INFORMS (Institute for Operations Research and Management Sciences)
Abstract
We study the incentives of a digital business to collect and protect users' data. The users' data the business collects improve the service it provides to consumers, but they may also be accessed, at a cost, by strategic third parties in a way that harms users, imposing endogenous privacy costs on users. We characterize how the revenue model of the business shapes its optimal data strategy: collection and protection of users' data. A business with a more 'data-driven' revenue model will collect more users' data and provide more data protection than a similar business that is more 'usage-driven'. Consequently, if users have small direct benefit from data collection, then more usage-driven businesses generate larger consumer surplus than their more data-driven counterparts (the reverse holds if users have large direct benefit from data collection). Relative to the socially desired data strategy, the business may over- or under-collect users' data and may over- or under-protect it. Restoring efficiency requires a two-pronged regulatory policy, covering both data collection and data protection; one such policy combines a minimal data protection requirement with a tax proportional to the amount of collected data. Finally, we show that existing regulation in the US, which focuses only on data protection, may even harm consumer surplus and overall welfare.