Abstract
There is mounting evidence that the EU’s General Data Protection Regulation (GDPR) has influenced the information privacy policies and practices that firms adopt in relation to people outside of the E.U., even when that is not required by the E.U. regulation. We use a hand-coded dataset of privacy policies from firms’ U.S. and E.U.-facing websites to document and explain these kinds of international regulatory spillovers. Our findings are consistent with the hypothesis that spillovers are driven by the costs of complying with different standards in different parts of the same firm. In fact, 75% of the firms in our sample use the same privacy policy for their U.S. and E.U.-facing websites. At the same time, our findings do not support the conclusion that firms comply with the GDPR in their U.S.-facing privacy policies out of fear of being sanctioned if the policy is somehow applied to E.U. residents. Finally, we find that spillovers are more prevalent among firms with a physical presence in the E.U. This suggests that international networks of compliance professionals may play a significant and understudied role in regulatory compliance, perhaps by providing channels for norms and resources to move across borders.
Introduction
Protection of information privacy is more important than ever in the United States. Release of personal information has long been associated with concerns about identity theft and embarrassment. Every day the regular conduct of internet commerce—the creation of accounts, the collection and resale of online search and purchase behavior, the entry of personal and credit card information, and so on—adds to unimaginably large databases of consumers and behavior and corresponding opportunities for abuse.
U.S. privacy law offers relatively limited responses to these concerns. There is still no comprehensive federal privacy law and only a minority of states have such legislation. In certain sectors, such as healthcare and education, personal data are subject to more robust protections, but in most areas the protection of personal data is subject to a “notice and choice” regime which offers no guarantee that consumers can make meaningful choices about how their personal data is used. Moreover, public enforcement is limited and penalties are lenient. These gaps in the federal regime have prompted numerous proposals for reform, including the American Data Privacy and Protection Act (ADPPA), the Federal Trade Commission’s proposed rulemaking on commercial surveillance and data security, and numerous pieces of state legislation along the lines of California’s California Consumer Privacy Act of 2018 (“CCPA”). Both the prospects for success and the impact of these proposals are uncertain.
In contrast, European law offers much more extensive protection for personal data. The central pillar of the European regime is the European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The GDPR requires firms to write readable and complete privacy policies, give consumers meaningful notices and rights (including the right to delete their information), and ensure that the data they collect is limited and not misused or used beyond stated specific purposes. Importantly, it imposes large penalties for noncompliance.
The GDPR generally protects only E.U.-based entities, and so it is not obvious that the GDPR should affect firms’ information practices in relation to U.S. residents. In fact, conventional profit-maximization logic suggests that firms will avoid costly regulation like the GDPR whenever possible. Therefore, one might expect firms dealing with U.S. residents to take advantage of the relatively lenient U.S. privacy regime with respect to such consumers, as opposed to adopting practices that comply with the GDPR.
Yet, this is not exactly what we see. In 2019, we published an article which found that many firms significantly revised their U.S.-facing privacy policies, that is to say, the policies they applied to their U.S. customers, right around the time that the GDPR came into effect, seemingly to comply with the GDPR (Davis & Marotta-Wurgler, 2019). The policies, which govern the relationship regarding personal information between individuals and firms, also grew much longer. These patterns hinted that there may have been a ratcheting up of privacy protections for U.S. residents; the GDPR may be an example of a law whose influence has spilled over across international borders to induce extraterritorial compliance. This phenomenon is sometimes referred to as the “California Effect” or the “Brussels Effect,” depending on the source of the laws in question (see, e.g., Bradford, 2012; Goldsmith and Wu, 2006). We use the more geographically neutral term, “international regulatory spillover.” Such spillovers have been discussed in laws concerned with topics as varied as antitrust, animal welfare, data protection, environmental protection and health and safety.
In this article we examine why and to what extent the GDPR generated international regulatory spillovers in the U.S. Among other things, we analyze all terms of the privacy policies that might have been affected, measure the magnitude of the effects, and, drawing on the broader literature on international regulatory spillovers, attempt to explain why these foreign regulations influenced firms’ U.S.-facing privacy policies. We also discuss the implications of such spillovers for the political economy of privacy regulation in the U.S.
We seek to identify the influence of the GDPR in a robust, comprehensive way, by measuring firms’ U.S. information privacy practices along numerous dimensions against meaningful benchmarks. To this end, we examine the responses to the GDPR from 177 sample firms across seven different markets. To have benchmarks for the post-GDPR U.S.-facing policies, we analyze each firm’s U.S.-facing privacy policies as of four years before and immediately after the GDPR went into effect, as well as their E.U.-facing privacy policy after the GDPR went into effect. In addition, we collect firm and market information to help explain differences in compliance. We track 62 privacy policy terms across 15 categories loosely based on the GDPR’s principles governing firms’ information privacy practices and catalog whether each term complies with the GDPR. We also track features of the privacy policies that indicate they were influenced by the GDPR, including explicit references to the GDPR in the text of the policy, use of language peculiar to the GDPR and other EU privacy legislation, and revision of the policy close to the date on which the GDPR came into effect.
Our analysis suggests that while most policies are not fully GDPR-compliant, the GDPR had meaningful spillover effects in the U.S., especially when those effects are benchmarked against effects in the E.U. Perhaps our most striking finding is that most firms in our sample (75%) use exactly the same privacy policy for residents of the U.S. and the E.U. This means that for most firms, whatever effect the GDPR had on their E.U.-facing privacy policy, it had the same effect on their U.S.-facing policy. While we find some evidence that the GDPR influenced the terms of these undifferentiated policies, we find stronger evidence of spillovers among the 25% of firms that wrote different privacy policies for their U.S.-facing and E.U.-facing websites. We also find that firms with a physical presence in the E.U. are more likely to have privacy policies that exhibit spillover effects, an association which does not appear to have been previously documented.
The fine-grained data allow us to explore variations in GDPR compliance across different categories of terms of privacy policies as well as across firms. Generally, compliance varies according to the type of information practice being regulated. We find that spillovers are less common when extending GDPR protection to U.S. subjects would entail significant additional compliance costs. They are more common in circumstances when it is impractical to adopt different information privacy practices in different regions.
These findings are consistent with several theories about the determinants of international regulatory spillovers. To begin, they are consistent with the intuitive idea that compliance costs limit the extent of spillovers. They are also consistent with the theory that spillovers are driven by the costs of differential compliance, perhaps the best-known explanation for the Brussels and California Effects. However, our findings do not support the conclusion that firms comply with the GDPR in their U.S.-facing privacy policies out of fear of being sanctioned if the policy is somehow applied to E.U. residents. Finally, our findings about the prevalence of spillovers among firms with a physical presence in the E.U. raise the possibility that international networks of compliance professionals play a significant and understudied role in regulatory compliance, perhaps by providing channels for norms and resources to move across borders.
The fact that the GDPR has meaningful spillover effects in the U.S.—that it may be filling gaps in U.S. privacy law—has implications for debates about the merits of reforms to the U.S. regime. GDPR spillovers imply that U.S. residents benefit from information privacy practices that are more robust than one would expect based solely on the content of U.S. law. Consequently, our evidence might alleviate concerns about emerging threats to privacy. This in turn suggests that the nature and extent of international spillovers bear on the impact of reforms to U.S. privacy law. If many of the firms that would be subject to a new legal standard have already adopted relatively protective information practices, then the incremental effects of reform may be limited.
