Filling the Void: How E.U. Privacy Law Spills Over to the U.S.

The Concept of an International Regulatory Spillover

The classic illustration of a regulatory spillover is the adoption of California emission standards by manufacturers of cars that will never be driven in California (Goldsmith and Wu, 2006). This example is best understood as an example of spillovers from California to other U.S. states. Our focus by contrast is on international spillovers.

We define an international regulatory spillover as an instance in which actors consciously comply with a law adopted by a particular nation-state outside of its territory in circumstances when the law is not strictly applicable. This definition excludes compliance with laws that are extraterritorial in scope and actually are applicable to the conduct in question. In addition, a change in behavior in response to foreign law only qualifies as an international regulatory spillovers if the change can be characterized as a shift toward compliance. ¹ Finally, our focus here is on spillovers that affect the compliance behavior of private actors. The ways in which one state’s regulatory behavior influences the regulatory behavior of other states is a distinct topic, although, as we discuss below, the kinds of spillovers we discuss may cause private actors to seek ways to influence public action. ²

International regulatory spillovers from the European Union have attracted considerable attention in recent decades, most notably in Anu Bradford’s seminal work on the Brussels Effect (Bradford, 2020). The most commonly cited source of international regulatory spillovers from the E.U. is European data protection law, but that is not the only source (Bradford, 2020; Frankenreiter, 2022; Goldsmith and Wu, 2006; Shaffer, 2020). Bradford has compiled a slew of other examples of EU laws that have generated international regulatory spillovers, in areas such as antitrust law, animal welfare, health and safety, and online hate speech (Bradford, 2020). For example, she recounts how the EU’s strict regulations on use of genetically modified organisms (“GMOs”) have led producers such as Unilever, Nestlé, Gerber and Heinz to avoid using GMOs in their products, regardless of where they are being sold (174–184). Similarly, US chemical manufacturers have complied with stringent E.U. chemical regulations worldwide, despite the fact that the U.S. has a much laxer regime (196–199). Bradford also provides examples of electronics companies spending large sums to comply with E.U. standards for hazardous substances, even in sectors not covered by the standards (214).

Potential Causes of International Regulatory Spillovers

The examples of international spillovers in the previous section belie the naïve view that firms will automatically avoid the cost of complying with foreign regulations. The existing literature offers several reasons to reject this naïve view and identifies plausible channels through which the effects of regulation may spill over to affect firms operating outside of the source jurisdiction. The magnitude of any spillovers will depend on the nature of the legal regime in the source jurisdiction.

The most straightforward explanation for regulatory spillovers is the fear that failure to comply with the source jurisdiction’s law will lead to legal sanctions. Extraterritorial deterrence will be especially potent when firms find it difficult, from a purely technological perspective, to avoid operating in the source jurisdiction. For example, a company like Google, may find it difficult to determine whether a particular user is a “European Data Subject” and so cannot be sure that its data collection practices in U.S. markets will not affect E.U. residents (Shaffer, 2020, pp. 61–62; Bradford, 2020, p. 143). The key factor in the deterrence account is firms’ perceptions of the risk of liability, which may or may not be accurate. As Shaffer points out, even firms with little exposure to E.U. consumers might be spooked into compliance with E.U. law, particularly if their lawyers and other advisors subtly overstate the risk of liability to drum up business for themselves (Shaffer, 2020, pp. 69–70).

A second set of explanations is based on the costs of differential compliance. These arguments challenge the assumption that it will be prohibitively costly to comply with foreign law, relying on the fact that it often will be uneconomical for firms to comply with different legal standards in different parts of their business. Moreover, when compliance must be documented, it may be uneconomical to draft different documentation for different jurisdictions. In other words, there may be economies of scale in ensuring and documenting compliance with the source jurisdiction’s standards. Anu Bradford emphasizes this point in her writings on the “Brussels Effect.” She argues that E.U. law influences the practices of firms around the world because the E.U. is a large market; its standards are stringent, well-enforced and applicable to all firms that deal with E.U. consumers; and, many firms would find it costly and impractical to comply with different standards inside and outside the E.U., even when it is technologically feasible (Bradford, 2020, pp. 56–57).

A third set of explanations for spillovers focus on the benefits of compliance. Firms might take the opportunity to comply with foreign law as a way of sending a signal to various stakeholders, including consumers, investors and regulators. For instance, firms may fear that their public image – and demand for their products—will suffer if they are seen to be offering U.S. residents less protection than E.U. residents (Shaffer, 2020, pp. 78–79. See also Bradford, 2020, p. 61; Scott, 2009, pp. 927–928; Frankenreiter, 2022, pp. 20–21). ³ Alternatively, firms might comply with E.U. standards in order to signal to U.S. regulators that further U.S. legislation is unnecessary (Shaffer, 2020, p. 58). This theory presumes that firms expect the relevant stakeholders to both observe and reward compliance with foreign law, but that kind of response is not guaranteed. For example, consumers might interpret compliance with E.U. standards on disclosure of privacy risks as a signal that compliant firms are putting their data and risk and so should be avoided. Meanwhile, U.S. regulators might take compliance with E.U. standards as a signal that the associated compliance costs are low and so further U.S. legislation is feasible. Yet another possibility is that compliance generates benefits for individual agents within a firm rather than the firm as a whole. For instance, compliance managers may induce their employers to comply in order to enhance their personal reputations or self-esteem.

The magnitude of spillovers through each of these channels will depend in part on levels of enforcement and compliance in the source jurisdiction, both actual and anticipated First, the risk of legal sanctions will depend on the extent to which enforcement agencies in the source jurisdiction have the capacity and incentives to engage in cross-border enforcement. For instance, well-resourced agencies may have an incentive to pursue cross-border enforcement actions in order to avoid placing firms operating in their territory at a competitive disadvantage. Second, the greater the level of compliance in the source jurisdiction, the more likely it is that consumers and investors in other jurisdictions will become aware of the source jurisdiction’s norms and be in a position to reward firms that signal compliance with them. Third, high levels of compliance in the source jurisdiction may reduce compliance costs. For example, a greater number of compliant firms might induce service providers to develop more effective or lower-cost technologies or generate a larger pool of compliance professionals. Moreover, when the benefits and costs of compliance are uncertain, firms might take the number of compliant firms in the source jurisdiction as a signal of the likely net benefits. Fourth, high levels of compliance in the source jurisdiction may enhance the normative appeal of its laws.

Implications of International Regulatory Spillovers for U.S. Privacy Regulation

International regulatory spillovers may have wide-ranging effects on the interests and behavior of private actors and lawmakers, in both the source and the affected jurisdictions.

As far as private actors are concerned, spillovers by definition involve changes in compliance behavior. For the reasons outlined above, this may yield either costs or benefits for the actor who complies. It is tempting to conclude that spillovers are beneficial when they reflect efforts to capture the benefits of signaling or to conform to appealing norms, and detrimental when they reflect efforts to avoid the costs of liability or incremental compliance measures (Frankenreiter, 2022, pp. 1104–1116). We do not make any presumption of this sort because, at least in principle, even from a purely economic perspective it is possible for firms to engage in excessive signaling or to conform to norms that are inefficient.

