The Impact of Privacy Laws on Online User Behavior

TL;DR

This study empirically assesses how the GDPR privacy law impacts online user behavior and website performance, revealing overall decreases in visits and revenue, with effects varying across industries and website popularity.

Contribution

It provides the first empirical analysis of GDPR's effects on user behavior and website performance across multiple industries using a synthetic control approach.

Findings

Average visits decreased by 4.9% short-term and 10% long-term.

Estimated revenue losses of $7 million for e-commerce and $2.5 million for ad-based sites.

Market concentration increased as more popular websites were less affected.

Abstract

Policymakers worldwide draft privacy laws that require trading-off between safeguarding consumer privacy and preventing economic loss to companies that use consumer data. However, little empirical knowledge exists as to how privacy laws affect companies' performance. Accordingly, this paper empirically quantifies the effects of the enforcement of the EU's General Data Protection Regulation (GDPR) on online user behavior over time, analyzing data from 6,286 websites spanning 24 industries during the 10 months before and 18 months after the GDPR's enforcement in 2018. A panel differences estimator, with a synthetic control group approach, isolates the short- and long-term effects of the GDPR on user behavior. The results show that, on average, the GDPR's effects on user quantity and usage intensity are negative; e.g., the numbers of total visits to a website decrease by 4.9% and 10% due to GDPR in respectively the short- and long-term. These effects could translate into average revenue losses of $7 million for e-commerce websites and almost $2.5 million for ad-based websites 18 months after GDPR. The GDPR's effects vary across websites, with some industries even benefiting from it; moreover, more-popular websites suffer less, suggesting that the GDPR increased market concentration.