The General Data Protection Regulation (GDPR), the most comprehensive and far-reaching privacy regulatory regime remains a puzzle, both with respect to its empirical effect and its theoretical underpinnings. We argue that at its core, the GDPR creates a two-part mandate for privacy policies, requiring (1) that residual rights over data usage be assigned to consumers and (2) a heightened modification rule. We adapt standard models of incomplete contracts to show that the joint impact of these two requirements depends on a single parameter summarizing how consumers discount future privacy harms. We then use the model to explain how U.S. firms responded to the GDPR. We show that U.S. websites with E.U. exposure are more likely to change their U.S. privacy policies to have less stringent and more lenient modification rules. Among websites that do not have E.U. exposure we see the opposite trend. These results are explained by websites seeking to obtain residual rights over data usage after learning of the impact of the GDPR mandate.
Jens Frankenreiter, Talia Gillis & Dan Svirsky