Compliance may also affect the welfare of other parties, such as people who benefit from cleaner air or greater privacy protection or who lose their jobs as a result of a decline in the complying firm’s activities. In the information privacy context, for example, firms that comply with the GDPR in the U.S. could afford customers the right to access and delete their personal information, which could ease some of the current anxieties about law enforcement officials accessing period and pregnancy tracker applications’ information to prosecute individuals seeking abortions in states where abortion is now illegal. Competitors of the complying firm and their stakeholders may also be affected because compliance with foreign law may result in either a competitive advantage or disadvantage. For example, automobile manufacturers who choose to comply with costly California standards may be at a disadvantage to competitors who choose not to comply.

Spillovers may also affect private actors’ political behavior. Actors who anticipate being affected by spillovers will have an incentive to lobby foreign governments—Bradford cites many examples of US firms trying to shape E.U. to favor their interests by lobbying lawmakers in Brussels (2020, pp. 254–256. See also Scott, 2009). Meanwhile, in the jurisdiction affected by the spillover, firms that are already complying with a foreign standard may drop their objections to local adoption of the standard. They may even go further and actively promote local adoption in order to avoid being placed at a disadvantage to competitors who are not complying (Bradford, 2020, p. 256; Rothenberg, 2018).

As for lawmakers, how they respond to international regulatory spillovers will depend on whether they are responsible for creating or responding to spillovers and whether they care solely about the rights and welfare of people within their territory. Lawmakers in the source jurisdiction who care about the interests of foreigners ought to be eager to create spillovers that benefit foreigners and reluctant to create spillovers that impose undue burdens on them. At the opposite end of the spectrum, lawmakers who care only about the welfare of their fellow nationals still ought to care about how the spillover effects of the laws they adopt will affect the competitiveness of domestic firms. Enacting strict standards might become more appealing if international spillovers ensure that domestic firms’ competitiveness will be unharmed. Meanwhile, lawmakers whose constituents are likely to be affected by spillovers will have to consider those spillovers when assessing the incremental impact of their own laws. For example, if virtually all of the cars being sold in a jurisdiction already comply with California emissions standards then adopting similar local standards will have little impact on compliance and so may be less politically costly than it would be in the absence of spillovers. At the same time, those spillovers may reduce the political benefits of domestic adoption.

Background: Regulation of Information Privacy in the U.S. and the E.U

Information privacy regulation has been hotly debated for the past two decades and different regimes have emerged around the globe. Since the early 1990s, the U.S. has adopted a self-regulatory market-based regime, known as “Notice and Choice.” The regime is overseen by the Federal Trade Commission (FTC) and recommends that firms embrace the FTC’s Fair Information Practice Principles related to the collection, use, sharing, and security of personal information, outline their information practices in privacy policies, and offer individuals some choices regarding particular information privacy practices (Federal Trade Commission, 1998). ⁴ Notice and Choice is a disclosure-based regulatory approach whose goal is to encourage individuals to read privacy policies and engage with firms with desirable information practices. This is in turn supposed to encourage firms to compete on privacy. Over the past two decades, the FTC has updated its recommended information privacy practices in a series of reports to Congress. The most recent are outlined in a 2012 report, Protecting Consumer Privacy in an Era of Rapid Change [FTC 2012].

The FTC takes an active role in enforcement of consumer information privacy: it oversees enforcement of the now temporarily-defunct E.U.-U.S. Privacy Shield, another voluntary framework that allowed participating firms to meet E.U. requirements for transferring personal data to third countries, in accordance with Chapter V of the GDPR. The FTC uses Section 5 of the FTC Act to bring actions against firms that engage in unfair or deceptive information privacy practices, such as violating terms in privacy policies, to encourage compliance with its regime. ⁵ Despite this additional push, commentators and academics have regarded the U.S. regime as toothless and incapable of reigning in firms’ information privacy practices due to its voluntary nature and the FTC’s inability to fine firms for failure to comply with the guidelines (See, e.g., Martin, 2013; Kang, 1998; Schwartz, 2000; Strahilevitz, 2013. But see Ryan Calo, 2013; Bamberger & Mulligan, 2010, p. 288). The empirical literature supports these conclusions: Disclosure regimes generally have failed to promote or increase readership of standard terms, especially when the terms are long and difficult to read—as privacy policies have been shown to be; and studies have documented that firms’ information practices show poor compliance with previous FTC guidelines (Ben-Shahar & Schneider, 2014; Bakos et al., 2014; Electronic Privacy Information Center, 1999; Hoofnagle, 2005; Marotta-Wurgler, 2016; McDonald & Cranor, 2008).

The E.U.’s 2018 GDPR stands in sharp contrast to the U.S.’s regime. Most strikingly, it is a mandatory law which gives enforcement agencies the authority to impose significant sanctions for violations, including up to 4% of a company’s yearly global revenues. Like FTC (2012), it has extensive disclosure requirements that firms must include in their privacy policies. “Data controllers” must inform data subjects about how their data will be used, what categories of data will be collected, how long the data will be kept, and how they can exercise their data-related rights. They must also obtain consent to data processing “in an intelligible and accessible form, using clear and plain language.” (GDPR, 2018, Article 12. See also Becher & Benoliel, 2021) If the controller intends to transfer personal data to a country outside the E.U., this information must be disclosed in the privacy policy. Furthermore, controllers need to disclose any third parties who will handle the data. If the data controller suffers a data breach that creates “a high risk to the rights and freedoms of natural persons,” the data controller must notify the subject (GDPR, 2018, Article 35).

The GDPR also incorporates numerous substantive protections that go well beyond the FTC’s. First, it imposes strict restrictions on use and transfer. Data controllers who retain personal data can only do so for as long as necessary to fulfill the original basis for collection and processing. In addition, the GDPR requires that data controllers implement appropriate security measures and gives data subjects the right to sue for compensation for violations of its directives as well as the right to access and rectify any inaccurate personal data. It also includes substantive rules regarding transfers following the initial collection. The GDPR dictates that transfers from data controllers to processors be governed by a written contract that gives the controllers significant control over the processor’s activities, requires consent to transfers to sub-processors, and requires compliance with the GDPR. With regards to enforcement and termination rights, the GDPR permits data subjects to terminate agreements by withdrawing their consent to processing and encourages collective enforcement by giving data subjects the right to mandate a non-profit to conduct enforcement proceedings on their behalf.

The GDPR seeks to circumvent both the constraints of contractual privity and the traditional limitations on extra-territorial jurisdiction. It applies explicitly to the processing of personal data of E.U. residents by entities located outside the E.U. (Article 3 (2)). It also applies to the processing of personal data “in the context of the activities of” entities located in the E.U., even if the processing itself does not take place in the E.U. (Article 3 (1)). It seems clear that processing of data of non-E.U. residents by entities located outside the E.U. is not covered by the first prong of this formula. There is some uncertainty, however, about the circumstances in which such processing will be deemed to be “in the context of the activities of” an entity located in the E.U. ⁶

Not only does the GDPR clearly apply to firms located outside the E.U., it also expressly reaches instances where the personal information of E.U. residents is transferred outside of the E.U. Article 46 of the GDPR specifically authorizes transfers of this sort when the transferor enters into an agreement with the transferee that incorporates the protections provided under E.U. law and allows the data subject to enforce those rights as a third-party beneficiary of the agreement. This can be done by, among other things, incorporating “standard contractual clauses” approved by the Commission for this purpose. The pre-existing standard contractual clauses were revised by the Commission in June 4, 2021 to make them GDPR-compliant.

