The Economics of “Opt-Out” Versus “Opt-In” Privacy Rules

October 6, 2017


In the United States, federal laws use different mechanisms to protect an individual’s privacy. Some of these laws, especially those that focus on highly sensitive data, such as the Children’s Online Privacy Protection Act (COPPA), require individuals to opt in before companies can collect, use, and share their personal information. Others, such as the Gramm-Leach-Bliley Act (GLBA), operate on an opt-out basis, where companies make available information about how they collect, use, and share personal information and allow individuals to opt out if they desire. Which is better: opt in or opt out? Many scholars have studied this question, and the overwhelming evidence shows that in most cases opt-out rules for data collection and sharing are better for innovation and productivity while still protecting privacy.

Economic Theory and Privacy Rights

Some scholars, such as Lacker (2002), have argued that the decision whether to opt out or opt in can be best characterized by an economic theory developed by Nobel Prize-winning economist Ronald Coase (1960). Coase says that in a competitive market with well-defined property rights and no transaction costs, parties confronted with an externality will negotiate an efficient outcome. In the case of privacy, Coase’s Theorem suggests that control over data will go to the party that values it the most, regardless of who initially has the “right” to the data (i.e., whether the individual must opt in or opt out).

This means that if the law requires individuals to opt in before a company can collect or use data, then a company may provide incentives to users to opt in to sharing their data. Naturally, the company will not offer to pay more than what the data is worth to it. Individuals who value their data more than the company will not accept this offer, but individuals who value their data less than the company would. Alternatively, if the law requires individuals to have the ability to opt out, then a company may provide incentives for users to not opt out of sharing their data. Again, only users who value their data less than the company would accept this offer. And because of the positive externalities of sharing data, even these market-based solutions will often lead to sub-optimal societal welfare, as individuals will under-share or companies will pay too much.

However, while Coase’s theorem may be true in theory, in the real world, these conditions do not exist, and therefore the decision to create opt-in or opt-out rules matters for several reasons.

Data Markets Have Information Asymmetry

Coase’s theorem works best if all parties have equal knowledge about the transaction to negotiate an efficient outcome. However, there is often information asymmetry between businesses and consumers. Some consumers may not understand a company’s privacy practices. They may incorrectly believe a company’s privacy policy provides more protections than it does and therefore decide to permit their data to be shared even if this goes against their preferences. Or they may incorrectly believe the policy and practices provide fewer protections than they do, and therefore decide to restrict their data from being shared. Certainly, many consumers do not routinely read or understand privacy notices. Jensen et al. (2005) showed that users seldom consulted a website’s privacy policy and often had inaccurate perceptions about their own knowledge of how online technologies may affect their privacy. In addition, many people likely choose to be rationally ignorant about their privacy choices (intentionally not reading or ignoring the privacy policy) because the benefits of reading a privacy notice are too small when compared to the time needed to understand it.

This information asymmetry might suggest that policymakers should favor opt-in requirements because they minimize the chance that data will be used against the individual’s wishes. However, recent studies suggest that consumer behavior is not influenced by whether they read privacy notices. Ben-Shahar and Chilton (2016) analyzed how participants would behave based on the privacy policy of a dating app, where one policy explained that the app would collect highly sensitive information, such as sexual history, and sell that information to third-party advertisers. The authors found that consumers’ willingness to share this information was the same, regardless of what the privacy policy said and whether the participants had read it. Even when people understood the privacy policy and the information was highly sensitive, they still chose to share it. In part this may be because they believe that they would receive some benefit from sharing which would outweigh the risk from that sharing.

Privacy Decisions Have Transaction Costs

Coase’s theorem requires transaction costs to be near zero for parties to negotiate an efficient outcome. However, the transaction costs of privacy decisions can be significant, especially when consumers must opt in for companies to be able to use the data. Obtaining affirmative consent imposes significant costs on businesses. Bloom et al. (2010) attempted to calculate the cost for hospitals if the Texas government adopted opt-in policies for tracking immunization health records for children in the state. The study found that obtaining consent for each child born in the state would cost roughly $1.4 million or roughly $2 per child per year. Conversely, switching to an opt-out system would reduce this annual cost to $110,000 or $0.29 per child, which could redirect limited healthcare funding to critical areas, such as vaccine purchasing. Similarly, in 1997, the telecommunications provider Qwest, formerly called U.S. West, conducted a study to obtain affirmative consent to use information about customers’ calling patterns to advertise new services to them. The company used both direct mail and telemarketing to solicit this consent. While the telemarketing was more successful at soliciting consent than direct mail, Qwest still reported that it required an average of 4.8 telephone calls per household to obtain consent. The company determined that an opt-in policy was not a viable business strategy because it was too costly and inefficient. If companies are forced to live with opt-in rules, the higher costs involved would ultimately be passed along to consumers in the form of higher prices, or would result in fewer free services.

