Measuring Costs and Benefits of Privacy Controls: Conceptual Issues and Empirical Estimates

Internet privacy
by Joseph J. Cordes, Co-Director & Daniel R. Pérez, Policy Analyst
November 06, 2017

Download working paper (PDF)


As more and more items of personal information become potentially available to internet providers, the government, and employers, a lively debate has emerged about the role of public policy in ensuring a proper balance between the various parties who may benefit from greater access to information, and the protection of individual rights to privacy. A recent example is legislation passed in the Congress repealing a regulation that “would have required Internet service providers—like Comcast, Verizon and Charter—to get consumers’ permission before selling their data.”[1] As Hahn and Layne-Farrar[2] and Adam Thierer[3] have noted, it is desirable that this debate be informed by a formal benefit-cost analysis based on empirical measures of benefits and costs.

Additionally, emerging technologies such as highly automated vehicles (HAVs or “driverless cars”) and unmanned aircraft systems (UAS or “drones”) bring privacy concerns to the forefront—particularly regarding the proper role of federal regulatory agencies. Accordingly, agencies such as the National Highway Traffic and Safety Administration (NHTSA) and the Federal Aviation Administration (FAA) currently face the difficult task of balancing their objectives of issuing sensible regulations that offer protections to consumers, with allowing continued innovation and use of these emerging technologies.

It is worth noting that the regulatory process “incorporates significant requirements regarding the collection, use and accessibility of data that differ from other policymaking processes.”[4] Statutes such as the Administrative Procedure Act of 1946[5] (APA) require agencies to “justify most regulatory decisions based on the data, analyses, and other information collected and made part of a publically available record.”[6] Data and other evidence used by agencies to justify rulemaking become part of the public record and are particularly relevant in the case of judicial review—where regulations can be vacated if courts determine agency actions to be “arbitrary and capricious.”[7] The APA is only one of numerous mandates that constrain and guide the rulemaking process.[8]

Usable estimates of consumer privacy are of particular benefit to federal regulatory agencies considering existing analytical requirements concerning the collection of information such as the Paperwork Reduction Act (PRA).[9] The PRA requires agencies “to justify any collection of information from the public by establishing the need and intended use of…information…and showing that the collection is the least burdensome way to gather the information.”[10]Agencies must receive approval from the Office of Information and Regulatory Affairs (OIRA) before initiating any information collection from ten or more people.[11]

In short, these mandates require agencies to base their rulemaking on a thorough analysis of regulatory benefits and costs—with added requirements to conduct retrospective (ex post) review of regulatory impacts. As the U.S. economy continues to be exponentially reliant on data generated via the collection of individuals’ personally identifiable information (PII), regulatory agencies will need empirical measures of consumer valuations of privacy.

Our paper hopes to contribute to the development and greater use of such empirical measures. Drawing on the economics of privacy literature, we summarize the insights that this literature has to offer about how the benefits and costs of privacy controls should be measured in principle. We then discuss attempts that have made been to measure the benefits and costs of privacy control. Finally, we synthesize the various findings to advance promising practices for generating useful estimates of U.S. consumers’ valuation of privacy.

Continue reading

[1]    Brian Naylor, Congress Overturns Internet Privacy Regulation, NPR (2017), available at

[2]    See Robert W. Hahn & Anne Layne-Farrar, The Benefits and Costs of Online Privacy Legislation, 54 Admin. L. Rev. 85, (2002).

[3]    See Adam D. Thierer, A Framework for Benefit-Cost Analysis in Digital Privacy Debates, 20 Geo. Mason L. Rev. 1055, 1056-57 (2013).

[4]    Marcus C. Peacock, Sofie E. Miller & Daniel R. Pérez, Public Interest Comment to the Commission on Evidence-Based Policymaking 2 (2016), available at (detailing a framework for producing evidence-based regulation structured around the three main phases of regulating: design, decision-making, and retrospective review).

[5]    Pub. L. No. 79-404, 60 Stat. 237.

[6]    Peacock, Miller & Pérez, supra note 7, at 2.

[7]    5 U.S.C. § 706(2)(A).

[8]    See, e.g., The Privacy Act of 1974, 5 U.S.C. § 552(a). See generally Susan E. Dudley & Jerry Brito, The Mercatus Ctr. and The Geo. Wash. Uni. Reg. Studies Ctr., Regulation: A Primer, 45-7 (2d ed. 2012) (for a thorough list of laws and executive orders affecting regulatory policymaking). See also Susan E. Dudley, Putting a Cap on Regulation, 42 Reg. Law News, American Bar Association 4-6 (2017) (for a detailed explanation of executive orders affecting the rulemaking process signed by President Trump which include: Exec Order No. 13,771, 82 Fed. Reg. 9339 (February 3, 2017) and Exec Order No. 13777, 82 Fed. Reg. 12285 (March 1, 2017).

[9]    44 U.S.C. §§3501-3520

[10]   Maeve P. Carey, Cost-Benefit and Other Analysis Requirements in the Rulemaking Process, Congressional Research Service, CRS Report R41974 (2014) 1-31 at 14-5.

[11]   Id. at 15.