The GDPR took the world by storm, even though many of its substantive requirements were not new. In the runup to its enactment, legal news outlets and major newspapers discussed its scope, stiff penalties and likely effects on firms’ information privacy practices and consumers to conducted a record number of privacy-related searches (Economist, 2018; Satariano, 2018). Importantly, the GDPR also had an undeniable effect on the information practices of firms subject to its scope, as shown, for instance, by studies documenting changes in intra-firm data privacy management, the structure of relationships with intermediaries, and connections with technology providers (Bessen et al., 2020; Goldberg et al., 2019; Peukert et al., 2022, pp. 746–768).

In the aftermath of the GDPR, lawmakers in many other jurisdictions have moved to reform their privacy laws, including lawmakers in the U.S. (Greenleaf, 2023; Morton, 2023). To date, over a dozen states have enacted comprehensive consumer data privacy laws to fill the void left by the lack of substantive Federal privacy legislation. The most salient example is California, whose CCPA shares many aspects of the GDPR (including stiff penalties for noncompliance) (see California Consumer Privacy Act, 2018; Connecticut Personal Data Privacy and Online Monitoring, 2022; Utah Consumer Privacy Act, 2022; Virginia Consumer Data Protection Act, 2021). Examining the likelihood and extent of GDPR spillovers is critical to assess the likely impact and political feasibility of these sorts of initiatives.

Existing Evidence of GDPR Spillovers

Studies of the spillover effects of the GDPR have examined its impact on a range of privacy practices. Peukert et al. (2022) examine the influence of the GDPR on data-related practices of more than 110,000 websites. GDPR Article 13 (1) (e) requires data providers to make sure third-party data processing providers also abide by the GDPR. They find that after the GDPR came into effect the websites in their sample reduced the number of requests to third party servers that potentially could involve sharing users’ personal data. The GDPR appeared to affect the practices of websites to which it was not directly applicable, but in a limited way. On the one hand, websites that neither were located in the E.U. nor appeared to cater to people in the E.U. displayed reductions in the numbers of third party requests. On the other hand, those reductions were relatively small and lasted no more than 6 months.

An alternative way to measure the influence of the GDPR is to examine the contents of firms’ privacy policies. The content of firms’ privacy policies is shaped by many factors besides regulatory requirements, including the costs of drafting the policies and the attitudes of the professionals who draft them. Consequently, privacy policies may not fully reflect firms’ actual privacy information practices. However, a sizeable portion of the GDPR’s requirements is disclosure-based which means that compliance ought to be reflected in privacy policies.

Davis and Marotta-Wurgler (2019) investigated the GDPR effect by looking at changes in firms’ privacy policies over time. We compared the information privacy practices outlined in privacy policies facing U.S.-facing consumers from a representative sample of 194 sample of firms’ websites at two points in time: in 2014 and immediately after the GDPR went into effect (Davis & Marotta-Wurgler, 2019). ⁷ We found that a large fraction of sample firms significantly revised their privacy policies right around May, 2018, the month when the GDPR came into effect (Davis & Marotta-Wurgler, 2019). This widespread change in firms’ stated privacy practices was unprecedented in its magnitude and unparalleled by any previous efforts to comply with U.S. regulations or guidelines. If we focus on the 2014 privacy policies, we found an increase in the rate of revisions around 2012 the year when the FTC’s latest information privacy guidelines were issued, followed by another large number of revisions in 2014. This is in sharp contrast to the 2018 sample, where over 70% of firms revised their policies right around the date when the GDPR became effective, and about 15% revised them one to two years prior, when the GDPR was introduced. The effect of the GDPR on the privacy policies is readily apparent and most 2018 sample policies referred to it in varying ways.

Frankenreiter’s contribution to this discussion also contains an empirical study that finds a limited GDPR effect for a small set of terms from a sample of websites’ privacy policies. He finds that the GDPR prompted changes in both U.S. and E.U.-facing privacy policies used on the most frequently visited websites in the U.S. and the E.U. respectively. He also finds that many of the revised U.S.-facing policies granted greater protection to E.U. residents than to non-E.U. residents. By October 2018, 34.7% of U.S.-facing websites complied with more than half of the GDPR requirements that he tracks for E.U. residents, but only 6.7% met that standard for non-E.U. residents (Frankenreiter, 2022, pp. 1201–1202). Meanwhile, 76% of the E.U.-facing websites in the sample complied with the majority of the GDPR requirements (1200). This discrepancy may be the explained by the sample selection; the E.U. and U.S.-facing websites do not belong to corresponding firms and markets. In addition, the sample includes including non-commercial firms, such as universities, making it hard to disentangle whether the differences in compliance between E.U. and U.S.-facing websites is the result of a limited spillover or of differences in compliance across different firms in different markets in each region. Frankenreiter’s quantitative analysis focuses mainly on the role of economies of scale in explaining why firms adopt GDPR-compliant terms in their U.S.-facing privacy policies. He concludes that they play a limited role and so costs of differential compliance are unlikely to explain the spillovers he observes. He suggests that those spillovers are more likely to be explained as attempts to capture benefits that flow from signaling compliance to consumers.

Contribution to the Existing Literature

Our study contributes to the existing literature in three main ways. First, it offers a more granular examination of compliance that extends to a broader set of GDPR requirements to evaluate firms’ general approach to compliance. Second, it offers a robust benchmark against which to measure GDPR compliance and, consequently, the magnitude of any spillover effects outside of the E.U., the jurisdiction where compliance with the law is mandatory. Third, it expands the analysis of the impact of the GDPR on privacy policies by examining compliance in light of both theories of international regulatory spillovers and theories of how documents such as privacy policies are drafted.

Dataset

We measure GDPR compliance in both the U.S.-facing policies (presented to U.S.-based consumers) and E.U.-facing policies (presented to E.U.-based consumers) from 177 representative companies from seven online markets where consumer data is collected and shared at various levels of intensity: adult, cloud computing, dating, gaming, news and reviews, social networks, and special interest message boards. The firms include both major and minor players from each market, as corroborated by various market share reporters. The firm selection process is described in detail in Marotta-Wurgler (2017, S22–26).

The firms in our dataset all conduct business in the United States and have overseas operations, including in the E.U. The sample is the same as the one used in Davis and Marotta-Wurgler (2019), except for three firms that did not have an E.U. presence and therefore were irrelevant for our purposes. It includes the largest firms, such as Amazon, Facebook, and Google, as well as many smaller firms. We ascertained each firm’s E.U. presence by checking for a E.U. based address on the firms’ websites and on public firm directories. We collected E.U. location data in January 2020. Of all the sample firms, 165 are headquartered outside of the E.U., with 141 operating in the United States and the remaining 24 in non-E.U. countries, including Argentina, Australia, Bahamas, India, United Kingdom, Cayman Islands, Norway, the Philippines, Russia, Switzerland, the United Kingdom, and Singapore. Only 12 sample firms are headquartered in the EU. These include one firm in Cyprus, Finland, Hungary, and the Netherlands, respectively: five firms in Luxemburg, and three in Germany.