Even small transaction costs would be significant given the per-user value of many types of data. For example, when companies pay for advertising user profiles, i.e. information about a user’s likes and preferences for targeted advertisements, they buy them in bulk, which ends up being worth about $0.005 per user. Because of these thin margins, most companies who monetize their products with online advertising could not reasonably pay customers even small amounts for using their data. Instead, these companies would likely be better off in a fee-for-service business model, and more customers would end up paying for online services.

The Positive Externalities From Data Are Often Public Goods

Many uses of data generate positive externalities, and these benefits grow as more parties share the data. For example, health researchers can use data to track diseases, research cures, and accelerate innovation in health care, and the opportunities for these benefits increase as the data becomes available to more parties. However, many of these benefits are public goods, such as reduced traffic congestion or more efficient energy production, and the benefits are not fully captured by any particular party. This creates a free rider collective action problem where individuals benefit from this data sharing even if they were to opt-out individually.

The Negative Effects of Opt-In Rules

If Coase’s economic theory does not adequately fit the opt-out versus opt-in discussion, then we must turn to additional academic studies to determine which option is better. Research suggests there are several negative consequences for implementing opt-in rules and regulations for data privacy.

First, opt-in rules restrict market innovation. Goldfarb and Tucker (2010) found that privacy regulations can negatively impact the efficacy of online advertising, limiting the primary funding mechanism for today’s Internet. Specifically, Goldfarb and Tucker analyzed the impact of the European Union’s Privacy and Electronic Communications Directive (2002/58/EC), which various European countries implemented to limit how advertisers can collect and use information about consumers for targeted advertising. The authors found that after the opt-in policy went into effect, the result was an average reduction in the effectiveness of the online ads by approximately 65 percent. The authors note that if advertisers reduced their spending on online advertising in line with this reduction in effectiveness, “revenue for online display advertising could fall by more than half from $8 billion to $2.8 billion.” Therefore, opt-in policies would reduce the available funding for online companies, reducing their capacity to innovate and lowering functionality for their consumers. This is one important reason for the relatively smaller number of Internet startups in Europe, as they have a harder time funding their businesses through ads than do Internet startups in the United States.

Second, requiring users to opt in to data collection would impose other burdens on consumers, such as unwanted calls or emails. There are many situations where companies only want data about a select group of individuals. Unless they can identify this group in advance, opt-in requirements force companies to try to obtain permission to collect data from everyone in a population, even though they only really want data from a subset of these individuals. To illustrate this point, Staten and Cate (2003) provide an interesting case study of MBNA Corporation (acquired by Bank of America in 2006). To advertise its products, MBNA directly contacted potential customers. MBNA reduced these large lists of prospects to a manageable size by using personal information to identify eligible prospects. In this study, MBNA wanted to reduce its list from 800 million to 400 million contacts. If affirmative consent were required, then the bank would need to reach out to all 800 million people to get permission to make the offer to 400 million people. Half of these people would get a needless solicitation that they would not have been eligible to receive. This inefficiency would ultimately be passed along to MBNA’s customers, increasing prices.

Third, opt-in requirements frame consumer choices in ways that lead to less-than-optimal data sharing. Contrary to the early economic models that assume people always act rationally, Tversky and Kahneman (1986) found that how choices are framed influences how choices are made. People often make choices based on a host of non-rational reasons, such as the tendency to avoid losses rather than attempt to acquire gains, and their choices often depend on how a question is framed. Research from Fischhoff (1991) and Slovic (1995) also suggests that consumers do not recall a previously calculated preference when making their decision, but rather generate their response upon hearing the question. In the context of privacy for online health surveys, Johnson, Bellman and Lohse (2000) studied how framing of opt-out and opt-in questions affects how people respond. In the study, opt-out questions asked whether customers wanted not to be notified, while the opt-in questions asked for consumers to affirmatively agree to share information. For example, researchers framed the opt-in question as an affirmative: “Notify me about more health surveys,” and the opt-out question as a negative: “Do NOT notify me about more health surveys.” The study found that twice as many people signed up to share their information when the default option used an opt-out framing (96 percent) than an opt-in framing (48 percent).

