MARKET FAILURES AND OTHER JUSTIFICATIONS FOR REGULATION
The European Union has had an extensive data protection regulatory framework since 1995, and has encouraged similar regulatory activity in nearly 50 non-EU countries. The USA has taken a more laissez-faire approach in the private sector, although the Obama administration launched a privacy ‘Bill of Rights’ in 2012 for consumers, and has encouraged the development of international privacy standards at the Asia-Pacific Economic Cooperation (APEC) intergovernmental group (Greenleaf, 2013).
But beyond enforcing contracts and prosecuting fraud, why should regulators get involved in market transactions between willing buyers and sellers of personal information?
Economists recognize three main types of market failure that justify limited government intervention: negative externalities, asymmetric information, and anticompetitive market structures. A negative externality occurs when an actor takes an economic decision that imposes costs on a third party, such as the decision of a power station to dump polluted waste water in a local river. Since the actor suffers no negative consequences in the absence of regulation, they have a strong incentive to take such actions. The resale of personal data for marketing purposes is another example of such an action, since it imposes the cost of future invasive advertising on the data subject without compensation. This is a strong argument for restricting third-party transactions in personal data to those authorized by the original consumer (Varian, 1997). More subtly, an individual that discloses information about themselves is also providing information about other individuals like them, which makes it harder for those individuals to mask their private characteristics (Moskowitz and Taylor, 2012).
The parties in a transaction often have asymmetric levels of information. In the case of privacy, consumers have limited knowledge of how their personal information will be used by producers. This is especially true of technology-mediated transactions, where personal data can be gathered ubiquitously and invisibly (Acquisti, 2004) in a way that few users - even young ‘digital natives’ - fully understand (Palfrey and Gasser, 2008, p. 285). For example, Debatin et al. (2009, p. 100) found in an online survey of students that while a majority reported they understood Facebook’s privacy settings, this understanding was skewed.
To reduce information asymmetry, regulators commonly require companies to disclose how they will use personal information. Tsai et al. (2011) found some evidence that accessible privacy policies encourage consumers to purchase from online retailers with better privacy protection, and that some consumers are willing to pay a premium to buy goods from more privacy-protective websites.
In general, however, privacy policies are usually long and complex legalistic documents that few consumers read and even fewer understand. They are usually subject to change at any moment, especially if the business ownership is transferred (Greenstadt and Smith, 2005). Verification and enforcement are difficult and costly, and have an unstable market equilibrium - when all firms respect privacy, no consumers will test those promises, encouraging firms to disregard their policies, which in turn encourages consumers to start testing policies and firms to respect privacy, ad infinitum (Vila et al., 2003). Finally, privacy is usually a secondary factor in an individual’s decision to buy a product - there may be no good privacy-protecting alternative. If consumers have little reason to know about or believe in good privacy practices, no firm has an incentive to follow them (Greenstadt and Smith, 2005).
One widely used mechanism to improve consumer confidence in firms’ privacy practices is the award of ‘privacy seals’ after an independent audit. However, these schemes often suffer from the problem of capture. If firms conducting audits earn income from the award of seals, they have an incentive to make them easy to obtain. The most popular scheme, TRUSTe, has been criticized for giving a seal to any firm that adhered to a stated privacy policy, however invasive that policy might be (ibid.). Edelman (2006) found that other ‘trust’ authorities issued seals without any substantial checks on the trustworthiness of recipients. This had the perverse effect that the sites seeking and obtaining seals were less trustworthy than those that did not.
Many early users of new social network sites are less concerned about privacy; the more privacy-concerned individuals join later in order to share information with their friends (Bonneau and Preibusch, 2009). Users that have invested a great deal of time in building profiles on one site will be reluctant to switch to a new site unless they can easily move their existing profile. There will therefore be limited competitive pressure for improved privacy practices in markets dominated by a small number of providers with high switching costs (Brown and Marsden, 2008).
Network effects tend to further encourage market concentration in communication markets: the value of such services increases with a growing customer base, since each new user increases the number of reachable users for all existing customers. Individuals want to be where their friends are, and are unlikely to leave popular sites such as Facebook unless all of their friends coordinate a move to another social networking site (ibid.).
12.3.1 Cognitive Biases
A broad range of behavioral economics research has found that individuals often do not behave in the calculating, rational manner assumed by classical economics. They do not have an unlimited amount of time and mental energy to carefully calculate the precise costs and benefits of every decision; they sometimes lack self-control and opt for immediate rather than delayed gratification; and they are often reluctant to overcome inertia, even when it would be to their benefit (Acquisti, 2004).
The risks that arise from disclosure of personal information are often highly probabilistic and difficult to calculate. Loss of data might lead to identity fraud, which can in turn result in the refusal of a small loan, a large mortgage, or a university place or job. Humans have finite cognitive resources; this ‘bounded rationality’ means that individuals can rarely obtain, remember and think through all of the information relevant to a privacy decision. Instead they rely on simplified mental models, approximate strategies and heuristics that will not have perfectly rational outcomes (Acquisti, 2002). For example, Acquisti and Grossklags asked respondents to a survey (all of whom were current or former university students) which parties had access to credit card details they had provided in an online purchase: 34.5 percent of survey respondents answered that only the merchant had access, while only 21.9 percent included ‘my credit card company or bank’, and just 19.3 percent answered ‘hackers or distributors of spyware’ (Acquisti and Grossklags, 2005, p. 31).
Individuals may only discover the payoffs of privacy protection or intrusion through infrequent experience (Acquisti, 2004). They are generally bad at judging cumulative risk, which is critical since personal data persists over time and total privacy risk is greater than the sum of its parts - a greater quantity of data makes it easier to identify the individual they refer to (ibid.). They also suffer from optimism bias, incorrectly estimating their own risks to be lower than those of other individuals under similar conditions (Acquisti, 2002).
Against these highly uncertain, subjective costs, individuals often receive some immediate benefit from information disclosure - sharing information with friends on a social network site, personalization of websites with recommendations and saved payment and delivery details, or discounts and coupons from loyalty schemes. Adults as well as children frequently make decisions that have an immediate benefit outweighed by longer-term costs, such as smoking or putting off a task that will take greater effort in future (Acquisti, 2004). This includes avoiding taking an action - such as opting out of a marketing program or changing default privacy settings (Edwards and Brown, 2009) - that has an immediate cost but only longer-term benefits.
Information disclosure behavior is highly situational, and can be strongly affected by the salience of privacy and other contextual factors such as anonymity and trust in the recipient. John et al. (2011) asked students a range of questions in a survey, with answers that could have significant consequences in a university setting - such as whether the student had cheated in an exam. Those who had been given an explicit assurance of confidentiality, thereby foregrounding privacy issues, were much less likely to admit cheating - 8 percent rather than 35.4 percent of participants. In a second experiment participants were asked more and less intrusive questions that they had to answer either explicitly or indirectly. Participants were 1.48 times more likely to admit intrusive behaviors when asked indirectly rather than explicitly.
Individuals sometimes need help to act in their own longer-term best interests (Thaler and Sunstein, 2008). They might wish to protect their privacy, but have difficulty in making the short-term decisions required to do so (Acquisti and Grossklags, 2003).
12.4