For each of the 177 sample firms, we collected three policies: A 2014 U.S-facing privacy policy (before the GDPR), a 2018 U.S.-facing policy collected in August 2018 (after the GDPR), and a 2018 E.U.-facing policy which we gathered in January 2020 (after the GDPR). We were able to collect the 2018 version of about half these policies using the Wayback machine or through direct communication with the firms. For firms that did not respond, we obtained the policies using a VPN located in Ireland and verified that the policy obtained was one data subjects in Ireland would see. As we explain in the following section, we do not believe this difference in collection timing is likely to bias our results in any meaningful way. Each policy was coded by two coders who are lawyers or had at least completed the first year of law school (Marotta-Wurgler, 2017).

Strikingly, 75% of the sample firms (133 of 177) offered precisely the same privacy policy to their E.U. and their U.S. users in 2018. The remaining 25% (44 of 177) either offered a distinct policy (28 firms) or included a “carveout” referring to additional GDPR-related rights for data subjects in E.U.-member states (16 firms). In only six cases does the carveout explicitly confer additional rights on data subjects in the E.U., in other cases the “carveout” consists of a general statement that data subjects in the E.U. have rights conferred by the GDPR.

Table 1 summarizes the characteristics of our firms. About 5% of the firms in the sample are nonprofits, and 27% are publicly traded. 40% of the firms have a physical presence in a E.U.-member state, including headquarters or offices. 46% of sample firms offer at least a portion of their services for a fee but the incidence of firms offering free versus paid services differs widely across markets. Almost all dating sites, about half of cloud computing and gaming sites, and a quarter of all adult sites operate on a subscription basis. Firms in the remaining markets do not offer subscriptions but offer premium access or the ability to purchase items for a price. The mean Alexa rank – a ranking of websites’ in terms of popularity – in 2014 was 122,143 (246,638 for 2018 U.S.-facing, and 228,758 for 2018 E.U-facing websites) and a median rank of 4562 in 2014 (22,372 for 2018 U.S.-facing and E.U-based websites). ⁸ In a separate analysis we found that firms with paid products are more likely to maintain separate policies, but otherwise there is little relation between firms’ observable characteristics and whether they used distinct U.S. and E.U. policies in 2018. ⁹

OPEN IN VIEWER

Table 1.

Summary Statistics by Policy Type.

		2014 U.S. - all	2018 U.S. - all	2018 E.U. - all
N contracts		177	177	177
Nonprofit (0–1)		.05
Public (0–1)		.27
Has E.U. Headquarters (0–1)		0.4
Paid service (0–1)		.46
Alexa rank	Mean	122,143	246,638	228,758
	Median	4,562	22,372	22,372
	SD	270,789	378,486	365,422
	min	1	1	1
	Max	1,000,000	1,000,000	1,000,000
Certification is claimed (0–1)		.26	.16	.16
Year last updated	Mean	2011.2	2017	2017
	Median	2012	2018	2018
	SD	2.2	2.4	2.5
Number of words	Mean	2125	4150	3944
	Median	2015	2970	2648
	SD	1342	5623	5648
Industry: Adult		.09
Cloud		.08
Dating		.16
Gaming		0.1
News		.07
Social network		.27
Special interest message board		.21

Table 1 also summarizes the characteristics of the privacy policies we collected. On average, the privacy policies from 2014 were last updated in 2011 (median 2012). The mean date of last update is 2017 for the policies collected in 2018, while the median date of last update is 2018 for both the U.S-facing and E.U.-facing policies. Most firms updated both their E.U.-facing and U.S.-facing policies around the time when the GDPR came into effect, as evidenced by the date of last update.

Measures of GDPR Compliance

Much of our analysis relies on measures of the extent to which the terms of firms’ privacy policies suggest that the firm complies with GDPR requirements. We track compliance for 62 terms across 15 categories of GDPR requirements governing a wide range of information privacy practices. The terms tracked are comprehensive of the practices usually described in privacy policies, which correspond to a substantial number of GDPR requirements, although they are not exhaustive. The terms we track include, among others, requirements that firms provide a legal basis for processing personal data, allow data subjects to exercise rights guaranteed by the GDPR, comply with data processing requirements (including data security and protection), adopt security measures, and offer specific means of redress. In addition, to measure compliance with the GDPR’s consent requirements, we track how the terms are presented to users and the types of consent mechanisms are used. Further details regarding the terms, their purpose, and their correspondence with GDPR articles are provided in Appendix B.

Our coding strategy was to be as granular as possible in order to capture differences across firms and minimize coder discretion (Marotta-Wurgler, 2017). For example, when tracking whether the privacy policy has a consent mechanism for the sharing of users’ personally identifiable information, we first track whether such information is collected. If so, we measure whether the mechanism is opt-in (requiring the user to take an affirmative to action to share such information), opt-out (requiring the user to take an action to stop such sharing), or mandatory. When measuring how the firm will communicate changes in privacy policies, we measure all the possible ways in which a firm can communicate this to users (email, notice on the site, no notice, new affirmative consent requirement), as well as whether the firm is silent on the issue, or the firm promises not to change the contract.

One of the terms we code is the one disclosing whether the firm has a “Data Privacy Officer,” which was introduced in response to novel provisions of the GDPR and so was not present in the 2014 policies. We treat the presence of this “novel term” in a privacy policy as an indication that it was influenced by the GDPR.

For similar reasons, we also code and track 2018 policies that include the Standard Contractual Clauses. Those clauses predated the GDPR. The required content was amended by the new regulation, but the new requirements did not go into effect until 2021, years after we collected our sample policies. Accordingly, the presence of Standard Contractual Clauses in a privacy policy is an indication that it was influenced by E.U. privacy law, though not necessarily the GDPR.

Table 2 provides a comprehensive overview of the extent to which our firms’ privacy policies contain terms that comply with the GDPR. For each term, the rightmost columns report GDPR compliance levels in 2014 and 2018 for U.S-facing policies as well as for E.U-facing polices in 2018. Note that the cell values report the fraction of policies that comply with the GDPR rules regarding the term in question, not the fraction of policies that contain a particular value of the term. The bottom rows of Table 2 set out (unweighted) average compliance rates across non-novel terms, novel terms and all terms, respectively. Table 3 also reports average compliance rates for these categories of terms but divides firms into those that use common and differentiated policies in the U.S. and the E.U. We classify firms as offering differentiated policies if they either use distinct policies on their U.S. and E.U.-facing websites, or offer a carveout for E.U. residents in the policy on their U.S.-facing Web site.

OPEN IN VIEWER

Table 2.

Policy Compliance With GDPR.