In addition, Acquisti et al. (2013) surveyed respondents about whether they would exchange future purchase data for gift cards. Researchers found that when the question was framed as an explicit choice to share future data for an additional $2, a majority of respondents (52 percent) would reject the offer. However, when the question was framed as an implicit choice to pay $2 in order to avoid future data collection—by switching from a $12 to a $10 gift card—only 10 percent of subjects accepted. Furthermore, Cranor and McDonald (2010) showed that a slight deviation on a question—whether a group would receive a discount of $1 to have their data collected for behavioral advertisements or pay $1 for privacy-protective services—could yield vastly different results. Despite the fact that both options would yield the same result, when asked about paying the dollar, only 11 percent of respondents chose the privacy-protective option, while 69 percent would not accept the discount in exchange for their data.

People Say They Want More Privacy, But Few Act on It

So why do some public opinion surveys find support for stronger privacy laws? While people say that privacy is an important factor in their decision-making, in practice this is often not the case. Preibusch et al. (2013) did a study of participants buying DVDs from two online stores, with one asking users to complete a privacy-invasive questionnaire. The study found that when the prices were the same, neither store won out over the other. But when offered a discount in exchange for completing the questionnaire, the vast majority of participants chose to buy from the cheaper, privacy-invasive firm. Similarly, Happ et al. (2016) showed that over a third of respondents would readily give up their personal passwords for work or school accounts for a bar of chocolate, despite the risks of doing so. Further, Strahilevitz and Kugler (2016) found that, despite most participants’ unease with an email provider using automated content analysis—where a computer algorithm, not a person, analyzes email content to serve up more targeted advertisements—65 percent of them were unwilling to pay any amount for an alternative. In short, consumers care about prices when they make privacy-related decisions. The reason why public opinion polls show such support for strong privacy laws is because these surveys rarely confront consumers with the price consequences of their choices. Clearly, consumers are much more willing to say they want more online privacy when questions are framed as letting them have their cake and eat it too.

Opt-in regulations are also suboptimal because only a relatively small group of highly-motivated individuals are extremely concerned about and therefore motivated by their privacy. Kumaraguru and Cranor (2005) surveyed 14 privacy studies that were originally conducted by privacy-researcher Alan Westin, finding that only a small fraction of individuals, a group Westin referred to as “privacy fundamentalists,” place such a high premium on their privacy that they are unwilling to share their information under almost any condition. The vast majority of respondents across all studies either wanted to exchange their information for something of value or were unconcerned about organizations collecting their information. Indeed, these findings mirror other research, such as industry estimates from the American Banker (2001), that around 5 percent of people choose to opt out of sharing financial information under GLBA requirements. This suggests opt-out rules are much more efficient than opt-in rules because most users are willing to share their information in exchange for some value.

The final challenge to opt-in policies is that they put the benefit of the individual ahead of that of the community. As noted earlier, while opt-in rules would default to more individuals receiving privacy benefits than they would otherwise choose, society would bear the cost as all consumers lose out on the positive externalities that come from sharing information. Public goods (such as public health and transportation) and commercial goods (such as e-commerce applications) would be worse off because they would have less data to generate value for consumers. Conversely, opt-out rules would allow those individuals who value their own welfare much more than communal welfare—such as privacy fundamentalists—to make that choice, while still enabling most individuals who value both self and society to easily share information of their choice.

Conclusion

Some people mistakenly believe that most privacy debates pit the interests of businesses or government versus those of consumers, where businesses gain when consumers lose. However, this is simply wrong. Many types of organizations, from businesses to non-profits to government agencies, collect, use, and share personal data, and both the organization and the individual benefit from these exchanges. Organizations benefit by using data for purposes such as improving products and services, conducting medical research, delivering targeted online ads, mapping traffic congestion, improving education, etc. And individuals obtain benefits, such as discounts at the grocery store, access to free or low-cost online apps and services, and improvements in medical knowledge among their health care providers. The fact that someone with a device and a broadband connection can now easily make a video conference call to someone else around the world at no cost because of online advertising is a testament to the benefits that a robust data ecosystem brings.

In reality, privacy debates are better characterized as consumer versus consumer. Different individuals will value their privacy differently depending on their personal preferences. When policymakers enact strict laws and regulations on privacy, especially opt-in rules, the relatively small share of privacy-sensitive individuals gain at the expense of the rest of society by making it more difficult for organizations to collect and use data efficiently.

In short, opt-in laws are less efficient and costlier than opt-out ones. Given the abundance of research on this topic, when lawmakers and regulators create privacy laws and regulations, they should favor opt-out rules because they benefit consumers, businesses, and the overall economy while protecting consumer choice.