(https://dx.doi.org/10.2139/ssrn.4350362), with Jens Frankenreiter & Dan Svirsky
Most major jurisdictions require websites to provide customers with privacy policies. For consumers, a privacy policy’s most important function is to provide them with a description of the online service provider’s current privacy practices. We argue that these policies also serve a second, often-overlooked function: they allocate residual data usage rights to online services or consumers, including the power to decide whether a service can modify its privacy practices and use consumer data in novel ways. We further argue that a central feature of the E.U.’s General Data Protection Regulation (GDPR), one of the most comprehensive and far-reaching privacy regulatory regimes, is to restrict privacy policies from allocating broad rights for future data usage to service providers. We offer a theoretical explanation for this type of regulatory intervention by adapting standard models of incomplete contracts to privacy policies. We then use the model to consider how U.S. firms reacted to the GDPR. We show that U.S. websites with E.U. exposure were more likely to change their U.S. privacy policies to drop any mention of a policy modification procedure. Among websites that do not have E.U. exposure, we see the opposite trend and discuss how to understand these changes in the context of an incomplete contracts model.