	2014	2018	2018 E.U.-Facing
N contracts	177	177	177
Legal basis – Notice/Consent: Conditions for consent
PP Accessible through a direct link from the homepage	.88	.86	.89
Asked to manifest consent when signing up via clickwrap	.21	.25	.28
Uses cookies	.02	.01	.01
Legal basis – Notice/Consent: Type of data collected
Contact data collected and stored	1	1	1
Computer data collected and stored	.90	.94	.94
Interactive data collected and stored	.85	.92	.92
Financial data collected and stored	.75	.92	.92
Content data collected and stored	.58	.93	.93
Sensitive data collected and stored	.39	.61	.59
Geolocation data collected and stored	1	.92	.92
Legal basis – Notice/Consent: Third parties; use of data
User’s profile/picture/data may be used in direct ads	.92	.58	.64
Allows third parties to place ads that may track user behavior	.16	.09	.10
Identifies recipients of shared or sold data	.10	.16	.16
Defines words such as ‘affiliates’ or ‘third parties’ if applicable	.06	.11	.13
Legal basis – Necessary processing; legal obligation
Personally identifiable information (PII) used internally only for business purposes	.31	.56	.54
PII Used only for stated context-specific purposes (e.g., for service to work)	.27	.29	.30
Reserves right to disclose protected data to comply with law/prevent crime	.84	.91	.90
Gives notice of government requests for data about the user	.04	.02	.02
Controllers’ obligations – Data processors
Binds affiliates and subsidiaries by the same PP	.18	.52	.50
Binds contractors (e.g., payment process companies) by the same PP	.19	.54	.55
Controllers’ obligations – Third parties and processors
Binds third parties by the same PP	.05	.13	.14
Entity performs due diligence regarding third parties with data access	.02	.21	.20
Rights of the data subject – Third parties
Has consent mechanism for sharing/selling PII or sensitive data	.37	.08	.09
Rights of the data subject – Control
User can adjust privacy settings	.52	.21	.27
User allowed to access and correct personal data	.63	.78	.78
User can request data be deleted or anonymized	.52	.65	.74
Gives user choice what happens to data if company is sold or ceases to exist	.02	.06	.05
Rights of the data subject – Data retention
States time limit for data retention	.02	.08	.11
Company has a procedure for safely disposing unused data	.02	.09	.09
Rights of the data subject – Accuracy
Guarantees data accuracy	.02	.02	.03
Specifies reasonable procedures in place to ensure accuracy	.31	.09	.12
Rights of the data subject – Transparency
Entity has contract with third parties regarding how data can be used	.09	.45	.48
Discloses what happens to data if entity ceases to exist	.93	.67	.69
Personal data modified/deleted/anonymized if user quits site	.29	.56	.53
Rights of the data subject – Change of terms
Alerts users to material changes to the PP	.39	.36	.38
User specifically notified of change to PP (e.g., email)	.10	.28	.26
Requires user to explicitly assent to material changes	.11	.04	.05
States that material changes are retroactive	.93	.96	.96
Security – Security of processing; data breach
Notifies user of a data breach	.04	.08	.09
Describes privacy and security protections in entity’s managerial procedures	.43	.26	.31
Identifies means of technological security (e.g., encryption)	.42	.48	.51
Disclaims liability for failure of security measures	.39	.23	.27
Requires periodic compliance review of data security measures	.11	.07	.09
Contains self-reporting measures in case of privacy violation	.03	.05	.05
Redress – Dispute resolution – Availability of remedies and liability
Has arbitration clause	.70	.53	.53
Has class action waiver	.79	.60	.61
Redress – Data privacy officer
Provides means by which user can express privacy concerns or complaints	.93	.92	.92
Designates data privacy officer		.20	.25
Standard contractual clauses
E.U. std. Clauses for transfer of personal data to processors in third countries incorporated verbatim		.08	.12
E.U. std. Clauses for transfer of personal data to controllers in third countries incorporated verbatim		.06	.06
Policy gives subject the right to be represented by ‘an association or other body'		0	0
Entity promises submission to an audit of data proceeding facilities		.01	.04
Entity liable for breach by a third party (e.g., a subprocessor)		0	.01
Third party data subjects given rights enforceable against the transferor		.01	.01
Third party data subjects given rights enforceable against the transferee		.01	.01
Third party data subjects given rights enforceable against subsequent transferees (e.g., subprocessors)		0	0
Gives consent to class action (including any form of collective representation in dispute resolution)		1	.98
Disputes subject to mediation		.41	.37
Bars recovery of punitive damages		.34	.39
Stipulates damages for breach		.39	.43
Commits not to vary or modify specified terms		.01	.01
Agrees to submit to an audit for termination measures		0	.01
Mean (excluding standard contractual clauses and DPO)	.40	.43	.44
Mean (standard contractual clauses and DPO)		.17	.18
Mean (all GDPR terms)		.36	.38

OPEN IN VIEWER

Table 3.

U.S. Policy Compliance With GDPR: Firms With Common Versus Distinct E.U. Policies.

	U.S. Same as E.U. Policy		Has distinct E.U. Policy
	2014	2018	2014	2018
N contracts	133	133	44	44
Terms excl. Standard contractual clauses and DPO (47)	.40	.42	.37	.44
Redress – Data privacy officer
Designates data privacy officer (DPO)		.14		.36
Standard contractual clauses
E.U. std. Clauses for transfer of personal data to processors in third countries incorporated verbatim		.03		.23
E.U. std. Clauses for transfer of personal data to controllers in third countries incorporated verbatim		.02		.18
Policy gives subject the right to be represented by ‘an association or other body'		0		0
Entity promises submission to an audit of data proceeding facilities		.01		.03
Entity liable for breach by a third party (e.g., a subprocessor)		0		0
Third party data subjects given rights enforceable against the transferor		.01		0
Third party data subjects given rights enforceable against the transferee		.01		0
Third party data subjects given rights enforceable against subsequent transferees (e.g., subprocessors)		0		0
Gives consent to class action (including any form of collective representation in dispute resolution)		.99		1
Disputes subject to mediation		0.4		.43
Bars recovery of punitive damages		.36		.27
Stipulates damages for breach		.41		.32
Commits not to vary or modify specified terms		.01		0
Agrees to submit to an audit for termination measures		0		0
Mean (excluding standard contractual clauses and DPO)	.40	.42	.37	.44
Mean (standard contractual clauses and DPO)		.16		.19
Mean (all GDPR terms)		.36		.38

Novel GDPR terms are blank for 2014 contracts. All cell values report the fraction of contracts that comply with the GDPR rules regarding the term in question, not the fraction of contracts that contain a particular value of the term. There are 44 firms that have distinct terms for E.U. Residents in 2018, whether made distinct by a separate document or by a GDPR/E.U. Carveout.

Tables 2 and 3 allow us to compare levels of compliance in three ways: between U.S.-facing policies in 2014 and 2018, between U.S.-facing and E.U.-facing policies in 2018 (we use the latter as a benchmark to measure the magnitude of GDPR compliance in the U.S.), and between terms. These comparisons reveal four key points.

First, there was a modest increase between 2014 and 2018 in the average level of compliance reflected in the terms of U.S.-facing policies, but that trend was not consistent across terms. The average level of compliance with non-novel GDPR terms in U.S.-facing privacy policies increased from 40% in 2014 to 43% in 2018. Firms that use the same policy in 2018 (as reported in Table 3) showed relatively little increase in GDPR compliance between 2014 and 2018: 40%–42%. Meanwhile, firms with distinct policies in 2018 went from lower GDPR compliance in 2014 to greater compliance in 2018: 37%–44%.

Second, the average aggregate compliance levels reported in Tables 2 and 3 conceal considerable variation across terms. For instance, firms greatly increased compliance with requirements to disclose the collection of content data and sensitive information (from 58% to 93% and from 39% to 61%, respectively) and to bind third party processors contractually (from 18% to 52%). Not all terms became more protective, however. For example, between 2014 and 2018, the proportion of firms that allowed users to adjust privacy settings decreased from 52% to 21%.

