Concerns Remain over the Potential to Harm Innovation through Overly-Prescriptive Legislation

As discussions around a new privacy law in the United States continue, policymakers will likely have to confront the fact that some privacy protections may limit or even prohibit the ability of companies to rely on the behavioral advertising business model. While there are preliminary reports that the General Data Protection Regulation (GDPR), the EU law on data protection and privacy implemented in May 2018, is benefiting EU-based companies—through shorter average delays in product sales to customers caused by privacy concerns,¹ for instance—policymakers should consider both the costs and benefits of legislation that may eliminate certain business models.

In particular, if a law is overly prescriptive, it may cause significant disruption online. Lamont specifically cautioned that

ill-drafted or ill-considered privacy law could negatively impact innovation. You can imagine a privacy law that is so prescriptive that small, innovative, disruptive players would have a more difficult time entering the market. You could imagine a privacy law where the standards are so ill-defined, or enforcement is so out of proportion to the risk of harm that it would chill businesses from pursuing new and innovative uses of data.²

Privacy legislation with laborious compliance requirements could hurt businesses that lack the required expertise and adequate resources. While large companies may be better positioned to accommodate these costs, small businesses are at a disadvantage and may find them particularly burdensome. Small businesses are also less likely than large companies to have legal departments or attorneys on-staff to help with compliance or navigating lawsuits.

Studies examining the impact of the GDPR on the European economy also claim that privacy legislation may negatively impact small businesses. A recent study suggested that the GDPR has had a negative effect on small and nascent technology ventures.³ By comparing the differences in technology-venture related funding between pre- and post-GDPR periods in the EU and U.S., the authors found that EU technology firms experienced, on average, declines in the double-digital percentages relative to their U.S. counterparts.⁴ The authors then assumed that, if there are fewer new ventures and less capital per venture after the GDPR went into effect, fewer jobs could also result given that business start-ups often create jobs.⁵ On the other hand, one potential reason for a reduction in venture capital to EU startups is that businesses that were likely to violate privacy rights did not receive funding. Despite these preliminary findings, the long-term effects of the GDPR remain to be seen.

Nonetheless, small businesses are just as likely to engage in privacy intrusions as large companies are. Tien pointed out that

we … traditionally associate innovation with smaller start-ups. We also tend to assume that smaller companies can’t do as much harm in the first place, and yet one of the truths about the app economy is that you can have a very popular app and collect an enormous amount of data. If you are careless with that data, you have a data breach. You might actually have a greater threat of greater security problems and privacy breach issue … associated with very small players.⁶

It is important to recognize that from a privacy perspective, the key variable is not the size of the business, but the amount of personal data the business collects and how it uses that data.

Citations

“Maximizing the value of your data privacy investments,” Cisco (January 2019), source. The study found that GDPR-compliant EU companies experienced fewer data breaches, and when breaches did occur, they affected fewer records and caused shorter system downtime.
Natasha Duarte, Megan Gray, Keir Lamont, Nathalie Maréchal, Gabrielle Rejouis, and Lee Tien, “Paying for Our Privacy,” (Panel, Washington, DC, July 16, 2019), source.
Jian Jia, Ginger Jin, and Liad Wagman, “The short-run effects of GDPR on technology venture investment,” VOX CEPR Policy Portal, January 7, 2019, source.
Jia, Jin, and Wagman, “The short-run effects of GDPR on technology venture investment.”
Jia, Jin, and Wagman, “The short-run effects of GDPR on technology venture investment.”
Natasha Duarte, Megan Gray, Keir Lamont, Nathalie Maréchal, Gabrielle Rejouis, and Lee Tien, “Paying for Our Privacy,” (Panel, Washington, DC, July 16, 2019), source.

Welcome to New America, redesigned for what’s next.

Education & Work

Democratic Futures

Global Security

Technology & Democracy

Thriving Families

Trending Topics

Real Skills, Real Income: Why Youth Apprenticeship Is Resonating Now

Future-Proofing U.S. Nuclear Policy: Forecasting Outcomes of the Nuclear-Armed Sea-Launched Cruise Missile

Debunking Myths on Student Parent Data Collection

The App Store Accountability Act Poses Serious Concerns for Privacy, Security, and Free Expression

Redrawing School Boundaries for Fairer Funding

Reframing Fusion Voting as a Practical, Powerful Reform Strategy

Harnessing Terrorism Data to Reshape U.S. National Security Policy

Establishing a National Housing Loss Rate

New America Fellows

Making Child Care Work for Student Parents

Drinking Water Data for the Nation: Version 1.0 Release Webinar

The Understated Value of Regional Intermediaries for Workforce and Economic Development

The Charleston Regional Youth Apprenticeship Model

Paying for Our Privacy: What Online Business Models Should Be Off-Limits?

Table of Contents

Concerns Remain over the Potential to Harm Innovation through Overly-Prescriptive Legislation

Citations

Concerns Remain over the Potential to Harm Innovation through Overly-Prescriptive Legislation

Paying for Our Privacy: What Online Business Models Should Be Off-Limits?