International regulatory spillovers also bear on the political dynamics surrounding reform of U.S. privacy law. On the one hand, firms may be less resistant to stronger privacy laws, such as those currently under consideration, because they are already compliant with E.U. standards. Not only are such firms unlikely to oppose adoption of stronger privacy laws in the U.S., they may also become advocates for reform. On the other hand, the fact that GDPR spillovers limit the practical impact of new U.S. laws may dampen enthusiasm for reforms. For all these reasons, understanding GDPR spillovers to the U.S. is essential to both evaluating and explaining reforms to U.S. privacy law. Also, at a more practical level, understanding GDPR spillovers is important for practitioners who need to understand when and why their clients expect them to consider European law when advising on information practices aimed at U.S. residents.
Our article proceeds as follows. The next Part defines the concept of an international regulatory spillover and summarizes the literature on potential causes and political implications of such spillovers. The following Part introduces our study of the GDPR. It begins with an overview of the different legal regimes that govern U.S. firms interacting with the personal information of individuals in the U.S. and the E.U., respectively, and then summarizes the existing literature on GDPR spillovers. The next Part uses a unique hand-coded dataset to explore the extent of GDPR spillovers. The penultimate Part discusses factors that might explain those spillovers. The final Part concludes.
International Regulatory Spillovers, Causes and Consequences
In this Part we begin by defining the concept of an international regulatory spillover. We then discuss in turn the causes of international regulatory spillovers and their implications for the political economy of U.S. privacy regulation.
The Concept of an International Regulatory Spillover
The classic illustration of a regulatory spillover is the adoption of California emission standards by manufacturers of cars that will never be driven in California (Goldsmith and Wu, 2006). This example is best understood as an example of spillovers from California to other U.S. states. Our focus by contrast is on international spillovers.
We define an international regulatory spillover as an instance in which actors consciously comply with a law adopted by a particular nation-state outside of its territory in circumstances when the law is not strictly applicable. This definition excludes compliance with laws that are extraterritorial in scope and actually are applicable to the conduct in question. In addition, a change in behavior in response to foreign law only qualifies as an international regulatory spillover if the change can be characterized as a shift toward compliance. 1 Finally, our focus here is on spillovers that affect the compliance behavior of private actors. The ways in which one state’s regulatory behavior influences the regulatory behavior of other states is a distinct topic, although, as we discuss below, the kinds of spillovers we discuss may cause private actors to seek ways to influence public action. 2
International regulatory spillovers from the European Union have attracted considerable attention in recent decades, most notably in Anu Bradford’s seminal work on the Brussels Effect (Bradford, 2020). The most commonly cited source of international regulatory spillovers from the E.U. is European data protection law, but that is not the only source (Bradford, 2020; Frankenreiter, 2022; Goldsmith and Wu, 2006; Shaffer, 2020). Bradford has compiled a slew of other examples of EU laws that have generated international regulatory spillovers, in areas such as antitrust law, animal welfare, health and safety, and online hate speech (Bradford, 2020). For example, she recounts how the EU’s strict regulations on use of genetically modified organisms (“GMOs”) have led producers such as Unilever, Nestlé, Gerber and Heinz to avoid using GMOs in their products, regardless of where they are being sold (174–184). Similarly, US chemical manufacturers have complied with stringent E.U. chemical regulations worldwide, despite the fact that the U.S. has a much laxer regime (196–199). Bradford also provides examples of electronics companies spending large sums to comply with E.U. standards for hazardous substances, even in sectors not covered by the standards (214).
Potential Causes of International Regulatory Spillovers
The examples of international spillovers in the previous section belie the naïve view that firms will automatically avoid the cost of complying with foreign regulations. The existing literature offers several reasons to reject this naïve view and identifies plausible channels through which the effects of regulation may spill over to affect firms operating outside of the source jurisdiction. The magnitude of any spillovers will depend on the nature of the legal regime in the source jurisdiction.
The most straightforward explanation for regulatory spillovers is the fear that failure to comply with the source jurisdiction’s law will lead to legal sanctions. Extraterritorial deterrence will be especially potent when firms find it difficult, from a purely technological perspective, to avoid operating in the source jurisdiction. For example, a company like Google may find it difficult to determine whether a particular user is a “European Data Subject” and so cannot be sure that its data collection practices in U.S. markets will not affect E.U. residents (Shaffer, 2020, pp. 61–62; Bradford, 2020, p. 143). The key factor in the deterrence account is firms’ perceptions of the risk of liability, which may or may not be accurate. As Shaffer points out, even firms with little exposure to E.U. consumers might be spooked into compliance with E.U. law, particularly if their lawyers and other advisors subtly overstate the risk of liability to drum up business for themselves (Shaffer, 2020, pp. 69–70).
A second set of explanations is based on the costs of differential compliance. These arguments challenge the assumption that it will be prohibitively costly to comply with foreign law, relying on the fact that it often will be uneconomical for firms to comply with different legal standards in different parts of their business. Moreover, when compliance must be documented, it may be uneconomical to draft different documentation for different jurisdictions. In other words, there may be economies of scale in ensuring and documenting compliance with the source jurisdiction’s standards. Anu Bradford emphasizes this point in her writings on the “Brussels Effect.” She argues that E.U. law influences the practices of firms around the world because the E.U. is a large market; its standards are stringent, well-enforced and applicable to all firms that deal with E.U. consumers; and, many firms would find it costly and impractical to comply with different standards inside and outside the E.U., even when it is technologically feasible (Bradford, 2020, pp. 56–57).
A third set of explanations for spillovers focuses on the benefits of compliance. Firms might take the opportunity to comply with foreign law as a way of sending a signal to various stakeholders, including consumers, investors and regulators. For instance, firms may fear that their public image – and demand for their products – will suffer if they are seen to be offering U.S. residents less protection than E.U. residents (Shaffer, 2020, pp. 78–79. See also Bradford, 2020, p. 61; Scott, 2009, pp. 927–928; Frankenreiter, 2022, pp. 20–21). 3 Alternatively, firms might comply with E.U. standards in order to signal to U.S. regulators that further U.S. legislation is unnecessary (Shaffer, 2020, p. 58). This theory presumes that firms expect the relevant stakeholders to both observe and reward compliance with foreign law, but that kind of response is not guaranteed. For example, consumers might interpret compliance with E.U. standards on disclosure of privacy risks as a signal that compliant firms are putting their data at risk and so should be avoided. Meanwhile, U.S. regulators might take compliance with E.U. standards as a signal that the associated compliance costs are low and so further U.S. legislation is feasible. Yet another possibility is that compliance generates benefits for individual agents within a firm rather than the firm as a whole. For instance, compliance managers may induce their employers to comply in order to enhance their personal reputations or self-esteem.
