Economic Research on Privacy Regulation: Lessons from the GDPR and Beyond

This paper reviews the economic literature on the European Union's General Data Protection Regulation (GDPR). I highlight key challenges for studying the regulation including the difficulty of finding a suitable control group, variable firm compliance and regulatory enforcement, as well as the regulation's impact on data observability. The economic literature on the GDPR to date has largely—though not universally—documented harms to firms. These include harms to firm performance, competition, innovation, the web, and marketing. On the elusive consumer welfare side, the literature documents some objective privacy improvements as well as helpful survey evidence. The literature shows how the GDPR works in practice and illuminates the consequences of its design decisions. Finally, I suggest opportunities for future research on the GDPR as well as privacy regulation and privacy-related innovation more broadly.