A cyber padlock symbol emerges from a mobile phone screen, to show how a user's data is protected by privacy regulations

Fair share? Privacy regulations like GDPR could results in user data being shared more widely, research shows

If a stranger stopped you in the street and asked for your personal information, you would think twice about giving it to them. 

At the very least, you would probably ask why they wanted that information and what they planned to do with it. And unless they gave a very good reason, many of us would probably say no. 

Yet most of us are asked to allow firms to gather our information dozens of times each day as we navigate the internet. 

We are constantly confronted with questions like: “Do you accept cookies from this website?” And while we might find these requests irritating, most of us simply click “yes” and continue browsing, rather than bothering with the convoluted settings and choices that we don’t quite understand. 

These pop-ups have proliferated in response to recent privacy laws, such as the European Union’s General Data Protection Regulation (GPDR) and California’s Consumer Privacy Act. 

And while many countries do not have any restrictions, more jurisdictions are looking to implement their own regulations. For example, Canada is currently reviewing and modernising its Privacy Act. 

The intention is to limit how websites collect user data and share it with other companies, known as ‘third parties’. However, our research suggests these regulations are not as effective as intended. 

On the contrary, they actually increased the number of third parties that had access to user data. They also had the unintended consequence of decreasing competition to the detriment of consumers. 

The fact is that almost every website – both commercial and not-for-profit – commodifies user data. 

Within the first three seconds of opening an average web page, more than 80 third parties have accessed your information. 

This use of data by third parties can be helpful. It is an easy way for companies to earn money and can easily connect consumers to any resources they are looking for. 

However, third parties can also pose serious privacy threats to consumers. This can result in financial harm to users and to society at large. 

Discrimination can be based on any detectable characteristic including psychographic profiles, age, race, gender, or religious affiliation, among others.  

Meanwhile, society can be harmed by co-ordinated attempts to manipulate voters based on the data collected about website users and the information they are presented with as a result, as was famously the case with the Cambridge Analytica scandal

This is why privacy legislation is necessary. The impact of that legislation is less well understood.

Why does GDPR increase data sharing?

In particular, the strategic reaction of websites to the introduction of new regulations is often overlooked. This is more akin to a game of cat and mouse, than straightforward compliance. 

If a regulation says a website has to do X, then a website will often react to that restriction by doing Y, as well as doing X. 

This is not necessarily to avoid compliance. Rather, the intention is to continue to maximise profits while meeting new regulatory requirements.

I have spent years studying website privacy and revenue management with colleagues at the University of Miami and the University of Calgary. 

We analysed the privacy implications of website monetization strategies and how the trustworthiness of individual websites can be predicted by observing their third party usage. 

Our latest study focused on the effect of government intervention to protect consumer privacy online. We collected third-party utilisation of the 100,000 most popular websites globally around the time that California’s Consumer Privacy Act (CCPA) was implemented, comparing jurisdictions that enforced opt-in privacy regulations to those that had no such policies. 

We found that the implementation of opt-in policies had an unintended effect on the use of third parties. After the CCPA came into effect, there was a significant increase in the number of third parties that received the data of internet users who accessed those websites from California. 

The websites had complied with the new data protection and privacy regulations by asking users for consent. But to mitigate a potential fall in revenue as fewer users gave consent, they had increased the number of third party organisations that had access to the data of anybody who did opt in. 

In markets where users had relatively low privacy concerns and were more likely to give consent, their data was now being exposed to a significantly larger number of third parties – a completely unintended consequence of the legislation. 

How to protect online privacy more effectively

Our findings have important implications for policymakers involved in data protection and privacy regulation, offering countries like Canada the opportunity to learn from the mistakes made by other regulators. 

Rather than using opt-in policies as a one-size-fits-all approach, which we found to be counterproductive in addressing data-sharing concerns and harmful to competition, we recommend using a mix of policies in a more precise fashion. 

These mechanisms, such as limited consent requirements and subsidising websites in particular sectors or industries, are more likely to meet an industry’s specific needs and motivate competing websites to improve their third-party data sharing. 

As a result, they offer policymakers a more precise tool to sculpt data sharing in target markets, in contrast to the sledgehammer approach of opt-in policies that affect all markets equally. 

That is a lesson we should share far and wide, before ineffective regulations are rolled out globally.

Further reading:

Could a new AI model spot fake reviews on Amazon?

How can digital firms beat their rivals in the race for survival?

How can analysing third-parties identify fraudulent websites?


Ram Gopal is Professor of Information Systems Management at Warwick Business School, Director of the Gillmore Centre for Financial Technology, and is the Information Systems Society's Distinguished Fellow. He teaches Digital Finance, Blockchain and Cryptocurrenices on MSc Management of Information Systems and Digital Innovation.

Learn more about digital information and the future of work on the four-day Executive Education course Leading Digital Transformation at WBS London at The Shard.

For more articles on Entrepreneurship & Innovation sign up to the Core Insights Newsletter.