Since taking effect in 2018, the European Union’s General Data Protection Regulation (GDPR), which requires all websites operating within the EU to get user consent before processing personal data, have had worldwide implications. Indeed, new research supported by the Marketing Science Institute argues that it is the most significant privacy regulation in effect today. In “Regulating Privacy Online: An Economic Evaluation of GDPR,” Garrett Johnson, a marketing professor at Boston University’s Questrom School of Business; Scott Shriver, a marketing professor at the Leeds School of Business at the University of Colorado Boulder, and Samuel Goldberg, a Ph.D. candidate at Northwestern University’s Kellogg School of Management, examine the data of more than 1,000 online firms to track the policy’s impact. MSI Executive Director Barbara Kahn, a marketing professor at the University of Pennsylvania’s Wharton School, recently sat down with Johnson and Goldberg to discuss the research.

Listen to the interview:

An edited transcript of the conversation follows.

Barbara Kahn: Can you explain how the GDPR works and what the regulation means?

Garrett Johnson: GDPR is essentially a privacy regulation, and at the heart of it you have a definition of personal data that is quite expansive. It is not just health data or personally identifiable data; it is all data that relates to a unique individual, so this can include cookies and IP addresses. With that start, the GDPR on the consumer end accords the consumer a lot of data rights, like the ability to access and correct the data that firms have about them. It also puts a lot of responsibilities on firms.

Firms must be able to respond to these rights-based requests from consumers, they have to audit their data flows, minimize the data collection, and hire basically a regulator inside the company called the data protection officer, among other responsibilities. It is quite a heavy lift for firms.

Kahn: A big part of it is that the individuals have to give consent that their data is being collected and they have to be able to see their data. What are some of the requirements related to that?

Johnson: The GDPR lays out the circumstances under which a firm can process a consumer’s personal data. One of those, probably the most important, is the consumer’s consent. The GDPR defines consent very specifically to be a consumer’s opt-in consent. So if a firm wanted to get a consumer’s consent they couldn’t just have a pre-ticked box that says that they’re okay with their personal data being used. The consumer actually has to tick that box.

Kahn: That is also why most of us have seen this annoying little box come up when we visit a website – suddenly, we are ticking boxes all over the place before we can move on with our data. Sam, is that the way it is?

Samuel Goldberg: That is exactly correct. That is why you see these pop-ups making the web a little bit harder to use these days.

Kahn: At least from my point of view, they get me just when I really want to see what I clicked on, and I just click anything. It’s not clear to me what I’m giving my consent to, or if that was the intention of the GDPR in the first place. But it has become almost a nuisance to me. I don’t know if that generalizes, or if that’s just me. Garrett, what do you think?

Johnson: You are right that effectively the way it has been implemented is that firms treat it as kind of a hop to go through, so consumers have to just press “agree” and continue. But while that has been the case for almost all websites, that’s not in accordance with the GDPR. The GDPR says give affirmative consent. What we’re going to be talking about today is our research in a world where we get GDPR lite, where we don’t see the full enforcement and compliance of the law, yet we still notice some impacts on websites.

Kahn: Before we do that, just as background, Sam, can you tell us a little about how companies use this personal data and why this is going to be such a big shift?

Goldberg: Personal data is used across the web in a variety of ways, but sites use it primarily for things like website design or product recommendation. Obviously, targeted advertising also makes huge use of personal data online.

Kahn: Tell us about your data set and what your analysis was, where you started and what your personal research question was.

Goldberg: Before we get too far into the data, I want to give a shoutout to Taylor Schreiner at Adobe. He has partnered in the past with academics to use Adobe Analytics data to study big questions about e-commerce and the online economy. We reached out to him with this opportunity to study the GDPR and he was super helpful and excited about it, and Adobe’s been really great to give us access to this data.

What our data consists of is essentially a collection of about 1,000 firms’ analytics dashboards. We see everything that these firms see about their online presence; this includes things like pageviews, or their e-commerce revenues, for example. Those are the two key metrics that we focus on in the paper.

The first pattern that you notice right away is that if you plot these metrics out over time and compare both before and after the GDPR was implemented, you see this 12 percentage-point decline in these metrics across the board. For most of these sites, we see pretty significant and large drops in these metrics.

Kahn: So, you looked at some metrics before GDPR and the same metrics after GDPR, and in that simple cut you see a decline?

Goldberg: If we compare pageviews and revenues from before and after the GDPR, we see approximately a 12 percentage-point decline in both those metrics. It’s a pretty significant and striking drop in those metrics.

