Download This PaperIncomplete Contracts and Future Data Usage
33 Pages Posted: 11 Feb 2023
Date Written: February 9, 2023
Abstract
Most major jurisdictions require websites to provide customers with privacy policies. A privacy policy’s most important function is to provide consumers with a description of the online service provider’s current privacy practices. We argue that these policies also serve a second, often-overlooked function: they allocate residual data usage rights to online services or consumers, including the power to decide whether a service can modify its privacy practices and use consumer data in novel ways. We further argue that a central feature of the E.U.’s General Data Protection Regulation (GDPR), one of the most comprehensive and far-reaching privacy regulatory regimes, is to restrict privacy policies from allocating broad rights for future data usage to service providers. We provide a theoretical explanation for this type of regulatory intervention by adapting standard models of incomplete contracts to privacy policies. We then use the model to explain how U.S. firms reacted to the GDPR. We show that U.S. websites with E.U. exposure were more likely to change their U.S. privacy policies to have less stringent and more lenient modification rules. Among websites that do not have E.U. exposure, we see the opposite trend. These results suggest that websites sought to increase their share of residual rights over data usage in the wake of the entry into force of the GDPR.
Keywords: privacy, incomplete, contracts, GDPR, policies, behavioral, contract theory
JEL Classification: K12,D23,L22,D86,H11
Suggested Citation: Suggested Citation