Third, the privacy policies manifest very low levels of compliance with certain requirements, but this does not necessarily mean that all firms’ actual practices are not GDPR-compliant, or that firms did not respond to GDPR. For instance, although the proportion of U.S.-facing privacy policies containing promises to notify users in case of data breaches doubled, from 4% to 8%, between 2014 and 2018, the absolute level of compliance was still low. However, as mentioned earlier, the failure to make such promises in a privacy policy does not necessarily mean that a firm will not comply with data breach disclosure mandates in the event of a breach. Unlike many other terms we track, the GDPR does not require firms to include disclosures regarding their data breach notification practices. It only imposes an obligation to notify when the event arises. Therefore, the absence of a data breach notification term does not mean that a firm has failed to comply with the GDPR. That may also explain why only 9% of firms’ E.U.-facing policies contain such a term.

Fourth, the level of compliance for most sample terms is higher than documented levels of compliance with the FTC’s non-binding “Notice and Choice” guidelines (Marotta-Wurgler, 2017).

Indicators of GDPR Spillovers

Our central questions are how and why firms’ U.S.-facing privacy policies exhibit GDPR spillovers. Privacy policies can be modified for all sorts of reasons. Our data does not allow us to measure directly when they change as a result of the GDPR. We thus create a range of indicators to increase the likelihood of identifying such changes. Ascertaining this kind of spillover effect is straightforward when the privacy policy refers explicitly to GDPR. In other cases we can infer the influence of the GDPR from the time at which the policy was amended or the fact that it incorporates terms that are peculiar to the GDPR. Rather than nominate a single indicator of GDPR spillover, we use six somewhat overlapping alternatives, ranging from strictest to loosest. Table 4 describes these as S1-S6.

OPEN IN VIEWER

Table 4.

Indicators of GDPR Influence and Spillovers on 2018 U.S. Policies.

Panel A. Indicators	All	U.S. Same as E.U. Policy	Has distinct E.U. Policy
N Contracts	177	133	44
S1. GDPR claimed	.23	.13	.52
S2. GDPR claimed, mentioned, or referenced	.50	.35	.93
S3. Policy last updated Apr or May 2018	.46	.38	.68
S4. Designates data privacy officer or incorporates verbatim the E.U. SCCs for transfer of personal data to controllers or processors in third countries	.29	.16	.70
S5. Compliance with at least three terms among DPO term and 14 SCC terms	.39	.36	.48
S6. Net increase in compliance of at least three of the 47 Pre-GDPR terms since the 2014 contract	.42	.43	.41

Panel B. Correlations (all 177 policies)	S1	S2	S3	S4	S5	S6
S1	1
S2	.54***	1
S3	.43***	.54***	1
S4	.24***	.55***	.25***	1
S5	.12	.11	0.1	.37***	1
S6	.11	.11	.11	.07	.14*	1

The most straightforward, and in some ways the most compelling, indicator of a spillover is simply whether the U.S. policy states that it is GDPR-compliant. We call this indicator S1. 23% of U.S.-facing policies contain such a statement. Our indicator S2 is less strict and more encompassing, merely indicating whether the GDPR is mentioned, rather than claimed, in the U.S.-facing policy. This simply represents an explicit acknowledgement that a set of rules known as GDPR exists. Indicator S3 is based on whether the 2018 U.S.-facing policy was last updated in April or May 2018.

Our next two indicators, S4 and S5, identify spillovers with use of novel terms and Standard Contractual Clauses. S4 identifies spillover with the appearance of at least one of three terms particular to European privacy law: the designation of a DPO, the verbatim incorporation of the E.U. standard contractual clauses for transfer of personal data to controllers in third countries, or the same with respect to transfer of personal data to processors in third countries. S5 identifies spillover with U.S.-facing policies’ compliance with at least three of the 15 ‘European’ terms. Like S4 above and S6 below, this is an arbitrary threshold that appears to divide the sample but could be changed somewhat without a major effect on interpretation.

Our last spillover indicator, S6, identifies spillover with a net increase in compliance among at least three of the terms that are not particular to GDPR. We use this mostly as a control measure, since these terms may have changed prior to the adoption of GDPR and without reference to its requirements. The second panel of Table 4 shows correlations between these spillover indicators. The first two, S1 and S2, are positively correlated by definition because S1 = 1 automatically implies S2 = 1. S4 and S5 also have this sort of mechanical positive correlation. More compelling are the statistically significant positive correlations between S3 (updating around GDPR introduction) and spillover indicators based on content, such as S1 and S4. There is also a weakly statistically significant correlation between compliance in European terms (S5) and changes in compliance among non-novel (S6) terms. The positive correlations throughout the table suggest that to a greater or lesser degree, the spillover indicators are highlighting the same firms.

Which Policies Exhibit Evidence of Spillovers?

Table 4 suggests that a substantial fraction of U.S.-facing policies was influenced by GDPR. Our most strictly defined indicators of the spillover effect suggest that the GDPR influenced 23% and 29% of U.S.-facing policies respectively. The more broadly defined indicators suggest that anywhere from 39% to 50% of policies were influenced.

Almost all of our indicators suggest that GDPR spillovers are much more prevalent among firms that maintained distinct policies in the U.S. and the E.U. as of 2018. For instance, overall, 29% of U.S.-facing policies feature at least one European term (S4), but this is driven by the 70% prevalence of those terms in firms that maintain distinct U.S.-E.U. policies. Only our most loosely defined indicator of spillovers, S6, suggests that spillovers are less prevalent among firms with distinct policies.

Our dataset permits us to explore whether other factors besides use of a distinct E.U. policy are associated with spillovers. To investigate this question we use the spillover measures S1, S4, and S6 as 0-1 dependent variables and some of the firm and industry characteristics summarized in Table 1 as independent variables. We hesitate to call these independent variables “determinants” of spillovers because identifying causality is always challenging.

The first three columns of Table 5 use S1 (whether GDPR compliance is claimed) as the spillover indicator of interest. The regression in the first column does not include industry dummies, the second column does, and the third column includes an additional dummy variable for whether the firm maintains a distinct E.U. policy. The results across all three specifications show that a major predictor of whether the GDPR spills over is whether the firm maintains a physical presence in an E.U. country (as of 2018), among both firms that do and do not maintain distinct policies. Having an E.U presence increases the probability of claiming GDPR in the U.S.-facing policy by a full 20% in our first two specifications, and 19% in the third specification. That third specification reveals that both having an E.U. presence and maintaing a distinct E.U. policy are significant predictors of claiming GDPR compliance. We stress, however, that these are not necessarily causal relationships, especially because the causal factors that influence the maintainance of a distinct E.U. policy may overlap with those that influence the drafting of the U.S.-facing policy.

OPEN IN VIEWER

Table 5.

Regressions to Explain GDPR Influence and Spillovers.