Kahn: I’m assuming that you have to be careful and not assume. There can be other kind of complicating factors that are causing this drop, and the analysis is not going to end there. Is that right?

Goldberg: That’s right. The complicated part about the GDPR is it changes both data recording as well as potentially the underlying outcomes themselves. It’s going to change when I can record a pageview with my analytics dashboards, and it also could change how many pageviews I actually see. And so we spend a significant portion of the paper trying to disentangle those two facts.

Kahn: The fact that the consumer has to consent — how do you take that into account as one of the reasons? Is it that they have to consent and therefore they’re not looking? How do you separate out that it’s the action of consent that makes a difference?

Johnson: We’ve got this challenge of the data that Adobe sees falls by 12%. It’s a puzzle because two things could cause that to happen. One is that a large percentage, or something like 12% of consumers, don’t provide consent to the website sharing the data with Adobe, and so Adobe just doesn’t see the data that’s actually still happening.

The other reason is that the GDPR could actually be hurting websites, for instance, by making it harder for them to market to consumers. So it’s definitely a challenge for us to disentangle what is what. But what we can show, I think pretty convincingly, is there’s a bit of both going on. There are some users who are opting out, and that has a real effect on these businesses.

Kahn: How much time and expense is it for companies to comply with the law? How hard is it for them to put it together? I guess within the EU they have to do it, but within the U.S. they’ve been starting to do it. Have you looked at that kind of issue, too?

Johnson: There have been some interesting reports about the cost to firms. For instance, EY looked at the top 500 global firms and they said that it cost a total of $7.8 billion for these firms to comply with the GDPR, or at least start their compliance process. And then there is another survey of small and mid-size organizations that found that three quarters of them were spending more than $100,000. So firms are making important investments to bring themselves into compliance.

Kahn: You did your methodology to separate out these effects, and without that complicated analysis it was at 12%. Once you filtered all of that out, what were your conclusions?

Goldberg: Our data is approximately consistent with between a 4% and 15% opt-out rate. Somewhere between 4% and 15% of users opt out of data collection in our data set. And we see approximately a one percentage point drop in weekly revenues that we can attribute to marketing.

Kahn: Does this differ by industries? What kind of descriptor variables did you use on this?

Goldberg: Surprisingly, we do not see a lot of variation in these effect sizes across types of websites. The one exception to that is that we do see that larger sites seem to not be impacted as much by the GDPR. In particular, this is true for larger e-commerce sites. And we can dig into that a little bit. It appears that smaller firms are having a harder time getting consent than larger firms.

Kahn: I have heard people talk about one of the fixes for dealing with the GDPR is to not use web data on the individual level and to think about it more on a segment level so you don’t need to have personal data and you might not need consent. Can you untangle that? What is the difference between monitoring on an individual level versus a segment level? How is that is affected by GDPR?

Johnson: I teach digital marketing, and the common tie that puts all of the amazing capabilities we have in digital marketing together, what underpins that, is user-level identity. Knowing who you are across websites allows us to do a better job of targeting you, to measure the effectiveness of advertising, and then optimize to better allocate our spend across the channels that are performant. Individual identity powers all that, and the GDPR is changing that paradigm.

You rightly point out that this is creating a push towards segments and flocks, for instance, rather than individuals, the difference there being that if you are part of a group of people, like men from Philadelphia aged 20 to 30, then is not personal information because it’s information you share with a large group of people. That is a paradigm shift for marketers that we’re moving towards. The GDPR is a big forcing function bringing us in that direction.

Kahn: So what you’re saying is we are going to move to segment-level data, so we’re not going to move to the individual-level data. How does this need for consent affect behavior?

Johnson: In the existing paradigm, websites use site analytics data to optimize their websites and segment their customers and understand how consumers are using their website and how they can improve their website. Effectively, in a world where about 10% of consumers are opting out, you still have some of that data but your ability to make good decisions is not as good. So that is one effect.

Another is that if people are not providing consent to sharing data with Adobe or Google Analytics, they will certainly not provide consent for personalized advertising. And without personalized advertising, we have shown in other research that ad prices fall by about 50%. Within the current paradigm that is built around individual consumers, these effects can be pretty large. But I think part of what you are speaking to is that this is a step towards a new paradigm of marketing that does things in a different way. That is going to be a big paradigm shift for managers.

Kahn: I guess those kinds of shifts will happen if a regulation like GDPR comes to North America. Do you think that is likely? I think a lot of firms are doing this proactively in anticipation of it, but right now the law is mostly in the EU, correct? Do you think it will come to North America?

