43 Pages. Posted: 6 Oct 2019. Last revised: 13 May 2021.
Date Written: September 25, 2019
We study the incentives of a digital business to collect and protect users’ data. The users’ data the business collects improves the service it provides to consumers, but it may also be accessed, at a cost, by strategic third parties in a way that harms users, imposing endogenous users’ privacy costs. We characterize how the revenue model of the business shapes its optimal data strategy: collection and protection of users’ data. We show that, relative to the socially desired data strategy, the business may over- or under-collect users’ data and may over- or under-protect it. In fact, the only deviation from the socially optimal strategy that no business will pursue in equilibrium is one of under-collection combined with over-protection of users’ data. Restoring efficiency requires a two-pronged regulatory policy, covering both data collection and data protection. We derive one such policy which combines a minimal data protection requirement with a tax proportional to the amount of collected data.
Keywords: Information security, online platforms, data-driven businesses, data policy design, advertisement-driven businesses, transaction-driven businesses, welfare