The magnitude of spillovers through each of these channels will depend in part on levels of enforcement and compliance in the source jurisdiction, both actual and anticipated. First, the risk of legal sanctions will depend on the extent to which enforcement agencies in the source jurisdiction have the capacity and incentives to engage in cross-border enforcement. For instance, well-resourced agencies may have an incentive to pursue cross-border enforcement actions in order to avoid placing firms operating in their territory at a competitive disadvantage. Second, the greater the level of compliance in the source jurisdiction, the more likely it is that consumers and investors in other jurisdictions will become aware of the source jurisdiction’s norms and be in a position to reward firms that signal compliance with them. Third, high levels of compliance in the source jurisdiction may reduce compliance costs. For example, a greater number of compliant firms might induce service providers to develop more effective or lower-cost technologies or generate a larger pool of compliance professionals. Moreover, when the benefits and costs of compliance are uncertain, firms might take the number of compliant firms in the source jurisdiction as a signal of the likely net benefits. Fourth, high levels of compliance in the source jurisdiction may enhance the normative appeal of its laws.
Implications of International Regulatory Spillovers for U.S. Privacy Regulation
International regulatory spillovers may have wide-ranging effects on the interests and behavior of private actors and lawmakers, in both the source and the affected jurisdictions.
As far as private actors are concerned, spillovers by definition involve changes in compliance behavior. For the reasons outlined above, this may yield either costs or benefits for the actor who complies. It is tempting to conclude that spillovers are beneficial when they reflect efforts to capture the benefits of signaling or to conform to appealing norms, and detrimental when they reflect efforts to avoid the costs of liability or incremental compliance measures (Frankenreiter, 2022, pp. 1104–1116). We do not make any presumption of this sort because, at least in principle, even from a purely economic perspective it is possible for firms to engage in excessive signaling or to conform to norms that are inefficient.
Compliance may also affect the welfare of other parties, such as people who benefit from cleaner air or greater privacy protection or who lose their jobs as a result of a decline in the complying firm’s activities. In the information privacy context, for example, firms that comply with the GDPR in the U.S. could afford customers the right to access and delete their personal information, which could ease some of the current anxieties about law enforcement officials accessing period and pregnancy tracker applications’ information to prosecute individuals seeking abortions in states where abortion is now illegal. Competitors of the complying firm and their stakeholders may also be affected because compliance with foreign law may result in either a competitive advantage or disadvantage. For example, automobile manufacturers who choose to comply with costly California standards may be at a disadvantage to competitors who choose not to comply.
Spillovers may also affect private actors’ political behavior. Actors who anticipate being affected by spillovers will have an incentive to lobby foreign governments; Bradford cites many examples of U.S. firms trying to shape E.U. law to favor their interests by lobbying lawmakers in Brussels (2020, pp. 254–256. See also Scott, 2009). Meanwhile, in the jurisdiction affected by the spillover, firms that are already complying with a foreign standard may drop their objections to local adoption of the standard. They may even go further and actively promote local adoption in order to avoid being placed at a disadvantage to competitors who are not complying (Bradford, 2020, p. 256; Rothenberg, 2018).
As for lawmakers, how they respond to international regulatory spillovers will depend on whether they are responsible for creating or responding to spillovers and whether they care solely about the rights and welfare of people within their territory. Lawmakers in the source jurisdiction who care about the interests of foreigners ought to be eager to create spillovers that benefit foreigners and reluctant to create spillovers that impose undue burdens on them. At the opposite end of the spectrum, lawmakers who care only about the welfare of their fellow nationals still ought to care about how the spillover effects of the laws they adopt will affect the competitiveness of domestic firms. Enacting strict standards might become more appealing if international spillovers ensure that domestic firms’ competitiveness will be unharmed. Meanwhile, lawmakers whose constituents are likely to be affected by spillovers will have to consider those spillovers when assessing the incremental impact of their own laws. For example, if virtually all of the cars being sold in a jurisdiction already comply with California emissions standards then adopting similar local standards will have little impact on compliance and so may be less politically costly than it would be in the absence of spillovers. At the same time, those spillovers may reduce the political benefits of domestic adoption.
GDPR
The remainder of this article examines the most prominent contemporary example of an international regulatory spillover, compliance with the GDPR outside of the E.U. As we shall see, prior to its enactment the GDPR was expected to be vigorously enforced and to generate high levels of compliance within the E.U. These are precisely the conditions under which one would expect international spillovers to be meaningful and so the GDPR qualifies as a ‘most likely case’ in which to observe international regulatory spillovers.
Background: Regulation of Information Privacy in the U.S. and the E.U.
Information privacy regulation has been hotly debated for the past two decades and different regimes have emerged around the globe. Since the early 1990s, the U.S. has adopted a self-regulatory market-based regime, known as “Notice and Choice.” The regime is overseen by the Federal Trade Commission (FTC) and recommends that firms embrace the FTC’s Fair Information Practice Principles related to the collection, use, sharing, and security of personal information, outline their information practices in privacy policies, and offer individuals some choices regarding particular information privacy practices (Federal Trade Commission, 1998). 4 Notice and Choice is a disclosure-based regulatory approach whose goal is to encourage individuals to read privacy policies and engage with firms with desirable information practices. This is in turn supposed to encourage firms to compete on privacy. Over the past two decades, the FTC has updated its recommended information privacy practices in a series of reports to Congress. The most recent are outlined in a 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (FTC, 2012).
The FTC takes an active role in enforcement of consumer information privacy: it oversees enforcement of the now temporarily-defunct E.U.-U.S. Privacy Shield, another voluntary framework that allowed participating firms to meet E.U. requirements for transferring personal data to third countries, in accordance with Chapter V of the GDPR. The FTC uses Section 5 of the FTC Act to bring actions against firms that engage in unfair or deceptive information privacy practices, such as violating terms in privacy policies, to encourage compliance with its regime. 5 Despite this additional push, commentators and academics have regarded the U.S. regime as toothless and incapable of reining in firms’ information privacy practices due to its voluntary nature and the FTC’s inability to fine firms for failure to comply with the guidelines (See, e.g., Martin, 2013; Kang, 1998; Schwartz, 2000; Strahilevitz, 2013. But see Calo, 2013; Bamberger & Mulligan, 2010, p. 288). The empirical literature supports these conclusions: disclosure regimes generally have failed to promote or increase readership of standard terms, especially when the terms are long and difficult to read, as privacy policies have been shown to be; and studies have documented that firms’ information practices show poor compliance with previous FTC guidelines (Ben-Shahar & Schneider, 2014; Bakos et al., 2014; Electronic Privacy Information Center, 1999; Hoofnagle, 2005; Marotta-Wurgler, 2016; McDonald & Cranor, 2008).
The E.U.’s 2018 GDPR stands in sharp contrast to the U.S.’s regime. Most strikingly, it is a mandatory law which gives enforcement agencies the authority to impose significant sanctions for violations, including up to 4% of a company’s yearly global revenues. Like FTC (2012), it has extensive disclosure requirements that firms must include in their privacy policies. “Data controllers” must inform data subjects about how their data will be used, what categories of data will be collected, how long the data will be kept, and how they can exercise their data-related rights. They must also obtain consent to data processing “in an intelligible and accessible form, using clear and plain language.” (GDPR, 2018, Article 12. See also Becher & Benoliel, 2021) If the controller intends to transfer personal data to a country outside the E.U., this information must be disclosed in the privacy policy. Furthermore, controllers need to disclose any third parties who will handle the data. If the data controller suffers a data breach that creates “a high risk to the rights and freedoms of natural persons,” the data controller must notify the subject (GDPR, 2018, Article 35).
