Abstract
We study the GDPR's opt-in requirement in a model with a firm that provides a digital service and consumers who are heterogeneous in their valuations of the firm's service as well as the privacy costs incurred when sharing personal data with the firm. We show that the GDPR boosts demand for the service by allowing consumers with high privacy costs to buy the service without sharing data. The increased demand leads to a higher price but a smaller quantity of shared data. If the firm's revenue is largely usage-based rather than data-based, then both the firm's profit and consumer surplus increase after the GDPR, implying that the GDPR can be welfare-improving. But if the firm's revenue is largely from data monetization, then the GDPR can reduce the firm's profit and consumer surplus.
Original language | English |
---|---|
Journal | Management Science |
DOIs | |
Publication status | E-pub ahead of print - Nov 2024 |
Keywords
- GDPR
- opt-in
- opt-out
- privacy management
- welfare