	S1. GDPR claimed			S4. Designates data privacy officer or incorporates verbatim the E.U. SCCs for transfer of personal data to controllers or processors in third countries			S6. Net increase in compliance of at least three of the 47 Pre-GDPR terms since the 2014 contract
Nonprofit (0–1)	.01 (.15)	.04 (.16)	.06 (.14)	−.06 (.16)	−.06 (.16)	−.04 (.14)	−.05 (.18)	−.02 (.19)	−.02 (.19)
Public (0–1)	−.03 (−.07)	.01 (.08)	−.02 (.07)	−.03 (.08)	−.06 (.08)	−.10 (.07)	−.20** (.09)	−.19** (.09)	−.19** (.09)
Has E.U. Headquarters (0–1)	.20** (.08)	.20** (.08)	.19** (.08)	.27*** (.08)	.25*** (.09)	.24*** (.07)	.15* (.09)	.13 (.10)	.13 (.10)
Paid service (0–1)	.08 (.06)	.11 (.08)	.06 (.07)	.13* (.07)	.09 (.08)	.02 (.07)	.08 (.08)	.14 (.09)	.14 (.09)
Popularity (-ln [Alexa rank])	.01 (.01)	.00 (.01)	−.00 (.01)	.02 (.01)	.02 (.01)	.01 (.01)	−.01 (.01)	−.01 (.01)	−.01 (.01)
Distinct E.U. Policy			.39*** (.07)			.51*** (.07)			−.02 (.09)
Constant	.24** (.12)	.15 (.13)	.04 (.12)	.33*** (.12)	.38*** (.13)	.23** (.12)	.35** (.14)	.28* (.15)	.28* (.15)
Industry dummies	No	Yes	Yes	No	Yes	Yes	No	Yes	Yes
Adjusted R2	.03	.03	.18	.08	.12	.34	.02	0	0
N	177	177	177	177	177	177	177	177	177

We obtain the same finding when using S4 (the presence of at least one of three novel GDPR terms) as the spillover indicator. Across all three specifications in the middle columns, the most robust factor is an E.U. physical presence, raising the probability of S4 = 1 by about 25%. There is weak evidence that companies with a paid service are also more likely to exhibit a spillover by this measure. Companies without paid services tend to have ad-based business models. Those firms may find it relatively costly to comply with the more restrictive data collection and retention practices imposed by the GDPR.

The last three columns use S6 (an increase in compliance with non-novel GDPR terms) as the spillover indicator. As mentioned above, this is the least definitive GDPR-spillover indicator, since it involves changes that may have happened for other reasons. In any event, we find that public firms are about 20% less likely to increase GDPR compliance in three or more non-novel terms. One might speculate that public firms are more sophisticated about “needlessly” increasing GDPR compliance in this way, but the same view could not explain the lack of this relationship with respect to S1 and S4. Here there is weak evidence that having an E.U. physical presence is a factor influencing spillovers.

Which Terms Exhibit Evidence of Spillovers?

Our data provide hints that the GDPR may have had greater effects on some terms of privacy policies than others. First, some terms of U.S.-facing policies exhibited greater changes from 2014 to 2018 than others. Second, some terms of U.S.-facing policies manifest greater divergence from E.U.-facing policies than others. We suggest that the terms whose levels of compliance in 2018 were both significantly higher than in 2014 and close to the levels of compliance in the E.U. are the ones that were most strongly affected by the GDPR, even if the 2018 level of compliance was less than 100%. Terms of U.S.-facing policies whose levels of compliance in 2018 were significantly higher than in 2014 but still lower than in the E.U.-facing policies appear to have been influenced less strongly.

Table 6 shows the non-novel terms that evidenced the greatest change in the level of compliance from 2014 to 2018. The terms that had the most significant revisions are those that are specifically targeted by the GDPR and relate to practices that vary at the wholesale level for firms, including third-party contracts to ensure data security, binding contractors to contractual limitations on how data can be used, and introducing data retention limits; and various terms related to disclosures regarding the type of information collected and ways in which it is used and shared.

OPEN IN VIEWER

Table 6.

Terms With the Greatest Increase in Compliance.

Terms with the greatest increase in compliance over time	2014	2018	2018 E.U.-facing	2014 v. 2018	2018 U.S. Facing v. 2018 E.U.-Facing
Entity has contract with third parties regarding how data can be used	.09	.45	.48	.36	.03
Content data collected and stored	.58	.93	.93	.35	0
Binds contractors (e.g., payment process companies) by the same PP	.19	.54	.55	.35	.01
Binds affiliates and subsidiaries by the same PP	.18	.52	0.5	.34	−.02
Personal data modified/deleted/anonymized if user quits site	.29	.56	.53	.27	−.03
Personally identifiable information (PII) used internally only for business purposes	.31	.56	.54	.25	−.02
Sensitive data collected and stored	.39	.61	.59	.22	−.02
Entity performs due diligence regarding third parties with data access	.02	.21	0.2	.19	−.01
User specifically notified of change to PP (e.g., email)	0.1	.28	.26	.18	−.02
Financial data collected and stored	.75	.92	.92	.17	0
User allowed to access and correct personal data	.63	.78	.78	.15	0
User can request data be deleted or anonymized	.52	.65	.74	.13	.09
Binds third parties by the same PP	.05	.13	.14	.08	.01

Table 7 reports differences in compliance between U.S.-facing and E.U.-facing policies for non-novel terms. The term that affords data subjects the right to delete information is at the top of the list, which is not surprising given the relatively high cost of complying with the “right to be forgotten”. There are also significant differences in terms of disclosing specific security practices, which are also costly.

OPEN IN VIEWER

Table 7.

Terms With the Greatest Difference in Compliance.

	2018 U.S.– Facing	2018 E.U.-facing	2018 U.S. Facing v. 2018 E.U.-Facing
User can request data be deleted or anonymized	.65	.74	.09
User’s PII may be used in direct ads	.58	.64	.06
User can adjust privacy settings	.21	.27	.06
Describes privacy and security protections in entity’s managerial procedures	.26	.31	.05
Disclaims liability for failure of security measures	.23	.27	.04
Identifies means of technological security (e.g., encryption)	.48	.51	.03
Asked to manifest consent when signing up via clickwrap	.25	.28	.03
PP accessible through a direct link from the homepage	.86	.89	.03
States time limit for data retention	.08	.11	.03
Specifies reasonable procedures in place to ensure accuracy	.09	.12	.03
Entity has contract with third parties regarding how data can be used	.45	.48	.03

Compliance Costs

We examine the compliance costs hypothesis by leveraging our granular data set. Compliance costs tend to differ at the term level. We focus on those terms that have been identified as having relatively higher compliance costs and that can be measured by examining privacy policies (Deloitte, 2017; Presthus et al., 2018). These include the requirement that gives subjects the rights of data portability and deletion. We classify terms related to disclosures of information collected and used as well as related privacy practices as relatively low cost.

Our analysis of which terms manifest the least spillover effects bears out the view that the costs of complying with the GDPR limit the extent of GDPR spillovers. Commentary from 2017 and 2018 suggests that it was relatively costly for firms to comply with the requirement to give subjects the rights of data portability and deletion. ¹⁰ By contrast, terms related to disclosure of information collected and used and related privacy practices appear to be relatively low cost (Deloitte, 2017; Presthus et al., 2018). Table 7 reveals that when firms chose to opt for U.S.-facing policies with lower levels of compliance than in the E.U. they did it most frequently by failing to comply with the GDPR’s requirements to give users the right to delete information, to use the information in direct ads, and to adjust privacy settings. Compliance with all three of these requirements requires incurring costs that vary with the number of users to whom the rights are granted. This supports the inference that firms eschewed compliance with these requirements in their U.S.-facing policies in order to reduce their compliance costs, consistent with the compliance cost theory.

Extraterritorial Deterrence

We examine the extraterritorial deterrence hypothesis by measuring the extent to which firms include carveouts in their privacy policies. These carveouts are common contractual tools used to tailor standard form contracts to specific contracting parties (Frankenreiter, 2021; Zarsky, 2014). Common examples include warranty provisions that only apply to residents of states that have mandatory warranty terms and California Consumers Privacy Act (CCPA)-related provisions that apply only to residents of California. Firms concerned about potential penalties for failure to comply with the GDPR for E.U.-based subjects or citizens can easily extend such protections with carveouts in their U.S.-facing policies without extending compliance more generally.

