Skip to main content

The perils of privacy regulation


Advocates of digital privacy law believe it is necessary to correct failures in the market for digital privacy. Though legislators allegedly craft digital privacy regulation to protect consumers, some advocates have understated the dangers that digital privacy law may engender. This paper provides evidence for Kirzner’s “perils of regulation” in the digital privacy arena. The regulatory process fails to simulate the market process, stifles entrepreneurial discovery, and creates opportunities for superfluous discovery. My research suggests that policy-makers should consider a more holistic accounting of the costs before imposing additional digital privacy regulation.

This is a preview of subscription content, access via your institution.


  1. 1.

    See Hirsch (2010) for a more comprehensive accounting of the ways that websites may collect information and of the parties who have a vested interest in information collected on the Internet.

  2. 2.

    Hirshleifer (1980) took issue with the Posnerian focus on “privacy” as “secrecy,” arguing that “privacy” should be defined more expansively, likening “privacy” to “autonomy.” For Hirshleifer, privacy as autonomy entails freedom from observation. I stick to the Posnerian conception.

  3. 3.

    Hirsch (2010) advocates a “co-regulatory” approach to protecting privacy in which governments and firms work cooperatively to set regulations. Incidentally, one of the most cited papers on the economics of co-regulation is an examination of its operation in the context of food safety economics (see Martinez et al. 2007).

  4. 4.

    Kirzner begins his discussion by exploring the “undiscovered discovery process.” He uses this terminology to highlight that what has been labeled a “market failure” is, in fact, an opportunity for entrepreneurial profit. Calls for regulation frequently follow from the belief that entrepreneurs are incapable of solving alleged market failures. The focus of this paper is not on how entrepreneurs may solve digital privacy problems (though such research is worthwhile). Rather, the focus of this paper is on the ways that digital privacy law distorts the entrepreneurial market process, and thus I begin my analysis by discussing the “unsimulated” rather than the “undiscovered” discovery process.

  5. 5.

    Note that a “security” risk differs from a “privacy” risk. The latter refers to the types of information I deal with in this paper: personal, but nonsensitive information. The former refers to sensitive information such as an individual’s credit card number.

  6. 6.

    The Directive also contains provisions for protecting against true invasions of property, such as credit card theft.

  7. 7.

    An early study (Gross and Acquisti 2005) of Facebook and other social media sites revealed that young users, on average, did not express a high desire for digital privacy or anonymity, suggesting that the aims of privacy legislators become quickly outdated.

  8. 8.

    The knowledge that ARGO aggregates is Hayekian in the sense that it is localized and dispersed, though not tacit.

  9. 9.

    For example, DuckDuckGo is a rapidly growing search engine that does not track individual’s queries.

  10. 10.

    Note that this paper focuses primarily on “privacy” risks, that is access to “nonsensitive” information, rather than on threats to “sensitive” information such as credit card theft. The latter fits more properly under the category of “cybersecurity.” What this section demonstrates, however, is the ironic fact that bureaucratic efforts to shield privacy may, in fact, result in graver threats to one’s own cybsersecurity.

  11. 11.

    This piece of legislation is based on the Obama Administration’s 2012 “Consumer Privacy Bill of Rights.”

  12. 12.

    I am indebted to a 2015 blog post entitled “Innovation Death Panels and Other Shortcomings” by Geoffrey Manne and Ben Sperry at the blog “Truth on the Market” for the idea that the “Consumer Privacy Bill of Rights” exposes consumers to greater privacy risks.

  13. 13.

    As Hirsch (2010) documents, providing consumers with “access” to their information–what this bill would do–is a cornerstone of the 1973 Fair Information Practice Principles (FIPPs) proposed by the Department of Health, Education, and Welfare (HEW).

  14. 14.

    Once an Internet merchant has established a digital storefront, the marginal cost of acquiring and serving an additional customer is often very low.

  15. 15.

    Sands is a technology executive who has experience with large companies as well as several startups, including several directly involved in providing digital privacy solutions.

  16. 16.

    Note that Milberg et al. (2000) argue that one benefit of digital privacy law is that it would correct the “reactive” failures of private firms.

  17. 17.

    Obviously, the same conclusion holds for entrepreneurs in any country.

  18. 18.

    See, for example, Posner (1978, 1981), Stigler (1980), Bibas (1994), Clarke (1999), Lin (2002), Sarathy and Robertson (2003), Mayer-Schönberger (2010), Pavlou (2011), Pasquale (2012), and Scholz (2015).


  1. Acquisti, A., & Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Security and Privacy, 1, 26–33.

    Article  Google Scholar 

  2. Acquisti, A., Taylor C. R., Wagman, L. (2015). The economics of privacy. Available at SSRN 2580411.

  3. Baumol, W. J. (1996). Entrepreneurship: productive, unproductive, and destructive. Journal of Business Venturing, 11(1), 3–22.

