A recent Warwick Business School study has found that privacy regulations, such as the General Data Protection Regulation (GDPR) in Europe, could indirectly trigger a larger degree of personal information sharing by websites. This raises questions regarding the effectiveness of privacy protections online.

Many websites monetise from user data, engaging ‘third parties’ and allowing them to use cookies to track online activity. To curb this widespread practice, government regulations imposing data sharing transparency and user consent obtention were established. Surprisingly, the research indicates that such regulations have resulted in a broader sharing of personal data.

The study, led by Ram Gopal, Professor of Information Systems Management at Warwick Business School, demonstrates that the GDPR-style privacy laws resulted in more engagement with third parties by websites. Professor Gopal commented, “Widespread privacy abuses have prompted calls for governments to protect consumer rights. But our research found that these policies led to an increase in third-parties and data sharing.” He added, “This will remain the case as long as some internet users are willing to accept higher data sharing in order to avoid paying for content.”

Warwick Business School, in collaboration with the Haskayne School of Business in Canada and Miami Herbert Business School in the U.S., employed an automated tool which visited 100,000 highly ranked websites daily. The aim was to record the number of third parties each site used and thus study the impact of regulatory policies.

Most nations have adopted a non-intervention approach, with 'consent-based' regulation appearing relatively unusual. California remains the only US state to implement GDPR-like restrictions. The study also discussed an alternative method, experienced in sectors such as news and healthcare in the United States, which involves subsidising websites that refrain from excessive data sharing.

Professor Gopal explained, “Subsidising websites that follow stricter privacy guidelines is like using a scalpel, allowing policymakers to sculpt around target markets. Consent-based policies are more like a sledgehammer, hitting everyone equally.” Yet both policies pose the risk of driving websites out of business by causing a revenue loss, thereby reducing competition which could negatively impact internet users and society at large. Gopal concluded, “Policymakers need to be aware of these unintended consequences when making regulations.”

The study entitled 'Law, Economics, and Privacy: Implications of Government Policies on Website and Third-Party Information Sharing', unravels critical insights into the trade-off between privacy protections and the potential ripple effects on the digital ecosystem. These findings posed noteworthy implications for stakeholders, including policymakers, businesses, and users, in striking the right balance in the evolving online privacy landscape.