The GDPR also incorporates numerous substantive protections that go well beyond the FTC’s. First, it imposes strict restrictions on use and transfer. Data controllers who retain personal data can only do so for as long as necessary to fulfill the original basis for collection and processing. In addition, the GDPR requires that data controllers implement appropriate security measures and gives data subjects the right to sue for compensation for violations of its directives as well as the right to access and rectify any inaccurate personal data. It also includes substantive rules regarding transfers following the initial collection. The GDPR dictates that transfers from data controllers to processors be governed by a written contract that gives the controllers significant control over the processor’s activities, requires consent to transfers to sub-processors, and requires compliance with the GDPR. With regards to enforcement and termination rights, the GDPR permits data subjects to terminate agreements by withdrawing their consent to processing and encourages collective enforcement by giving data subjects the right to mandate a non-profit to conduct enforcement proceedings on their behalf.
The GDPR seeks to circumvent both the constraints of contractual privity and the traditional limitations on extra-territorial jurisdiction. It applies explicitly to the processing of personal data of E.U. residents by entities located outside the E.U. (Article 3 (2)). It also applies to the processing of personal data “in the context of the activities of” entities located in the E.U., even if the processing itself does not take place in the E.U. (Article 3 (1)). It seems clear that processing of data of non-E.U. residents by entities located outside the E.U. is not covered by the first prong of this formula. There is some uncertainty, however, about the circumstances in which such processing will be deemed to be “in the context of the activities of” an entity located in the E.U. 6
Not only does the GDPR clearly apply to firms located outside the E.U., it also expressly reaches instances where the personal information of E.U. residents is transferred outside of the E.U. Article 46 of the GDPR specifically authorizes transfers of this sort when the transferor enters into an agreement with the transferee that incorporates the protections provided under E.U. law and allows the data subject to enforce those rights as a third-party beneficiary of the agreement. This can be done by, among other things, incorporating “standard contractual clauses” approved by the Commission for this purpose. The pre-existing standard contractual clauses were revised by the Commission on June 4, 2021 to make them GDPR-compliant.
The GDPR took the world by storm, even though many of its substantive requirements were not new. In the runup to its enactment, legal news outlets and major newspapers discussed its scope, stiff penalties and likely effects on firms’ information privacy practices, and consumers conducted a record number of privacy-related searches (Economist, 2018; Satariano, 2018). Importantly, the GDPR also had an undeniable effect on the information practices of firms subject to its scope, as shown, for instance, by studies documenting changes in intra-firm data privacy management, the structure of relationships with intermediaries, and connections with technology providers (Bessen et al., 2020; Goldberg et al., 2019; Peukert et al., 2022, pp. 746–768).
In the aftermath of the GDPR, lawmakers in many other jurisdictions have moved to reform their privacy laws, including lawmakers in the U.S. (Greenleaf, 2023; Morton, 2023). To date, over a dozen states have enacted comprehensive consumer data privacy laws to fill the void left by the lack of substantive Federal privacy legislation. The most salient example is California, whose CCPA shares many aspects of the GDPR (including stiff penalties for noncompliance) (see California Consumer Privacy Act, 2018; Connecticut Personal Data Privacy and Online Monitoring, 2022; Utah Consumer Privacy Act, 2022; Virginia Consumer Data Protection Act, 2021). Examining the likelihood and extent of GDPR spillovers is critical to assess the likely impact and political feasibility of these sorts of initiatives.
Existing Evidence of GDPR Spillovers
Studies of the spillover effects of the GDPR have examined its impact on a range of privacy practices. Peukert et al. (2022) examine the influence of the GDPR on data-related practices of more than 110,000 websites. GDPR Article 13 (1) (e) requires data providers to make sure third-party data processing providers also abide by the GDPR. They find that after the GDPR came into effect the websites in their sample reduced the number of requests to third party servers that potentially could involve sharing users’ personal data. The GDPR appeared to affect the practices of websites to which it was not directly applicable, but in a limited way. On the one hand, websites that neither were located in the E.U. nor appeared to cater to people in the E.U. displayed reductions in the numbers of third party requests. On the other hand, those reductions were relatively small and lasted no more than 6 months.
An alternative way to measure the influence of the GDPR is to examine the contents of firms’ privacy policies. The content of firms’ privacy policies is shaped by many factors besides regulatory requirements, including the costs of drafting the policies and the attitudes of the professionals who draft them. Consequently, privacy policies may not fully reflect firms’ actual privacy information practices. However, a sizeable portion of the GDPR’s requirements is disclosure-based which means that compliance ought to be reflected in privacy policies.
Davis and Marotta-Wurgler (2019) investigated the GDPR effect by looking at changes in firms’ privacy policies over time. We compared the information privacy practices outlined in privacy policies presented to U.S. consumers from a representative sample of 194 firms’ websites at two points in time: in 2014 and immediately after the GDPR went into effect (Davis & Marotta-Wurgler, 2019). We found that a large fraction of sample firms significantly revised their privacy policies right around May 2018, the month when the GDPR came into effect (Davis & Marotta-Wurgler, 2019). This widespread change in firms’ stated privacy practices was unprecedented in its magnitude and unparalleled by any previous efforts to comply with U.S. regulations or guidelines. If we focus on the 2014 privacy policies, we found an increase in the rate of revisions around 2012, the year when the FTC’s latest information privacy guidelines were issued, followed by another large number of revisions in 2014. This is in sharp contrast to the 2018 sample, where over 70% of firms revised their policies right around the date when the GDPR became effective, and about 15% revised them one to two years prior, when the GDPR was introduced. The effect of the GDPR on the privacy policies is readily apparent, and most 2018 sample policies referred to it in varying ways.
Frankenreiter’s contribution to this discussion also contains an empirical study that finds a limited GDPR effect for a small set of terms from a sample of websites’ privacy policies. He finds that the GDPR prompted changes in both U.S.- and E.U.-facing privacy policies used on the most frequently visited websites in the U.S. and the E.U. respectively. He also finds that many of the revised U.S.-facing policies granted greater protection to E.U. residents than to non-E.U. residents. By October 2018, 34.7% of U.S.-facing websites complied with more than half of the GDPR requirements that he tracks for E.U. residents, but only 6.7% met that standard for non-E.U. residents (Frankenreiter, 2022, pp. 1201–1202). Meanwhile, 76% of the E.U.-facing websites in the sample complied with the majority of the GDPR requirements (p. 1200). This discrepancy may be explained by the sample selection; the E.U.- and U.S.-facing websites do not belong to corresponding firms and markets. In addition, the sample includes non-commercial firms, such as universities, making it hard to disentangle whether the differences in compliance between E.U.- and U.S.-facing websites are the result of a limited spillover or of differences in compliance across different firms in different markets in each region. Frankenreiter’s quantitative analysis focuses mainly on the role of economies of scale in explaining why firms adopt GDPR-compliant terms in their U.S.-facing privacy policies. He concludes that they play a limited role and so costs of differential compliance are unlikely to explain the spillovers he observes. He suggests that those spillovers are more likely to be explained as attempts to capture benefits that flow from signaling compliance to consumers.
