This is the first of a two part series on the impact of GDPR.
In this post I will discuss the working paper by Garett Johnson and Scott Shriver titled "Privacy & Market Concentration: Intended & Unintended consequences of the GDPR".
General Data Protection Regulation (GDPR) is a set of data protection rules that was passed by the European Union (EU) on April 2016 and came into force on May 25, 2018. GDPR is heralded as a progressive approach to handling of personal data and privacy issues surrounding data and is the precursor to similar laws like the California Consumer Privacy Act in the U.S and the National Data Protection Act in India. The act contains a lot of regulations but at the crux of it lies personal data and a framework for firms and regulators to deal with issues surrounding it. There are three things that I believe are important here (here is a nice article on wired.uk about GDPR). First, it provides a taxonomy to classify data as personal and other categories. According to GDPR, any information that can be used to identify individuals is considered personal. Besides obvious identifying information like name, address, location, etc., non-obvious information like cookies, ip address are now considered personal (it is less clear if pseudo-anonymized data can also be considered personal). Second, the law confers ownership rights to individuals. Importantly, individuals have the right to know what is collected, what it is used for and the right to provide consent. Third, it shifts accountability from individuals to data collectors and processors. Firms who collect or process personal data are now liable for any loss or misuse of personal data collected from individuals. There are a lots of interesting things that the law sets out to do but I will not get into them here in the interest of time (refer the article mentioned earlier) but needless to say it has important consequences to market structure, consumer welfare and firm profits.
Now to the paper. In this paper, the authors look at the impact of GDPR on concentration of web-technology vendors. When any customer visits a website, the browser interacts with web-technology vendors like facebook, google analytics, comscore etc. (there are a lot of them doing different roles - use disconnect.me if you want to see how many of these vendors are on the sites you visit) and often shares personal identifiers in addition to other details. GDPR designates some of this information as personal information. Therefore, with the enforcement of GDPR, it is clear that this relationship has to undergo a change. This paper essentially evaluates how concentration (the market share of web-vendors) changes with the introduction of GDPR.
To answer this question, the authors collect panel data on more than 27,000 websites and corresponding web-technology vendors. The data starts a couple of days before enforcement of GDPR (May 25, 2018) and continues till the end of 2018. Data is collected weekly for the first six weeks, every other week for the next six weeks and monthly thereafter. To understand market concentration, one must first define a market. This is often a difficult question as markets and firms often overlap in functions and offering. It is no less difficult in this context as website vendors may appear in multiple categories (e.g., google is everywhere, do you treat google as one firm or multiple vendors?). The paper uses a classification system suggested by Libert (2015) for this context to define the market. Website vendors which offer multiple services are coded as appearing in both categories. Now that markets have been defined, concentration metrics are of order. The paper looks at 3 measures of relative concentration HHI, concentration ratios and head-to-head win rate. The first concentration measure is pretty standard in any economic policy analysis. Concentration ratio and head-to-head win rate helps us understand the distribution of market shares across the top or bottom set of firms. The analysis is pretty straightforward. Given these measures, the paper then tracks the evolution of concentration and average web technology vendors from a week before GDPR was enforced till the end of 2018.
GDPR's impact on concentration. The paper finds that in the short-run (1 week later), average web-technology vendor use drops (14.9%) but starts increasing therein. One of the interesting patterns in the results is that the effect on web-technology vendors dissipates by the end of 2018. In other words, the average number of web-technology vendors returns to pre-GDPR numbers by end of 2018.
So what is the true impact of GDPR type laws on relative market concentration? Would you conclude based on the results from a week after GDPR was implemented, till the end of 2018 or any other time period in between? This question is important and something academics ponder over a lot especially in interventions without controls. In the current context, the results go from a sharp drop to no impact, clearly a huge difference in conclusion. A key logic that I use to make an assessment of the right time frame is to think about other factors over time (these are also called confounding factors) that would affect the relationship between GDPR and web-technology vendor concentration. For instance, web sites could learn about the enforcement policies of regulators and may react accordingly over time, technology vendors could also be dynamic in their response over time and react to situations accordingly. All these factors would clearly affect the concentration of web-technology vendors over time but are not related to the short-term impact of the law. In other words, if there was complete enforcement of the law and vendors didn't have ways of adapting, what would the impact of privacy laws be? The paper argues that the best time frame to capture these effects would be the first week and not anything after. There is merit to that argument. However, this is a subjective call and depends on how much you are willing to agree that the other confounding factors will kick in after a week. Another point to note here is that websites and technology vendors had about 2 years to adjust to the law. So, the effects witnessed in the first week could be more conservative than the actual intervention results reported.
The rest of the paper discusses the results from the short term impact and there are interesting insights. Data minimization efforts lead to increased concentration among vendors, i.e., you decrease the number of vendors you work with. Consent requirements which put an onus on personal data that can be captured and shared don't really affect concentration. Finally, google and facebook see an increase in market share. Note that this is relative concentration which means that while overall market went down, google and facebook were able to capture a bigger share of this smaller market.
What are the implications of this paper for policy makers and business. First, it suggests that larger firms will see an increase in market share. So while individual rights or privacy concerns are alleviated, competition concerns are heightened. Current COVID crisis has put the spotlight on the market power of these big players and the paper seems to suggest that these regulations also aid the large players. Second, data minimization laws also lead to higher concentration. It is presumably harder to coordinate and control the actions of multiple vendors when you are now accountable for data security. Finally, the consent requirements appear to have no bite. This effect could be similar to getting people to sign EULA agreements which most people didn't read. Expect proactive policy makers or governments to act on this.
Overall, a nice paper that shows the impact of privacy regulations on relative market concentration. What you win on privacy, you may end up losing on market concentration. Note that these are short term effects. How they pan out in the long-term is tough to predict but interesting to observe. In hindsight, we are all geniuses..:)