From compliance costs to consumer trust, the economics of data privacy unveil an intricate interplay between safeguarding sensitive data and sustaining a thriving digital economy. As Europe enters its fifth year with a data privacy law, policymakers should note the negative economic impacts the law has had.

The European Union’s General Data Protection Regulation (GDPR) law is a complex system requiring that websites obtain consent for data tracking, offer users a series of “rights” about how their data is used, and mandating particular storage and security requirements. Though intended to increase user privacy, the law has generated a series of new problems, yet may not have achieved its goal.

GDPR’s frequent cookie consent requirements overwhelm web users and create fatigue, adversely affecting the user experience. The ”right” to opt out of targeted advertising, a crucial industry driver, poses challenges for businesses reliant on personalized marketing strategies. It also hurts small businesses’ ability to find new customers using those effective advertising services. The heavy compliance costs, even for non-sensitive data like names and email addresses, disproportionately burden small- and medium-sized enterprises (SMEs), potentially deterring their participation in the digital market and consolidating larger firms’ share in the market.

More than 10 US states have already passed data privacy laws modeled after GDPR with some small differences. For example, Utah’s age verification law claims to target only minors, but in practice it requires a negative proof from all users to show they are not minors, effectively matching the GDPR requirement of universal age verification. Some states like Colorado have removed private rights of action, where users can individually sue firms for violations, but maintain many of the problematic opt-out, compliance, and cookie policies. California’s law is similar to GDPR in many ways. Compliance with these complex data handling, storage, and consent management requirements can divert resources from a firm’s core operations, hinder innovation, and reduce new entries to the market.

This is evidenced by economic data from the EU region. Immediately after the passage of GDPR, 30 percent of US news websites blocked EU access, most of whom were smaller operators unable to comply. A study published in 2021 showed a 36 percent reduction in startup investment and a 20 percent reduction in the number of deals done. Another study estimated a 33 percent reduction in apps available on the Google Play store, roughly 1.33 million out of 4.1 million apps. But this was not the only “Generation of Lost Apps,” as the study notes an ongoing 50 percent reduction in new app entries to the store.

Some studies suggest that larger firms are figuring out how to comply with GDPR, further consolidating the market and weakening SMEs’ ability to compete. However, even as some sites figure out how to navigate GDPR, the series of consent requirements has measurably worsened the consumer experience. A report of 5,000 websites in the EU documented an overall traffic reduction of 15 percent. Clicks on emails and advertising banners also reduced by 29 percent and 28 percent respectively. Overall, GDPR has significantly weakened the ability of SMEs to operate in the content provider space and has consolidated traffic to less enjoyable web experiences where consumers are consistently less likely to interact. It has also reduced the effectiveness of advertising, resulting in less user interaction.

And has GDPR made any data safer? Probably not. Some data suggests that there are fewer cookies overall on the web, but notes that firms have found other ways to identify users which may not be as secure. The Annual Data Breach report shows that there was a 68 percent increase in data breaches in 2021 in the EU. While GDPR may have slightly reduced the practice of cookie usage, it is not clear that GDPR has even achieved its main objective of increasing user privacy.

Advancements in technology offer promising solutions for age verification and enhanced data privacy without unduly burdening businesses. Technologies like blockchain, biometric information, artificial intelligence, and secure identification systems may represent more economically efficient and technologically effective solutions to the problem of internet privacy than rigid mandates like the GDPR.

Restrictive data privacy regulations can impede innovation by limiting access to data and hindering its seamless flow across organizations and sectors. Startups and emerging businesses heavily rely on data access to develop new products and services. Overly burdensome privacy regulations may disproportionately affect their ability to compete with established market players. For those websites that did survive, the user experience has measurably worsened and traffic is down overall.

Striking a balance that protects individuals’ privacy while fostering an environment conducive to innovation is crucial for nurturing a vibrant, competitive marketplace. US policymakers implementing data privacy laws should consider the negative economic impact that overly burdensome frameworks like GDPR could induce. Allowing the market and technology to create a more efficient solution may avoid these consequences. Other policy options like increasing user education and transparency about how data is used may increase privacy in the short run more than a usage law.