
Jacob Palme, Stockholm University, has documented various implementations gone awry, and maintains information on the laws and its consequences at Internet Law in Sweden. For the text of the original directive, see the European Data Directive, July 25, 1995, available in a choice of languages.
This well-intentioned rule has led to some unexpected side effects that have hurt activists, consumers, and the less-powerful. Jacob Palme, a full professor at Stockholm University, has documented how Sweden’s implementation of the directive has imperiled free speech. Swedish regulators have prevented American Airlines from transferring customer information from Europe to its SABRE reservation system in the U.S. They also prosecuted an activist who set up a web page critical of a large bank and named bank directors, and an animal-rights activist who published a list of fur producers. Concludes Palme: “Looking at the way the law is used, one can see that unpopular or controversial opinions are suppressed.”
Arguments for intervention aren’t supported by either theory or experience. Much-reviled “privacy intrusions” by corporations generally are far from the enemy of the consumer. In many cases, they are essential to providing the zero-cost content Internet users have come to expect. Compiling personal information lets businesses become more efficient and produce only products that people want. It reduces waste—who really wants to get tons of glossy catalogs about topics they care nothing about? It also helps in customization, as anyone who uses my.yahoo.com knows.
Don Boudreaux, president of the Foundation for Economic Education, likens customization to a good tailor. “Wealthy people get custom shirts, custom made shoes, and a lot of custom-made items. They take your measurements and keep your name on file,” he says. “What this new technology is doing is making it easier for merchants to give the same benefits of customization that were only available to the wealthy before.”
Government collection of information is a different matter. When the Feds step in, consumers don’t have a choice—they get a one-size-fits-all rule. Government plans like the creation of an air traveler profiling system, the FBI’s Carnivore surveillance system, and the trend toward larger and more intrusive government databases should give any thoughtful person cause for concern. But entirely-appropriate worries about government data collection should not be used as an excuse to rush to regulate the private sector.
For more articles by Declan McCullagh, see the Archive.