Contribution to the Existing Literature
Our study contributes to the existing literature in three main ways. First, it offers a more granular examination of compliance that extends to a broader set of GDPR requirements to evaluate firms’ general approach to compliance. Second, it offers a robust benchmark against which to measure GDPR compliance and, consequently, the magnitude of any spillover effects outside of the E.U., the jurisdiction where compliance with the law is mandatory. Third, it expands the analysis of the impact of the GDPR on privacy policies by examining compliance in light of both theories of international regulatory spillovers and theories of how documents such as privacy policies are drafted.
Evidence of Spillovers
In the sections that follow we begin by describing our dataset and summarizing our findings about levels of compliance reflected in the privacy policies. We then examine whether the adoption of the GDPR had spillover effects on U.S.-facing privacy policies as well as which policies and which terms within those policies reflect spillover effects.
Dataset
We measure GDPR compliance in both the U.S.-facing policies (presented to U.S.-based consumers) and E.U.-facing policies (presented to E.U.-based consumers) from 177 representative companies from seven online markets where consumer data is collected and shared at various levels of intensity: adult, cloud computing, dating, gaming, news and reviews, social networks, and special interest message boards. The firms include both major and minor players from each market, as corroborated by various market share reporters. The firm selection process is described in detail in Marotta-Wurgler (2017, S22–26).
The firms in our dataset all conduct business in the United States and have overseas operations, including in the E.U. The sample is the same as the one used in Davis and Marotta-Wurgler (2019), except for three firms that did not have an E.U. presence and therefore were irrelevant for our purposes. It includes the largest firms, such as Amazon, Facebook, and Google, as well as many smaller firms. We ascertained each firm’s E.U. presence by checking for an E.U.-based address on the firms’ websites and on public firm directories. We collected E.U. location data in January 2020. Of all the sample firms, 165 are headquartered outside of the E.U., with 141 operating in the United States and the remaining 24 in non-E.U. countries, including Argentina, Australia, the Bahamas, India, the United Kingdom, the Cayman Islands, Norway, the Philippines, Russia, Switzerland, and Singapore. Only 12 sample firms are headquartered in the E.U.: one firm each in Cyprus, Finland, Hungary, and the Netherlands; five firms in Luxembourg; and three in Germany.
For each of the 177 sample firms, we collected three policies: a 2014 U.S.-facing privacy policy (before the GDPR), a 2018 U.S.-facing policy collected in August 2018 (after the GDPR), and a 2018 E.U.-facing policy which we gathered in January 2020 (after the GDPR). We were able to collect the 2018 version of about half of these policies using the Wayback Machine or through direct communication with the firms. For firms that did not respond, we obtained the policies using a VPN located in Ireland and verified that the policy obtained was the one data subjects in Ireland would see. As we explain in the following section, we do not believe this difference in collection timing is likely to bias our results in any meaningful way. Each policy was coded by two coders who are lawyers or had at least completed the first year of law school (Marotta-Wurgler, 2017).
Strikingly, 75% of the sample firms (133 of 177) offered precisely the same privacy policy to their E.U. and their U.S. users in 2018. The remaining 25% (44 of 177) either offered a distinct policy (28 firms) or included a “carveout” referring to additional GDPR-related rights for data subjects in E.U. member states (16 firms). In only six cases does the carveout explicitly confer additional rights on data subjects in the E.U.; in the other cases the “carveout” consists of a general statement that data subjects in the E.U. have rights conferred by the GDPR.
Table 1. Summary Statistics by Policy Type.
Reported statistics are means unless specified otherwise. The “year last updated” variable is summarized only for contracts which report such a date. Alexa rankings are truncated at 1,000,000. For firms with separate E.U. policies in 2018, or where the U.S. Alexa rankings are unavailable, we use worldwide Alexa rankings. Blank cells indicate a variable that takes the same value for all years and all policies for a given firm, so only the 2014 U.S.-facing policy cell is filled in.
Table 1 also summarizes the characteristics of the privacy policies we collected. On average, the privacy policies from 2014 were last updated in 2011 (median 2012). The mean date of last update is 2017 for the policies collected in 2018, while the median date of last update is 2018 for both the U.S.-facing and E.U.-facing policies. Most firms updated both their E.U.-facing and U.S.-facing policies around the time when the GDPR came into effect, as evidenced by the date of last update.
Measures of GDPR Compliance
Much of our analysis relies on measures of the extent to which the terms of firms’ privacy policies suggest that the firm complies with GDPR requirements. We track compliance for 62 terms across 15 categories of GDPR requirements governing a wide range of information privacy practices. The terms tracked are comprehensive of the practices usually described in privacy policies, which correspond to a substantial number of GDPR requirements, although they are not exhaustive. The terms we track include, among others, requirements that firms provide a legal basis for processing personal data, allow data subjects to exercise rights guaranteed by the GDPR, comply with data processing requirements (including data security and protection), adopt security measures, and offer specific means of redress. In addition, to measure compliance with the GDPR’s consent requirements, we track how the terms are presented to users and the types of consent mechanisms used. Further details regarding the terms, their purpose, and their correspondence with GDPR articles are provided in Appendix B.
Our coding strategy was to be as granular as possible in order to capture differences across firms and minimize coder discretion (Marotta-Wurgler, 2017). For example, when tracking whether the privacy policy has a consent mechanism for the sharing of users’ personally identifiable information, we first track whether such information is collected. If so, we measure whether the mechanism is opt-in (requiring the user to take an affirmative action to share such information), opt-out (requiring the user to take an action to stop such sharing), or mandatory. When measuring how the firm will communicate changes in privacy policies, we measure all the possible ways in which a firm can communicate this to users (email, notice on the site, no notice, new affirmative consent requirement), as well as whether the firm is silent on the issue or promises not to change the contract.
One of the terms we code is the one disclosing whether the firm has a “Data Privacy Officer,” which was introduced in response to novel provisions of the GDPR and so was not present in the 2014 policies.
For similar reasons, we also code and track 2018 policies that include the Standard Contractual Clauses. Those clauses predated the GDPR. The required content was amended by the new regulation, but the new requirements did not go into effect until 2021, years after we collected our sample policies. Accordingly, the presence of Standard Contractual Clauses in a privacy policy is an indication that it was influenced by E.U. privacy law, though not necessarily the GDPR.
Table 2. Policy Compliance With GDPR.
Terms are grouped into categories. Blank cells indicate terms for which compliance is not defined by the standard. Novel GDPR terms are blank for 2014 contracts. Most E.U.-facing policies are the same as the company’s U.S. policy. All cell values report the fraction of contracts that comply with the GDPR rules regarding the term in question, not the fraction of contracts that contain a particular value of the term. Most terms are measured for all 177 contracts, but for a handful of terms there are contracts for which the terms are not applicable, and compliance is not computed.
Table 3. U.S. Policy Compliance With GDPR: Firms With Common Versus Distinct E.U. Policies.
Novel GDPR terms are blank for 2014 contracts. All cell values report the fraction of contracts that comply with the GDPR rules regarding the term in question, not the fraction of contracts that contain a particular value of the term. There are 44 firms that have distinct terms for E.U. residents in 2018, whether made distinct by a separate document or by a GDPR/E.U. carveout.
Tables 2 and 3 allow us to compare levels of compliance in three ways: between U.S.-facing policies in 2014 and 2018, between U.S.-facing and E.U.-facing policies in 2018 (we use the latter as a benchmark to measure the magnitude of GDPR compliance in the U.S.), and between terms. These comparisons reveal four key points.
