Incomplete Contracts and Future Data Usage

33 Pages Posted: 11 Feb 2023

See all articles by Jens Frankenreiter

Jens Frankenreiter

Washington University in St. Louis - School of Law

Talia B. Gillis

Columbia Law School

Dan Svirsky

Harvard Business School

Date Written: February 9, 2023


Most major jurisdictions require websites to provide customers with privacy policies. A privacy policy’s most important function is to provide consumers with a description of the online service provider’s current privacy practices. We argue that these policies also serve a second, often-overlooked function: they allocate residual data usage rights to online services or consumers, including the power to decide whether a service can modify its privacy practices and use consumer data in novel ways. We further argue that a central feature of the E.U.’s General Data Protection Regulation (GDPR), one of the most comprehensive and far-reaching privacy regulatory regimes, is to restrict privacy policies from allocating broad rights for future data usage to service providers. We provide a theoretical explanation for this type of regulatory intervention by adapting standard models of incomplete contracts to privacy policies. We then use the model to explain how U.S. firms reacted to the GDPR. We show that U.S. websites with E.U. exposure were more likely to change their U.S. privacy policies to have less stringent and more lenient modification rules. Among websites that do not have E.U. exposure, we see the opposite trend. These results suggest that websites sought to increase their share of residual rights over data usage in the wake of the entry into force of the GDPR.

Keywords: privacy, incomplete, contracts, GDPR, policies, behavioral, contract theory

JEL Classification: K12,D23,L22,D86,H11

Suggested Citation

Frankenreiter, Jens and Gillis, Talia B. and Svirsky, Dan, Incomplete Contracts and Future Data Usage (February 9, 2023). Available at SSRN: or

Jens Frankenreiter

Washington University in St. Louis - School of Law ( email )

Campus Box 1120
St. Louis, MO 63130
United States

Talia B. Gillis (Contact Author)

Columbia Law School ( email )

Dan Svirsky

Harvard Business School ( email )

Soldiers Field Road
Morgan 270C
Boston, MA 02163
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics