The Bright Side of the GDPR: Welfare-Improving Privacy Management

We study the General Data Protection Regulation (GDPR)’s opt-in requirement in a model with a firm that provides a digital service and consumers who are heterogeneous in their valuations of the firm’s service and the privacy costs incurred when sharing personal data with the firm. We show that the GDPR boosts demand for the service by allowing consumers with high privacy costs to buy the service without sharing data. The increased demand leads to a higher price but a smaller quantity of shared data. If the firm’s revenue is largely usage based rather than data based, then both the firm’s profit and consumer surplus increase after the GDPR, implying that the GDPR can be welfare improving. But if the firm’s revenue is largely from data monetization, then the GDPR can reduce the firm’s profit and consumer surplus. This paper was accepted by D. J. Wu, information systems. Funding: The authors gratefully acknowledge financial support from the Australian Research Council [Grant DP210102015], the Japan Society for the Promotion of Science [KAKENHI Grants JP20H05631, JP21H00702, JP21K01452, JP21K18430, JP23H00818, JP23K20593, and JP23K25515], the Nomura Foundation, the International Joint Research Promotion Program at Osaka University, and the program of the Joint Usage/Research Center for “Behavioral Economics” at the ISER, Osaka University. Although N. Matsushima serves as a member of the Competition Policy Research Center at the Japan Fair Trade Commission (JFTC), the views expressed in this paper are solely ours and should not be attributed to the JFTC. Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2024.06653 .