First, there was a modest increase between 2014 and 2018 in the average level of compliance reflected in the terms of U.S.-facing policies, but that trend was not consistent across terms. The average level of compliance with non-novel GDPR terms in U.S.-facing privacy policies increased from 40% in 2014 to 43% in 2018. Firms that used the same policy in 2018 (as reported in Table 3) showed relatively little increase in GDPR compliance between 2014 and 2018: from 40% to 42%. Meanwhile, firms with distinct policies in 2018 went from lower GDPR compliance in 2014 to greater compliance in 2018: from 37% to 44%.
Second, the average aggregate compliance levels reported in Tables 2 and 3 conceal considerable variation across terms. For instance, firms greatly increased compliance with requirements to disclose the collection of content data and sensitive information (from 58% to 93% and from 39% to 61%, respectively) and to bind third party processors contractually (from 18% to 52%). Not all terms became more protective, however. For example, between 2014 and 2018, the proportion of firms that allowed users to adjust privacy settings decreased from 52% to 21%.
Third, the privacy policies manifest very low levels of compliance with certain requirements, but this does not necessarily mean that all firms’ actual practices are not GDPR-compliant, or that firms did not respond to GDPR. For instance, although the proportion of U.S.-facing privacy policies containing promises to notify users in case of data breaches doubled, from 4% to 8%, between 2014 and 2018, the absolute level of compliance was still low. However, as mentioned earlier, the failure to make such promises in a privacy policy does not necessarily mean that a firm will not comply with data breach disclosure mandates in the event of a breach. Unlike many other terms we track, the GDPR does not require firms to include disclosures regarding their data breach notification practices. It only imposes an obligation to notify when the event arises. Therefore, the absence of a data breach notification term does not mean that a firm has failed to comply with the GDPR. That may also explain why only 9% of firms’ E.U.-facing policies contain such a term.
Fourth, the level of compliance for most sample terms is higher than documented levels of compliance with the FTC’s non-binding “Notice and Choice” guidelines (Marotta-Wurgler, 2017).
Indicators of GDPR Spillovers
Table 4. Indicators of GDPR Influence and Spillovers on 2018 U.S. Policies.
Panel A shows the fraction of policies showing the influence of the GDPR. In Panel B, ***, **, and * denote statistical significance at the 1%, 5%, and 10% levels, respectively.
The most straightforward, and in some ways the most compelling, indicator of a spillover is simply whether the U.S. policy states that it is GDPR-compliant. We call this indicator S1. 23% of U.S.-facing policies contain such a statement. Our indicator S2 is less strict and more encompassing, merely indicating whether the GDPR is mentioned, rather than claimed, in the U.S.-facing policy. This simply represents an explicit acknowledgement that a set of rules known as GDPR exists. Indicator S3 is based on whether the 2018 U.S.-facing policy was last updated in April or May 2018.
Our next two indicators, S4 and S5, identify spillovers with the use of novel terms and Standard Contractual Clauses. S4 identifies a spillover with the appearance of at least one of three terms particular to European privacy law: the designation of a DPO, the verbatim incorporation of the E.U. standard contractual clauses for transfer of personal data to controllers in third countries, or the same with respect to transfer of personal data to processors in third countries. S5 identifies a spillover with U.S.-facing policies’ compliance with at least three of the 15 ‘European’ terms. Like S4 above and S6 below, this is an arbitrary threshold that appears to divide the sample but could be changed somewhat without a major effect on interpretation.
Our last spillover indicator, S6, identifies spillover with a net increase in compliance among at least three of the terms that are not particular to GDPR. We use this mostly as a control measure, since these terms may have changed prior to the adoption of GDPR and without reference to its requirements. The second panel of Table 4 shows correlations between these spillover indicators. The first two, S1 and S2, are positively correlated by definition because S1 = 1 automatically implies S2 = 1. S4 and S5 also have this sort of mechanical positive correlation. More compelling are the statistically significant positive correlations between S3 (updating around GDPR introduction) and spillover indicators based on content, such as S1 and S4. There is also a weakly statistically significant correlation between compliance in European terms (S5) and changes in compliance among non-novel (S6) terms. The positive correlations throughout the table suggest that to a greater or lesser degree, the spillover indicators are highlighting the same firms.
Which Policies Exhibit Evidence of Spillovers?
Table 4 suggests that a substantial fraction of U.S.-facing policies was influenced by GDPR. Our most strictly defined indicators of the spillover effect suggest that the GDPR influenced 23% and 29% of U.S.-facing policies respectively. The more broadly defined indicators suggest that anywhere from 39% to 50% of policies were influenced.
Almost all of our indicators suggest that GDPR spillovers are much more prevalent among firms that maintained distinct policies in the U.S. and the E.U. as of 2018. For instance, overall, 29% of U.S.-facing policies feature at least one European term (S4), but this is driven by the 70% prevalence of those terms in firms that maintain distinct U.S.-E.U. policies. Only our most loosely defined indicator of spillovers, S6, suggests that spillovers are less prevalent among firms with distinct policies.
Our dataset permits us to explore whether other factors besides use of a distinct E.U. policy are associated with spillovers. To investigate this question we use the spillover measures S1, S4, and S6 as 0-1 dependent variables and some of the firm and industry characteristics summarized in Table 1 as independent variables. We hesitate to call these independent variables “determinants” of spillovers because identifying causality is always challenging.
Table 5. Regressions to Explain GDPR Influence and Spillovers.
All 2018 U.S. contracts. Each dependent variable is a 0–1 indicator of GDPR influence. Every third regression contains the endogenous variable “distinct E.U. policy” to show that results do not change. Product popularity is defined as the negative of the log Alexa rank. Standard errors in parentheses. ***, **, and * denote statistical significance at the 1%, 5%, and 10% levels, respectively.
We obtain the same finding when using S4 (the presence of at least one of three novel GDPR terms) as the spillover indicator. Across all three specifications in the middle columns, the most robust factor is an E.U. physical presence, raising the probability of S4 = 1 by about 25%. There is weak evidence that companies with a paid service are also more likely to exhibit a spillover by this measure. Companies without paid services tend to have ad-based business models. Those firms may find it relatively costly to comply with the more restrictive data collection and retention practices imposed by the GDPR.
The last three columns use S6 (an increase in compliance with non-novel GDPR terms) as the spillover indicator. As mentioned above, this is the least definitive GDPR-spillover indicator, since it involves changes that may have happened for other reasons. In any event, we find that public firms are about 20% less likely to increase GDPR compliance in three or more non-novel terms. One might speculate that public firms are more sophisticated about “needlessly” increasing GDPR compliance in this way, but the same view could not explain the lack of this relationship with respect to S1 and S4. Here there is weak evidence that having an E.U. physical presence is a factor influencing spillovers.
Which Terms Exhibit Evidence of Spillovers?
Our data provide hints that the GDPR may have had greater effects on some terms of privacy policies than others. First, some terms of U.S.-facing policies exhibited greater changes from 2014 to 2018 than others. Second, some terms of U.S.-facing policies manifest greater divergence from E.U.-facing policies than others. We suggest that the terms whose levels of compliance in 2018 were both significantly higher than in 2014 and close to the levels of compliance in the E.U. are the ones that were most strongly affected by the GDPR, even if the 2018 level of compliance was less than 100%. Terms of U.S.-facing policies whose levels of compliance in 2018 were significantly higher than in 2014 but still lower than in the E.U.-facing policies appear to have been influenced less strongly.
