The conventional wisdom in policy circles is that the best way to grow the digital economy is by increasing consumer trust. Privacy regulations, we are told, will boost trust and more trust will lead to more technology adoption — more apps downloaded, more time spent online, more e-commerce. For regulation-inclined lawmakers, this scenario is a win-win: They can regulate online companies as they please and still claim credit for growing the digital economy. Unfortunately, they are wrong: Policies designed to increase trust would likely weaken the U.S. digital ecosystem and lower consumer welfare.
Many privacy advocacy organizations justify their calls for European-style privacy regulations by arguing that strong privacy regulations will boost consumers’ trust and therefore use of digital services. For example, Marc Rotenberg, president of the Electronic Privacy Information Center, writes, “Trust exists where data protection is established and enforced.” Similarly, advocates from the Center for Democracy and Technology have argued, in the context of health information technology, that “enhanced privacy and security built into health IT systems will bolster the public trust and confidence that are critical to the rapid adoption of health IT and realization of its benefits.”
But a new report from the Information Technology and Innovation Foundation shows otherwise. It analyzes survey data on the strength of data protection regulations in 21 countries and the levels of consumer trust. The report finds that, while a reasonable baseline of data protections can promote trust and spur adoption of digital services, there is no evidence that continuing to strengthen regulation beyond baseline levels will build additional trust or encourage further adoption.
In fact, Europeans (who often claim their data protection rules are superior to those in the U.S.) had a lower level of consumer trust than the U.S., perhaps signaling that people may interpret heavy regulations as signs that technology cannot be trusted. Past a baseline level of data protection, there is little to no evidence to suggest that increasing the strength of regulation always increases trust.
But even if stronger regulations do not increase trust or usage, some policymakers may not see any downsides to enacting them anyway. After all, many consumers say they are increasingly wary of sharing their personal data online. The reason to avoid these regulations is that the costs outweigh the benefits.
This is the same principle that applies to regulations in every industry. For example, take cycling: The current safety standard for bike helmets is that they withstand a two-meter fall onto an anvil. Increasing that standard to a three-meter fall would not increase trust in cycling because the higher standard would do nothing to protects cyclists’ heads, but it would make helmets more expensive. More expensive helmets would reduce consumer welfare by depriving them of money that could be spent elsewhere. Furthermore, the costlier helmets may even hurt safety, as some consumers would forgo the more-costly purchase and ride without a helmet.
Stringent data protection regulations are the digital equivalent of the three-meter helmet standard. More stringent standards raise compliance costs for companies that provide online services, which ultimately raises the costs of digital services for consumers, leaving them with less money to spend on other things. And for businesses that fund free digital services with online advertising, these regulations reduce their revenues. Higher costs and lower revenues mean less money for investments in new and better online services. This reduction in supply of innovative products and services will deprive consumers of the rapidly-developing services and technologies that characterize the Internet age.
The lesson for U.S. policymakers is clear: Do not get seduced by the idea that you can have the proverbial free lunch. Going down Europe’s path for strict data protections will come with costs that will hurt both the U.S. digital ecosystem and consumers. In short, it is time to end the spurious claims that stronger privacy regulation is pro-innovation and pro-consumer. It is not.
Alan McQuinn (@AlanMcQuinn) is a senior policy analyst at the Information Technology and Innovation Foundation. Daniel Castro (@castrotech) is vice president at ITIF and director of ITIF’s Center for Data Innovation.