    Article  Google Scholar 

  4. Bergkamp, L. (2003). European Community Law for the New Economy. Intersentia nv.

  5. Bibas, S. A. (1994). Contractual approach to data privacy. Harvard Journal of Law & Public Policy, 17, 591.

    Google Scholar 

  6. Buchanan, J. M. (2005) Afraid to be free: Dependency as Desideratum. In Policy Challenges and Political Responses (pp. 19–31). US: Springer.

  7. Budnitz, M. E. (1997). Privacy protection for consumer transactions in electronic commerce: why self-regulation is inadequate. SCL Rev, 49, 847.

    Google Scholar 

  8. Campbell, J., Goldfarb, A., & Tucker, C. (2015). Privacy regulation and market structure. Journal of Economics and Management Strategy, 24(1), 47–73.

    Article  Google Scholar 

  9. Clarke, R. (1999). Internet privacy concerns confirm the case for intervention. Communications of the ACM, 42(2), 60–67.

    Article  Google Scholar 

  10. Consumercal (2015). The Children’s Online Privacy Protection Act (COPPA). Accessed June 26, 2015. i-know-about-privacy-policies/californiaonline-privacy-protection-act-caloppa-2/.

  11. Craig, T., & Ludloff M. E. (2011). Privacy and big data. O’Reilly Media, Inc.

  12. Demsetz, H. (1969). Information and efficiency: another viewpoint. The Journal of Law & Economics, 12(1), 1–22.

    Article  Google Scholar 

  13. Essers, L. (2015). Cloud startup zettabox touts privacy and local storage to appeal to EU Customers. Last modified June 10, 2015. customers.html.

  14. European Commission (2012). Press Release Database. Commission proposes a comprehensive reform of data Protection rules to increase users’ control of their data and to cut costs for businesses.

  15. European Union Agency for Fundamental Rights (2014). Handbook on European Data Protection Law.

  16. Executive Office of the President (2014). President’s Council of Advisers on Science and Technology Report to the President. Big data and privacy: a technological perspective.

  17. Ezor, J. I. (2012). Privacy and data protection in business: Laws and practices. Lexis- Nexis.

    Google Scholar 

  18. Federal Trade Commission (2012). Protecting consumer privacy in an Era of rapid change. Washington, DC: FTC Report.

    Google Scholar 

  19. Federal Trade Commission (2013). Children’s Online Privacy Protection Rule; Final Rule, Part II, 2013, Federal Register 78, no. 12 (January 17, 2013):

  20. Foldvary, F. E., & Klein, D. B. (2002). The half-life of policy rationales: how new technology effects old policy issues. Knowledge, Technology & Policy, 15(no. 3), 82–92.

    Article  Google Scholar 

  21. FTC Privacy Report (2013). Oliver and Grimsely. Last modified.

  22. Gaudin, S. (2011). Social Networks Credited with Role in Toppling Egypt’s Mubarak. Computerworld. Last modified February 11, 2011.

  23. Geiger, J. (2003). Transfer of data abroad by Private Sector Companies: data protection under the German Federal Data Protection Act. German Law Journal, 4, 747.

    Google Scholar 

  24. Goldfarb, A., & Tucker, C. E. (2011). Privacy regulation and online advertising. Management Science, 57(1), 57–71.

    Article  Google Scholar 

  25. Granovetter, M. S. (1973). The srength of weak ties. American Journal of Sociology, 1360–1380.

  26. Gross, R., & Acquisti A. (2005). Information revelation and privacy in online social networks. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pp. 71–80. ACM.

  27. Heath, N. (2013). EU privacy laws to spell an end to facebook for free? ZDNet. Last modified. an-end-to-facebook-for-free/.

  28. Higgs, R. (1997). Regime uncertainty. The Independent Review, 1(no. 4), 561–590.

    Google Scholar 

  29. Hirsch, D. D. (2010). Law and policy of online privacy: regulation, self-regulation, or co-regulation. The Seattle Univ Law Rev., 34, 439.

    Google Scholar 

  30. Hirshleifer, J. (1980). Privacy: its origin, function, and future. The Journal of Legal Studies, 649–664.

  31. Hoofnagle, C. J. (2005) Privacy self regulation: A decade of disappointment. In J. K. Winn (Ed.) Consumer Protection in the Age of the ‘Information Economy’ (Ashgate 2006).

  32. Ikeda, S. (2002) Dynamics of the mixed economy: Toward a theory of interventionism. Routledge.

  33. Ikeda, S. (2005). The dynamics of interventionism. Advances in Austrian Economics, 8, 21–57.

    Article  Google Scholar 

  34. Jamal, K., Maier, M., & Sunder, S. (2005). Enforced standards versus evolution by general acceptance: a comparative study of ecommerce privacy disclosure and practice in the United States and the United Kingdom. Journal of Accounting Research, 43(1), 73–96.

    Article  Google Scholar 

  35. Jolly, I. (2014). Data protection in United States: Overview. Practical Law. Last modified July 1, 2014.

  36. Kirzner, I. M. (1985). Discovery and the capitalist process. University of Chicago Press.

  37. Lenard, T. M., & Rubin, P. H. (2009). In defense of data: information and the costs of privacy. Technology Policy Institute Working Paper 9–44.

