A computer screen showing the letters GDPR spelled out amidst lines of binary copy

Data-driven: Lawmakers should be aware of the unintended consequences that privacy regulations can cause

Policies to protect privacy online could inadvertently lead to websites sharing personal information more widely, new research shows.

Many websites sell user data and allow ‘third parties’ to use cookies to track their online activity.

This has prompted some governments to bring in regulations to protect privacy online.

However, forcing websites to tell users how they share data and obtain consent to do so – such as the General Data Protection Regulation (GDPR) in Europe – increased the number of third parties they engaged, according to a study led by Warwick Business School.

That meant a user’s personal data was shared more widely.

Lead author Ram Gopal, Professor of Information Systems Management, said: “Widespread privacy abuses have prompted calls for governments to protect consumer rights.

“But our research found that these policies led to an increase in third-parties and data sharing.

“This will remain the case as long as some internet users are willing to accept higher data sharing in order to avoid paying for content.”

Consent-based privacy guidelines are like a 'sledgehammer'

The study by Warwick Business School, Haskayne School of Business in Canada, and Miami Herbert Business School in the US was published by the journal Information Systems Research.

Researchers used an automated tool to visit 100,000 top-ranked websites every day and record the number of third-parties they used to examine the impact of regulatory policies.

‘Consent-based’ regulation is relatively rare – most countries have adopted a non-intervention approach, including every US state except for California.

An alternative approach is to subsidise websites that do not share user data excessively. This has been tried in some industries in the United States, such as news and healthcare.

Professor Gopal said: “Subsidising websites that follow stricter privacy guidelines is like using a scalpel, allowing policymakers to sculpt around target markets.

“Consent-based policies are more like a sledgehammer, hitting everyone equally.

“However, both approaches could drive some websites out of business by causing a loss of revenue. This would reduce competition, which would be detrimental to internet users and society in general.

“Policymakers need to be aware of these unintended consequences when making regulations.”

Further reading:

Gopal, R. D., Hidaji, H., Kutlu, S. N., Patterson, R. A. and Yaraghi, N. (2023), Law, economics and privacy : implications of government policies on website and third-party information sharing, Information Systems Research.

Eshghi, A., Gopal, R. D., Hidaji, H. and Patterson, R. (2023), Now you see it, now you don’t: obfuscation of online third-party information sharing, INFORMS Journal on Computing, 35, 2, 286-303.

Shi, R., Aaltonen, A., Henfridsson, O. and Gopal, R. D. (2023), Comparing platform owners' early and late entry into complementary markets, MIS Quarterly.


Ram Gopal is Professor of Information Systems and Director of the Gillmore Centre for Financial Technology.

Learn how to innovate with new technology in the four-day Executive Education course Business Impacts of Artificial Intelligence.

For more articles on Digital Innovation and Entrepreneurship sign up to the Core Insights newsletter here.