The new ISP/personal data legislation

A few brief thoughts on the economics of the just-passed legislation about ISPs’ rights to acquire and sell user data.

Of course this is good for internet providers, since it shifts privacy from a right for consumers—one that the data-hungry must bargain and pay for—to privilege for consumers—one that the data-hungry may bargain away or otherwise profit from.

A trickier question is what this means for market structure at the level of the ISP and then again downstream at the level of websites. I have a paper with Avi Goldfarb and Catherine Tucker arguing that piecemeal “informed consent” privacy regulation is potentially anti-competitive since introducing small frictions in the user experience disproportionately disadvantages entrants over incumbents. So what of this legislation that grants very broad personal data ownership to internet providers without requiring any permissions?

Let’s say that two goals (among others) of public policy on consumer data are (i) protect individual privacy and (ii) don’t hinder competition. One way to advance both would be informed consent that is blanket rather than piecemeal: global opt-in, for example through browser settings, for a baseline level of permission granted to all websites, to reduce the number of interruptions to the user experience that may be dissuasive of consumer experimentation.

The spirit of this new legislation, by contrast, makes a mockery of (i) without necessarily offering any unambiguous benefits on (ii). The claim that we will suddenly see competition among ISPs on the new dimension of data collection is a little far-fetched in the short-term. First, competition in ISPs is clearly limited in theory and in practice in ways that are in some ways similar but in some ways distinct from the virtual network effects, lock-in, and incumbency advantages of the most popular web platforms. Second, this is a red herring since it would take a very heroic Coaseian to argue that property rights over consumer data are not going to affect the split of the pie between consumer side and ISP side.

In one sense this just kicks the frictions can one degree up the chain to the ISP instead of to websites. Should I be optimistic that this may reduce frictions by making the whole notion of informed consent utterly moot? Perhaps this will manifest as consumers making a “grand choice” over suddenly competitive ISPs that performs some of the same functions as a global opt-in. I think maybe likelier is that the whole architecture becomes harder to navigate as a failsafe is sacrificed.

In particular, it is not obvious to me how business relationships between ISPs and websites may emerge or develop. If the ISP has the right to indiscriminately collect consumer data, will web platforms turn to the ISP to acquire that information rather than acquiring it from consumers? Will we see ISPs write exclusive contracts if and when they sell this data in bulk? Can control over this data be used as a threat to extract rents from web platforms? There is no point in sadly grasping for a silver lining here if consumers face fewer frictions but are losing their shirt elsewhere in an opaque hierarchy.

The three layers—ISP, internet companies, consumers—and many possibilities here mean there is a lot to unpack. My first reaction though is that I’m not holding my breath for any market structure magic to offset the obvious rights-stripping.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s