Table 6. Terms With the Greatest Increase in Compliance.
Terms are listed in descending order according to the magnitude of change in the level of GDPR compliance from 2014 to 2018 for the sample policies. “2014 v. 2018” reports the difference in compliance between the U.S.-facing 2014 and 2018 policies. “2018 U.S.-Facing v. 2018 E.U.-Facing” reports the difference in compliance between the 2018 U.S.-facing and E.U.-facing policies.
Table 7. Terms With the Greatest Difference in Compliance.
Terms are listed in descending order according to the magnitude of difference in the level of GDPR compliance between 2018 U.S.-facing and 2018 E.U.-facing privacy policy terms. “2018 U.S.-Facing v. 2018 E.U.-Facing” reports the difference in compliance between the 2018 U.S.-facing and E.U.-facing policies.
What Explains GDPR Spillovers?
We now explore the factors that explain variations in spillovers, both across and within privacy policies. We begin by exploring whether spillovers are influenced by compliance costs, extraterritorial deterrence, or costs of differential compliance, taking into consideration the following hypotheses:
Compliance costs: Spillovers will be limited when adoption of GDPR-compliant terms is costly.
Extraterritorial deterrence: Spillovers will take the form of carveouts providing greater rights for E.U. data subjects than for other users.
Costs of differential compliance: Spillovers will be used to achieve uniformity in compliance practices across different parts of firms’ operations.
We cannot directly test whether spillovers are driven by attempts to capture benefits of compliance. We do, however, conjecture that those benefits may not be limited to economic benefits that accrue to firms. They may also include the benefits that accrue to key decision-makers within firms when they adhere to professional norms. Finally, we also conjecture that the spillovers we observe may be influenced by firms’ access to resources required to select GDPR-compliant terms that meet their organizational goals.
Compliance Costs
We examine the compliance costs hypothesis by leveraging our granular data set. Compliance costs tend to differ at the term level. We focus on those terms that have been identified as having relatively higher compliance costs and that can be measured by examining privacy policies (Deloitte, 2017; Presthus et al., 2018). These include the requirements that give data subjects the rights of data portability and deletion. We classify terms related to disclosures of information collected and used, as well as related privacy practices, as relatively low cost.
Our analysis of which terms manifest the least spillover effects bears out the view that the costs of complying with the GDPR limit the extent of GDPR spillovers. Commentary from 2017 and 2018 suggests that it was relatively costly for firms to comply with the requirement to give subjects the rights of data portability and deletion. By contrast, terms related to disclosure of information collected and used and related privacy practices appear to be relatively low cost (Deloitte, 2017; Presthus et al., 2018). Table 7 reveals that when firms opted for U.S.-facing policies with lower levels of compliance than in the E.U., they did so most frequently by failing to comply with the GDPR’s requirements to give users the right to delete information, to use the information in direct ads, and to adjust privacy settings. Compliance with all three of these requirements requires incurring costs that vary with the number of users to whom the rights are granted. This supports the inference that firms eschewed compliance with these requirements in their U.S.-facing policies in order to reduce their compliance costs, consistent with the compliance cost theory.
Extraterritorial Deterrence
We examine the extraterritorial deterrence hypothesis by measuring the extent to which firms include carveouts in their privacy policies. These carveouts are common contractual tools used to tailor standard form contracts to specific contracting parties (Frankenreiter, 2021; Zarsky, 2014). Common examples include warranty provisions that only apply to residents of states that have mandatory warranty terms and California Consumer Privacy Act (CCPA)-related provisions that apply only to residents of California. Firms concerned about potential penalties for failure to comply with the GDPR for E.U.-based subjects or citizens can easily extend such protections with carveouts in their U.S.-facing policies without extending compliance more generally.
Our data do not support the claim that GDPR spillovers are solely attributable to firms that fear being sanctioned for failing to comply with the GDPR if E.U. users visit their U.S.-facing websites. According to that view, firms would tend to adopt compliant provisions whose scope was limited to users in the E.U., i.e. carveouts. This would allow them to save on the costs of adopting GDPR-compliant information practices in the U.S. (or of risking FTC liability for deceptively claiming GDPR compliance). The fact that only 6 of the U.S.-facing policies in our sample included carveouts that granted superior rights to subjects in the E.U. suggests that this theory is not the principal explanation of the spillovers we observe. Or, to put it another way, fear of being sanctioned in the E.U. for targeting subjects in the E.U. does not explain the substantial evidence that the GDPR has affected the terms of U.S.-facing policies that explicitly apply to U.S. residents.
The relatively high level of spillovers among firms with an E.U. physical presence is, however, consistent with the idea that those firms fear being sanctioned for processing the data of people outside the E.U. on the grounds that the processing takes place “in the context of” their establishment’s activities in the E.U. Overall though, our data do not provide compelling evidence that extraterritorial deterrence is the primary driver of the spillovers we observe.
Costs of Differential Compliance
We explore this hypothesis in two ways. First, we consider whether firms adopt different privacy policies on their U.S.- and E.U.-facing websites. Second, we classify terms into those that are likely to govern firm information practices in a wholesale manner and are therefore harder to tailor to individual markets or subjects, and those that can be more easily tailored at the regional or individual level (Bradford, 2020).
Our analysis partly supports the theory that spillovers are driven by the costs of differential compliance. The simple fact that 75% of the firms in our sample use the same U.S. and E.U.-facing policies is consistent with the idea that differentiated compliance is costly. However, the fact that 25% of the firms used different policies on their U.S. and E.U.-facing websites suggests that the costs of differential compliance are not always prohibitive.
Our analysis of which terms manifest the greatest spillover effects also offers some support for the prediction that spillovers will be prevalent when compliance entails low incremental costs in the U.S. once a firm has complied in the E.U. GDPR requirements that may be uneconomical to comply with on a purely regional as opposed to firm-wide basis include provisions relating to third party contracts, and requirements to adopt “privacy by design” (which involves hiring personnel and adopting information privacy-sensitive information practices at the operational and product or service design level), security practices such as encryption, or limits on data processing (Bradford, 2020). Terms related to the processing of information, which appear under the “Controllers’ Obligations - Data Processors” and “Third Party Processor” categories, all show marked improvements in compliance. For example, compliance among terms relating to due diligence on third parties with data access increased from 2% in 2014 to 21% in 2018 and closely tracked compliance in E.U.-facing policies. However, compliance among terms related to technological security measures increased only slightly, from 42% in 2014 to 48% in 2018, and diverged significantly from E.U. levels of compliance. Moreover, overall compliance with terms related to privacy by design decreased from 43% to 26% and also diverged significantly from the level of compliance in the E.U.
One possibility is that the privacy policies may not reflect actual information practices: firms may be complying with “privacy by design” and security measures by implementing more safeguards in their operations and information practices but failing to mention those practices in their privacy policies – even the GDPR does not mandate such disclosure. Data processor contracts, in contrast, must be disclosed in privacy policies. This may explain the difference across these categories and thus offer stronger support for the hypothesis that spillovers are more likely when regional compliance is costly.
Benefits of Compliance, Norms, and Resources
Neither extraterritorial deterrence nor costs of differential compliance explains the appearance of spillovers in policies used by firms with distinct U.S.- and E.U.-facing policies. Nor do these theories explain why spillovers appear to be more common in firms with a physical presence in the E.U. We conjecture that several additional factors explain these findings.
Broadly speaking, our findings suggest that firms, or actors within those firms, benefit from adopting GDPR-compliant terms, but the nature of those benefits is unclear. It has been suggested that firms may adopt such terms to send a signal to potential counterparties whose data might be subject to the policy. Privacy policies are rarely read, so this effect is unlikely to be material (Bakos et al., 2014). More material is the fact that these policies often are published, and so any signals they contain also will be sent to investors, regulators, and the general public. In principle, however, the impact on a firm of sending such a signal could be negative, as in the case in which a robust privacy policy – or just one that is unusually prominent – alerts previously unconcerned consumers to the risk of privacy violations and so scares them away (Brough et al., 2022).
Our data are most consistent with a somewhat different conjecture about the benefits of GDPR compliance: decisionmakers within firms may ‘benefit’ from GDPR compliance because of its normative appeal rather than because of its purely economic consequences. Sociologists who study institutional isomorphism – the tendency of organizations to become like one another – suggest that normative considerations are most likely to induce conformity in organizational settings where managers charged with compliance decisions are highly professionalized (DiMaggio & Powell, 1983, pp. 152–155). For these purposes, professionalization means the existence of a group of practitioners who, by virtue of some combination of education and socialization, claim unique expertise and status in relation to a particular set of tasks (Kharuna, 2007, pp. 8–11). Professionalization inculcates a common sense of which policies and procedures are normatively sanctioned and legitimated, in other words, ‘the right way to do things’ (DiMaggio & Powell, 1983, p. 154). This implies that firms and sectors in which key compliance personnel have strong cross-border professional ties will be particularly susceptible to cross-border spillovers. Several commentators have suggested that privacy professionals exert a significant influence over firms’ information practices, that they transmit ideas about privacy practices through their institutional networks, and that they generally have a positive view of the GDPR (Shaffer, 2000, pp. 66–69; Waldman, 2020, pp. 807–808). Our findings are consistent with the conjecture that firms with E.U. locations were particularly likely to have compliance professionals with close ties to compliance professionals in the E.U. who were influenced by the normative appeal of the GDPR.
Our findings are also consistent with the possibility that firms with E.U. locations find it less costly than other firms to adopt GDPR-compliant provisions in their privacy policies, even when they choose different terms for their U.S. and E.U.-facing websites. It seems reasonable to presume that a firm’s ability to select terms that reflect its organizational objectives will depend on the firm’s access to both legal expertise and copies of policies that it can use as templates. These resources should be particularly accessible to firms that are already operating in the E.U. and have drafted compliant privacy policies. Those firms may have better working relationships with internal and external privacy experts in the E.U. and greater familiarity with E.U. debates around privacy.
The limitations of our study include the following. One is that we do not have 2014 E.U.-facing privacy policies with which to determine how such policies changed before and after the GDPR. Such data would offer a more thorough account of how policies in the E.U. have changed because of the GDPR, although our focus is on the effects of the E.U. law on U.S.-facing policies. Another potential concern is the size of our sample, which is smaller than those used in other studies and only covers six markets. But we do cover the largest e-commerce players, and our results are often strong enough that they seem unlikely to be overturned with additional data, at least within the markets we consider. A further potential concern is that our four-year collection window for comparing information practices in the U.S. may also capture changes in privacy policies that are not due to the GDPR. Yet our six GDPR compliance measures (Nou & Nyarko), including some which track precisely whether the policy claims GDPR compliance and the type of terms and language used that are novel to the GDPR, give us confidence that we are indeed capturing changes that are targeted toward GDPR compliance, particularly given that most changes occur in May 2018, precisely when the GDPR came into effect.
Conclusion
We demonstrate that the GDPR, which by its terms only applies to firms’ dealings in the E.U. and with data subjects in the E.U., also affected the privacy policies firms presented to U.S. consumers. More than half of U.S.-facing policies exhibited at least some influence of the GDPR; fully 23% of them state that the firm will comply with the foreign regulation. Only a quarter of our sample firms maintain distinct E.U.-facing and U.S.-facing privacy policies; rather than limit the GDPR’s influence to their E.U.-only policy, such firms actually exhibit a greater propensity to incorporate the GDPR into the U.S.-facing policy as well, with 52% of such firms’ policies stating that they comply with the GDPR. Firms with a physical presence in the E.U., and to a lesser extent firms whose products require payment to use, are more likely to exhibit such spillovers. This is a separate effect from those identified previously. To the best of our knowledge, this is one of the most granular studies to document the spillovers of the GDPR in a systematic way and to determine their magnitude against meaningful benchmarks. More generally, it offers evidence of regulatory spillovers (or “California” or “Brussels” Effects) beyond the environmental context.
Our results shed light on several hypotheses about the causes of international regulatory spillovers. First, there is no support for the hypothesis that firms are extending GDPR compliance in the U.S. for fear of potential violations as a result of failure to offer the required protections to E.U. residents abroad. Firms just don’t offer carveouts in their policies. Rather, most tend to offer the same policy in both regions, offering support for the theory that spillovers are driven by the costs of differential compliance. Further support for this theory is provided by the fact that the terms that have the largest changes in compliance are those that are costly to differentiate across regions, such as terms complying with the requirement that firms contract with data processors regarding data uses and security. On the other hand, terms that are costly to comply with and that vary at the user level, such as providing individuals the right to delete their information, are less likely to spill over. Finally, we identify a previously understudied potential channel for spillovers: having a physical location in a jurisdiction that adopts a disruptive regulation may trigger changes in firms’ internal norms and provide access to resources required to determine how to comply in a way that is consistent with the firms’ objectives.
Although our analysis suggests that the GDPR had significant spillover effects in the U.S., it does not suggest that those spillovers completely filled the gaps in the U.S. privacy regime. The variations in compliance that we found across both firms and GDPR obligations suggest that, at least as of August 2018, there was considerable room for firms to alter information privacy practices targeted by the GDPR. The greatest potential for change was in firms without a physical presence in the E.U. and in practices with high variable costs, including the right to delete information. Our findings are also open to the interpretation that the greatest potential for change is in firms that have less compliance capacity and less access to compliance professionals sympathetic to the goals of privacy regulation.
These findings have implications for both the likely impact and the feasibility of reforms to U.S. privacy law. As of August 2018, spillovers from the GDPR had not completely eliminated the potential impact of reforms to U.S. privacy law. Nor had those spillovers eliminated potential sources of opposition to such reforms. At the same time, our findings suggest that the impact of legal reforms –and perhaps the levels of political resistance as well – might turn on the extent to which those reforms succeed in influencing the capacity and normative orientation of firms’ compliance professionals. These conclusions are all based on data from a limited sample of firms at a specific point in time, but they offer clear directions for future research on additional firms and using more current data.
Supplemental Material
Supplemental Material - Filling the Void: How E.U. Privacy Law Spills Over to the U.S.
Supplemental Material for Filling the Void: How E.U. Privacy Law Spills Over to the U.S. by Kevin E. Davis and Florencia Marotta-Wurgler in Journal of Law and Empirical Analysis
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.