Johnson: Let me start by talking about North America, about the law, and then Sam can talk about what we saw in our data on that topic. There is definitely a push for U.S. privacy regulation. One thing that is pushing for that is that various states either have laws or are considering laws, like California and Virginia, for instance.

At some point, this creates a necessity for the federal government to step in and have a unified approach. And I think it is an exciting time because there’s a lot of momentum to do something. I am perhaps a little bit more skeptical that Congress can agree on exactly what direction they want to go and whether this issue will finally bubble up to the top of a very crowded agenda. But I think policymakers need to be clear-eyed here. Everyone wants more privacy, but privacy is not free, especially in today’s data-driven economy.

Our research showed that this [regulation] has hurt website revenue; our other research shows that the GDPR hurt competition. There is excellent other research showing that tech venture investing fell by 26% right after the GDPR. These are big costs, and I think that is something that policymakers should keep in mind as they draft regulation and choose whether to follow the European example. Sam, do you want to talk about some of the spillovers of the GDPR?

Goldberg: We do look in the paper to see if the GDPR has changed how firms are using personal data in the United States as well, or for North American users in particular. And again, our data consists of mostly very large, global firms. And because of how the GDPR is regulated, it sometimes makes sense for them to just invest in privacy globally rather than just for the EU citizens. And indeed, we do see small but significant spillovers to North American traffic as well. So the GDPR led to this global regulation in a way.

Kahn: What are some of the other things you’re seeing about what could happen? Regardless of whether we see the regulation implemented, as you say, there’s a lot of politics in North America and we may or may not see it. But as Sam was mentioning, many of these firms are global and it’s just as easy for them to do one policy globally anyway, so we are seeing people moving in this direction. So it’s hard to not conclude that GDPR is going to have strong ramifications on the way business is conducted.

Johnson: It is an important question for managers. Some business leaders are taking the wrong message from the GDPR and thinking that the GDPR is just much ado about nothing, thinking it’s some sort of Y2K event. Business leaders need to recognize that the GDPR’s enforcement deadline was a first step on a longer journey that is redefining how marketers are using personal data. Some next very big steps are measures that platforms like Apple and Google have taken to implement parts of the GDPR worldwide, by either eliminating cookies or sharply restricting how mobile phone identifiers are available to marketers.

These changes are seismic. I said before that what underpins modern digital marketing is a cross-site and cross-app identity. If marketers lose that, then the rules of digital marketing are going to be fractured and rewritten. There’s a lot of uncertainty and a lot for marketers to grapple with at this time, which is exciting and scary at the same time.

Kahn: Wow, it really does sound seismic. Sam, do you want to add some of your own conclusions, what your research has led you to think, believe, and recommend?

Goldberg: Garrett and I think very similarly about these types of problems. I agree with everything he said. The key takeaway here is that privacy online is not going anywhere as a key policy issue. Firms will have to figure out how to adjust to this kind of tumultuous environment, at least in the short run.

Kahn: What does your research suggest is the effect of all of this on marketing?

Johnson: We get Adobe Analytics data, so we see where people are coming from when they arrive at a website. We see that there is the largest effect on personal data channels like email and display ads. This is exactly where you would expect the GDPR to have an effect because these marketing channels rely on personal data. Roughly speaking, we see that traffic from email and display falls something like 20% after the GDPR, but direct traffic to websites falls by 10%.

So we conservatively think that this extra 10% that’s falling in these channels that use personalized data is clear evidence of the GDPR having a real effect on business outcomes. And that is where we get this estimate that the GDPR reduces pageviews and revenues for these websites by about a half a percent. Now, that is not very big, but that’s as conservative as you can get. Our conversation has stressed that so far, we have seen the “GDPR lite.” We have not seen the GDPR under full compliance that would make these effects even larger.

Kahn: Are people visiting webpages less because it is a less personalized appeal or is it that they don’t consent to give the data? What is the reason for it? Because I don’t think those are small declines. Those are pretty big declines and businesses would be worried about that. And is there a fix for it, or is it just part of the regulation you can’t get around?

Johnson: The GDPR is tying one arm behind marketers’ backs, where the cost and risks of sending personalized emails and using email lists and engaging in the display ad marketplace, those risks have just gone up a lot. I think marketers are bit gun-shy about that. Some of them have effectively culled their email lists because they didn’t have GDPR-level consent behind those lists. All these little pieces add up to what is clearly, in our data, a much larger effect on these personalized channels.