Measuring Costs and Benefits of Privacy Controls

Conceptual Issues and Empirical Estimates
January 31, 2019

Originally published in the Journal of Law, Economics & Policy Vol. 15, No. 1 (Winter 2018).


As increasing amounts of personal information become potentially available to internet providers, the government, and employers, a lively debate has emerged concerning the role of public policy in ensuring a proper balance between the various parties who may benefit from greater access to information and the protection of individual rights to privacy. A recent example is legislation passed in Congress repealing a regulation that “would have required internet service providers—like Comcast, Verizon and Charter—to get consumers' permission before selling their data.” As Robert Hahn, Anne Layne-Farrar, and Adam Thierer have noted, it is desirable that this debate be informed by a formal cost-benefit analysis based on empirical measures of costs and benefits.

Additionally, emerging technologies such as highly automated vehicles (HAVs or driverless cars) and unmanned aircraft systems (UAS or drones) bring privacy concerns to the forefront—particularly regarding the proper role of federal regulatory agencies. Accordingly, agencies such as the National Highway Traffic and Safety Administration (NHTSA) and the Federal Aviation Administration (FAA) currently face the difficult task of balancing their objectives of issuing sensible regulations that offer protections to consumers and allowing continued innovation and use of these emerging technologies.

The regulatory process “incorporates significant requirements regarding the collection, use and accessibility of data that differ from other policymaking processes.” Statutes, such as the Administrative Procedure Act of 1946 (APA), require agencies to “justify most regulatory decisions based on the data, analyses, and other information collected and made part of a publically available record.” Data and other evidence used by agencies to justify rulemaking become part of the public record and are particularly relevant in the case of judicial review, where regulations can be vacated if reviewing courts determine agency actions to be “arbitrary and capricious.” The APA is only one of numerous mandates that constrain and guide the rulemaking process.

Usable estimates of consumer privacy are a benefit to federal regulatory agencies because of the existing analytical requirements for collecting information under laws, such as the Paperwork Reduction Act (PRA). The PRA requires agencies “to justify any collection of information from the public by establishing the need and intended use of . . . information . . . and showing that the collection is the least burdensome way to gather the information.” Agencies must receive approval from the Office of Information and Regulatory Affairs (OIRA) before initiating any information collection from ten or more people.

In short, these mandates require agencies to base their rulemaking on a thorough analysis of regulatory costs and benefits, with added requirements to conduct retrospective ex post review of regulatory impacts. As the U.S. economy grows exponentially reliant on data generated by the collection of individuals’ personally identifiable information (PII), regulatory agencies will need empirical measures of consumer valuations of privacy.

Our article strives to contribute to the development and greater use of such empirical measures. Drawing on the economics of privacy literature, we summarize why the costs and benefits of privacy controls should be measured in principle. We then discuss attempts that have been made to measure the costs and benefits of privacy control. Finally, we synthesize the various findings to advance promising practices for generating useful estimates of U.S. consumers’ valuation of privacy.