Our data do not support the claim that GDPR spillovers are solely attributable to firms that fear being sanctioned for failing to comply with the GDPR if EU users visit their US-facing websites. According to that view, firms would tend to adopt compliant provisions whose scope was limited to users in the E.U., i.e. carveouts. This would allow them to save on the costs of adopting GDPR-compliant information practices in the US (or risking FTC liability for deceptively claiming GDPR compliance). The fact that only 6 of the U.S.-facing policies in our sample included carveouts that granted superior rights to subjects in the E.U. suggests that this theory is not the principal explanation of the spillovers we observe. Or to put it another way, fear of being sanctioned in the E.U. for targeting subjects in the E.U. does not explain the substantial evidence that the GDPR has affected the terms of U.S.-facing policies that explicitly apply to U.S. residents.

The relatively high level of spillovers among firms with an E.U. physical presence is, however, consistent with the idea that those firms fear being sanctioned for processing the data of people outside the E.U. on the grounds that the processing takes place “in the context of” their establishment’s activities in the E.U. Overall though, our data do not provide compelling evidence that extraterritorial deterrence is the primary driver of the spillovers we observe.

Costs of Differential Compliance

We explore this hypothesis in two ways. First, we consider whether firms adopt different privacy policies on their U.S. and E.U.-facing websites. Second, we classify terms into those that are likely to govern firm information practices in a wholesale manner and are therefore harder to tailor to individual markets or subjects, and into those can be more easily tailored at the regional or individual level (Bradford, 2020).

Our analysis partly supports the theory that spillovers are driven by the costs of differential compliance. The simple fact that 75% of the firms in our sample use the same U.S. and E.U.-facing policies is consistent with the idea that differentiated compliance is costly. However, the fact that 25% of the firms used different policies on their U.S. and E.U.-facing websites suggests that the costs of differential compliance are not always prohibitive.

Our analysis of which terms manifest the greatest spillover effects also offers some support for the prediction that spillovers will be prevalent when compliance entails low incremental costs in the U.S. once a firm has complied in the E.U. GDPR requirements that may be uneconomical to comply with on a purely regional as opposed to firm-wide basis include provisions relating to third party contracts, and requirements to adopt “privacy by design” (which involves hiring personnel and adopting information privacy-sensitive information practices at the operational and product or service design level), security practices such as encryption, or limits on data processing (Bradford, 2020). Terms related to the processing of information, which appear under the “Controllers’ Obligations- Data Processors” and “Third Party Processor” categories, all show marked improvements in compliance. For example, compliance among terms relating to due diligence on third parties with data access increased from 2% in 2014 to 21% in 2018 and closely tracked compliance in E.U.-facing policies. However, compliance among terms related to technological security measures increased slightly, from 42% in 2014 to 48% in 2018 but diverged significantly from E.U. levels of compliance. Moreover, overall compliance with terms related to privacy by design decreased from 43% to 26% and also diverged significantly from the level of compliance in the E.U.

One possibility is that the privacy policies may not reflect actual information practices: firms may be complying with “privacy by design” and security measures by implementing more safeguards in their operations and information practices but failing to mention those practices in their privacy policies – even the GDPR does not mandate such disclosure. Data processor contracts, in contrast, must be disclosed in privacy policies. This may explain the difference across these categories and thus offer stronger support for the hypothesis that spillovers are more likely when regional compliance is costly.

Benefits of Compliance, Norms, and Resources

Neither extraterritorial deterrence nor costs of differential compliance explains the appearance of spillover in policies used by firms with distinct U.S and E.U.-facing policies. Nor do these theories explain why spillovers appear to be more common in firms with a physical presence in the E.U. We conjecture that several additional factors explain these findings.

Broadly speaking, our findings suggest that firms, or actors within those firms, benefit from adopting GDPR-compliant terms, but the nature of those benefits is unclear. It has been suggested that firms may adopt such terms to send a signal to potential counterparties whose data might be subject to the policy. Privacy policies are rarely read, so this effect is unlikely to be material (Bakos et al., 2014). More material is the fact that these policies often are published, and so any signals they contain also will be sent to investors, regulators, and the general public. In principle, however, the impact on a firm of sending such a signal could be negative, as in the case in which a robust privacy policy – or just one that is unusually prominent – alerts previously unconcerned consumers to the risk of privacy violations and so scares them away (Brough et al., 2022).

Our data are most consistent with a somewhat different conjecture about the benefits of GDPR compliance: decisionmakers within firms may ‘benefit’ from GDPR compliance because of its normative appeal rather than because of its purely economic consequences. Sociologists who study institutional isomorphism – the tendency of organizations to become like one another – suggest that normative considerations are most likely to induce conformity in organizational settings where managers charged with compliance decisions are highly professionalized (DiMaggio & Powell, 1983, pp. 152–155). For these purposes, professionalization means the existence of a group of practitioners who, by virtue of some combination of education and socialization, claim unique expertise and status in relation to a particular set of tasks (Kharuna, 2007, pp. 8–11). Professionalization inculcates a common sense of which policies and procedures are normatively sanctioned and legitimated, in other words, ‘the right way to do things’ (DiMaggio & Powell, 1983, p. 154). This implies that firms and sectors in which key compliance personnel have strong cross-border professional ties will be particularly susceptible to cross-border spillovers. Several commentators have suggested that privacy professionals exert a significant influence over firms’ information practices, that they transmit ideas about privacy practices through their institutional networks, and that they generally had a positive view of the GDPR (Shaffer, 2000, pp. 66–69; Waldman, 2020, pp. 807–808). Our findings are consistent with the conjecture that firms with E.U. locations were particularly likely to have compliance professionals with close ties to compliance professionals in the E.U. who were influenced by the normative appeal of the GDPR.

Our findings are also consistent with the possibility that firms with E.U. locations find it less costly than other firms to adopt GDPR-compliant provisions in their privacy policies, even when they choose different terms for their U.S. and E.U.-facing websites. It seems reasonable to presume that a firm’s ability to select terms that reflect their organizational objectives will depend on the firm’s access to both legal expertise and copies of policies that it can use as templates. ¹¹ These resources should be particularly accessible for firms that are already operating in the E.U. and have drafted compliant privacy policies. Those firms may have better working relationships with internal and external privacy experts in the E.U. and greater familiarity with E.U. debates around privacy.

The limitations of our study include the following. One is that we do not have 2014 E.U.-facing privacy policies to determine the changes in such privacy policies before and after GDPR. Such data would offer a more thorough account of how policies in the E.U. have changed because of the GDPR, although our focus is on the effects of the E.U. law in U.S.-facing policies. Another potential concern is the size of our sample, which is smaller than those used in other studies and only covers six markets. But we do cover the largest e-commerce players and our results are often strong enough that they seem unlikely to be overturned with additional data, at least within the markets we consider. Another potential concern is that our four-year collection windows to compare information practices in the U.S. may capture only changes in privacy policies that are not due to the GDPR. Yet our Nou & Nyarko six GDPR compliance measures, including some which track precisely whether the policy claims GDPR compliance and the type of terms and language used that are novel to GDPR, give us confidence that we are indeed capturing changes that are targeted toward GDPR compliance—particularly given that most changes occur in May, 2018, precisely when the GDPR came into effect.