  38. Lerner, J. (2012). The impact of privacy policy changes on venture capital investment in online advertising companies. Analysis Group, 1–27.

  39. Lin, E. (2002). Prioritizing privacy: a constitutional response to the internet. Berkeley Technology Law Journal, 17, 1085.

    Google Scholar 

  40. Litan, R. E. (1999). Balancing costs and benefits of new privacy mandates. AEI-Brookings Working Paper, 99–03.

  41. Madden, M. (2014). Public perceptions of privacy and security in the Post-Snowden Era. Pew Internet. Last modified November 12, 2014.

  42. Manne, G. & Sperry, B. (2015). Innovation death panels and other economic shortcomings of the White House Proposed Privacy Bill. Truth on the Market (blog). March 18, 2015, death-panels-privacy-bill/

  43. Martinez, M. G., Fearne, A., Caswell, J. A., & Henson, S. (2007). Co-Regulation as a possible model for food safety governance: opportunities for public–private partnerships. Food Policy, 32(no. 3), 299–314.

    Article  Google Scholar 

  44. Mayer-Schönberger, V. (2010). Beyond privacy, beyond rights—toward a ‘systems’ theory of information governance. California Law Review, 1853–1885.

  45. Milberg, S. J., Smith, H. J., & Burke, S. J. (2000). Information privacy: Corporate Management and National Regulation. Organization Science, 11(1), 35–57.

    Article  Google Scholar 

  46. Mises, L. v. (1949, 1998). Human action, scholars’ edition. Auburn: Mises Institute.

  47. Mole, B. (2015). New Flu tracker uses google search data better than google. ArsTechnica.

  48. Neef, D. (2014). Digital exhaust: What everyone should know about big DATA, Digitization and Digitally Driven Innovation. Pearson Education.

  49. New Singapore Data Protection Law: What You Need to Know (2015). London: Olswang LLP, 2012. Accessed June 29, 2015.

  50. O’Brien, D. (2014). Start-ups, Data Privacy and Disruption. Privacy Association. Last modified August 21, 2014.

  51. Online Privacy Protection Act of 2003 (2003). California Statute. Section 22575–22579.

  52. Pasquale, F. (2012). Privacy, antitrust, and power. George Mason Law Review, 20, 1009–1024.

    Google Scholar 

  53. Pavlou, P. A. (2011). State of the information privacy literature: where are we now and where should we go? MIS Quarterly, 35(no. 4), 977–988.

    Google Scholar 

  54. Posner, R. A. (1978). Economic theory of privacy. Regulation, 2, 19.

    Google Scholar 

  55. Posner, R. A. (1981). The economics of privacy. The American Economic Review, 405–409.

  56. Rothbard, M. N. (1962). Man, economy, and state (Vol. 2). Princeton: Van Nostrand.

    Google Scholar 

  57. Sands, T. (2015). email correspondence.

  58. Sands, T. (2016). email correspondence.

  59. Sarathy, R., & Robertson, C. J. (2003). Strategic and ethical considerations in managing digital privacy. Journal of Business Ethics, 46(2), 111–126.

    Article  Google Scholar 

  60. Scholz, L. (2015). Privacy as Quasi-Property. Iowa Law Review, Forthcoming.

  61. Scott, M. (2015). As facebook sweeps across Europe, regulators gird for battle. New York Times.

  62. Shirky, C. (2011). The political power of social media. Foreign Affairs, 90(1), 28–41.

    Google Scholar 

  63. Solove, D. J. (2004). The digital person: Technology and privacy in the information age. NYU Press.

  64. Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review: 477–564.

  65. Statista (2015). Number of Monthly active facebook users worldwide as of 1st Quarter 2015 (in Millions). Accessed June 25, 2015.

  66. Stigler, G. J. (1980). An introduction to privacy in economics and politics. The Journal of Legal Studies, 623–644.

  67. Swire, P. P. (2003). Efficient confidentiality for privacy, security, and confidential business information. Brookings-Wharton Papers on Financial Services, 2003(1), 273–310.

    Article  Google Scholar 

  68. Techworld (2015). Zettabox Gambles on EU Privacy Law to Take on Google, Amazon and Microsoft in Cloud Storage Battle. Last modified June 11, 2015.

  69. Thierer, A. (2013). Privacy law’s precautionary principle problem. Maine Law Review, 66, 467–486.

    Google Scholar 

  70. Varian, H. R. (1997). Economic aspects of personal privacy. In Privacy and Self-Regulation in the Information Age. US Department of Commerce.

  71. Warren, S. D., & Brandeis, L. D. (1890). The right to privacy. Harvard Law Review, 193–220.

  72. Yang, S., Santillana, M., & Kou, S. C. (2015). Accurate estimation of influenza epidemics using google search data via ARGO. Proceedings of the National Academy of Sciences, 112(no. 47), 14473–14478.

    Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Caleb S. Fuller.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Fuller, C.S. The perils of privacy regulation. Rev Austrian Econ 30, 193–214 (2017).

Download citation


  • Economics of digital privacy
  • Regulation
  • Market process

JEL Classification

  • K29
  • L51
  • B53