Protecting Consumers in Privacy and Data Security: A Perspective of Information Economics

31 Pages Posted: 24 Jul 2017

See all articles by Ginger Zhe Jin

Ginger Zhe Jin

University of Maryland - Department of Economics; National Bureau of Economic Research (NBER)

Andrew Stivers

NERA Economic Consulting

Date Written: May 22, 2017

Abstract

This note provides an economic approach to consumer privacy and data security based on the extensive economic literature on how information flows, and is used, in the marketplace. We apply that approach to consumer protection in privacy and data security, as a step toward the ultimate goal of facilitating well-grounded cost-benefit analysis of future policy and law enforcement action in this area.

Over the past two decades, the FTC has led the governmental effort to protect the integrity of consumer privacy choices in the market. This note attempts to describe the economic basis for that work in one coherent piece. Given the scope of the topic, this note is only a first step in providing clarity on the economic perspective on consumer protection in this area. We hope the note will improve future actions in privacy and data security. As a matter of scope, we do not discuss the potential implications of privacy and data security for antitrust or competition. Nor do we discuss data access and data use beyond domestic commerce.

We also do not claim to provide the economics of privacy and data security. Other authors have provided the basic research and surveys that this work builds on. Other perspectives might usefully focus on how property rights in information influence the creation and flow of information through the market, or how structuring privacy as a human right would change markets and influence social welfare. Such other perspectives might also facilitate cost-benefit analyses of privacy and data security policy and enforcement.

In comparison, we articulate privacy and data security issues primarily in information economic terms. In particular, we highlight the distinction between process and outcome: while an individual’s privacy outcome is the realized restriction on the flow and use of information, the process that leads to that outcome depends on many parties. The decisions that each of those parties make about how that information flows, and the control that each party exercises over the flow of the individual’s information, all contribute to the privacy outcome. The distinction between process and outcome is important. This is in part because while consumers may prefer more or less privacy – the outcome – given a particular situation, they all want themselves, and by extension the sellers they interact with, to have a certain amount of control over the flow. In line with other areas of market intervention, a focus on the process ensures that consumers and sellers have the tools to exercise appropriate control on the process. In turn, this should help bolster a healthy market to facilitate and honor their choice of privacy. This approach is in contrast to a more paternalistic approach that attempts to determine consumer preferences on privacy outcomes and directly impose that determination on the market.

Next, we articulate how consumer-to-seller information flows are more complicated in practice than the typical seller-to-consumer information flows that typically concern the FTC in other areas, such as advertising enforcement. In particular, information flows generated by a transaction can persist over time and create effects outside of that initial transaction. These persistent effects often complicate market incentives.

Because the persistence of information can cause commitment problems, and tends to exacerbate information asymmetry and externality, it is more starkly important for policy makers to foster a healthy information environment about privacy outcomes and processes, to encourage industry to develop standards and mechanisms that support a healthy information market, and to police that market if necessary. In this document, we identify some market mechanisms that have arisen to address potential market failures, and when interventions in consumer protection are most likely justified. In light of these potential market failures, we then list potential policy tools and discuss their pros and cons.

Keywords: Consumer, Privacy, Data Security, Information, Policy

JEL Classification: M31, M37, M38, L15, L51, D80, D82, D83

Suggested Citation

Jin, Ginger Zhe and Stivers, Andrew, Protecting Consumers in Privacy and Data Security: A Perspective of Information Economics (May 22, 2017). Available at SSRN: https://ssrn.com/abstract=3006172 or http://dx.doi.org/10.2139/ssrn.3006172

Ginger Zhe Jin (Contact Author)

University of Maryland - Department of Economics ( email )

College Park, MD 20742
United States
301-405-3484 (Phone)
301-405-3542 (Fax)

National Bureau of Economic Research (NBER)

1050 Massachusetts Avenue
Cambridge, MA 02138
United States

Andrew Stivers

NERA Economic Consulting ( email )

1255 23rd St NW Ste 600
Washington, DC 20037
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
438
Abstract Views
2,559
Rank
121,704
PlumX Metrics