This is the second post on GDPR and is based on the paper by Goldberg, Johnson and Shriver titled "Regulating Privacy Online: The Early Impact of the GDPR on European Web Traffic & e-commerce Outcomes." Just to recall from the earlier post, GDPR is the landmark privacy law passed and enforced by the European Union on May 2018. This law in essence gave more rights to consumers on how their information is utilized and increased the liability and costs for firms on handling what is classified as "personal" information.
In this paper, the authors examine the impact of GDPR on web traffic and e-commerce outcomes.
Why should privacy laws affect web traffic and commerce? There are multiple ways this can happen.
First, if you are a marketer, you will undoubtedly believe that web traffic and conversions are driven to some extent by digital marketing and customer analytics. To a large extent, digital marketing prior to GDPR was driven by personal information collected by websites, vendors etc. Given that GDPR presumably lead to a decrease in digital marketing activity or made it less efficient, web traffic and e-commerce could also presumably reduce.
A minor segway here, the majority of people I poll during my interactions on digital marketing want better targeting and segmenting, not less. Better marketing can only occur if firms understand and know consumers better. While privacy is important, it will definitely get in the way of marketing more efficiently. It is important for everyone to recognize these tradeoffs. Now back to the paper..
Second, customers may now be more aware of all the personal information that is being collected and may decide to reduce their online presence. Thus, both of these reasons could lead to a decrease in outcomes. Another important thing to note here is that firms can only measure recorded outcomes, i.e., outcomes to which consumers gave consent for collection. Given that GDPR affects these requirements too, the recorded outcomes could be smaller than the total outcomes. That said, as I mentioned in the previous post, consent requirements don't have much bite. The paper cites a Quantcast report that shows average website consent exceeds 90%.
The paper has some really cool data from Adobe Analytics. For those of you who are not aware, Adobe Analytics is one of the largest onsite analytics vendors by market share according to a Forrester 2017 report. Adobe analytics implements multiple aspects of online management by recording and tracking users as well as aggregating, cleaning and analyzing the collected data ( a link to a technical document if you want to know more is here). The paper contains key information on 4 key outcomes - page views, visits, orders and revenue at the country week level for 1508 global firms. The dataset consists of two time periods - the first from week 2 to week 38 for 2017 and the second from week 2 to week 38 (same weeks as before) for 2018. Recall that GDPR was enforced in May, 2018. So, data from 2018 is the relevant (treatment) year, while data from 2017 can be used as a control.
The primary analysis used by the paper is a difference-in-difference estimation. This method, in essence, will look at the difference in outcomes before and after GDPR was enforced in 2018 (treatment) with the difference in outcomes before and after the same period in 2017(control). An important requirement to apply this technique is the "parallel-trends" assumption which requires that the difference in trends between the treatment (data from year 2018 prior to May 25) and the control (data from year 2017 prior to May 25) is constant. The paper has graphs which lend support to this assumption. It is useful to note here that it is also possible to do a similar analysis with a before-after design and controlling for previous year's trend. One will theoretically get the same results but interpretation of the coefficients will be different.
The paper finds that both page views (9%) and visits (9%) decreased after implementation of GDPR on the entire sample. Looking at e-commerce vendors, orders and revenue decreased by 5.6% and 8.3%. According to the paper, this translates to $8000 drop in weekly revenue. These drops are pretty large and it would be useful to know what drives these outcomes. To investigate that, the paper examines visit quality metrics (page views per visit and time per visit). The underlying assumption is that if consumers were opting out, then one would see an impact on these outcomes. For example, if a customer finds higher value (value defined the way you want to) from a site like adobe.com the customer is less likely to change her behavior on the site compared to someone else who finds lower value from the site. This implies that, if customers are affected by GDPR laws, then one would see the distribution shift towards higher quality consumers (i.e, more page views per visit and time per visit). The paper tests this and finds no evidence of a change in distribution. The paper then interprets this as saying that GDPR had negligible effect on consumer reactions. While this is plausible and I believe the story, I urge readers to decide on their own. This is a null result and the paper is ruling out an explanation based on the lack of evidence.
In addition to the above results, the paper does several robustness checks including placebo test (changing the event date), triple difference-in-difference by using North American data as an additional control, relaxing the timing of implementation and doing a synthetic control method based on Doudchenko and Imbens (2017). While I didn't necessarily see the need for the synthetic control method here, it is always useful to show convergence of results in multiple different ways.
The paper is very useful in understanding the economic outcomes of privacy regulation. The loss in revenue of 8% is pretty high and policy makers must realize these costs while creating such laws. Privacy regulations have an economic cost!
As far as mechanisms that explain this behavior, the paper shows that the impact of the law on consumer behavior is negligible, implying therefore, by elimination that the losses must be accruing because of changes in firm behavior. In other words, digital marketing is becoming less efficient. So for all those who complain of being targeted inefficiently, get used to it because it is going to get a lot worse..:).
On a more serious note, it is important to note three things. First, the economic loss is real. Second, the paper does not provide direct evidence for losses accruing due to firm behavior. Finally, these are short term effects and as industry, consumers and regulators evolve, the law can have potentially different consequences. Interesting times beckon ...