Introduction

This Article examines the welfare impact of the European Union’s (“EU’s”) sweeping digital privacy regulation, the General Data Protection Regulation (“GDPR”). Since 2018, all organizations that service EU-based individuals must comply with the GDPR. Broadly, the regulation requires organizations to guarantee rights related to access, consent, erasure, and data portability¹Ben Wolford, What is GDPR, the EU’s New Data Protection Law?, GDPR.EU, https://perma.cc/R58J-ZPSN. to users of their websites and applications.²GDPR is not necessarily limited to online activities by “users” and is more broadly about “individuals”; however, given the primary focus of the regulation on digital markets, this Article primarily uses the phrase “users,” while keeping in mind the above caveat. Penalties can include up to four percent of a company’s global revenues.³Id.

At the time of the implementation, the regulation was hailed as shifting the balance of power to consumers and “a chance to flip the economics of the industry.”⁴Nitasha Tiku, Europe’s New Privacy Law Will Change the Web, and More, Wired (Mar. 19, 2018, 6:00 AM), https://perma.cc/BRX4-SFWG; see also Adam Satariano, G.D.P.R., a New Privacy Law, Makes Europe World’s Leading Tech Watchdog, N.Y. Times (May 24, 2018), https://perma.cc/Y7L2-7KSM (“‘If we can export this to the world, I will be happy,’ said Vera Jourova, the European commissioner in charge of consumer protection and privacy who helped draft G.D.P.R.”). Others, however, were more cautious and speculated about potential unintended consequences—including the entrenchment of large incumbents.⁵See, e.g., Jedidiah Yueh, GDPR Will Make Big Tech Even Bigger, Forbes (June 26, 2018, 7:15 AM), https://perma.cc/VF2Q-JE6W (“Ironically, big tech companies such as Facebook, Amazon, Apple and Google benefit from a silver lining when it comes to being regulated—what hurts their competitors more only makes them stronger.”); How the GDPR Impacts and Suffocates Small and Medium Businesses, i-Scoop https://perma.cc/X5AZ-SCR9 (“Small and medium businesses are far from ready for the GDPR.”); see also Darcy W.E. Allen, Alastair Berg, Chris Berg, Brendan Markey-Towler & Jason Potts, Some Economic Consequences of the GDPR, 39 Econ. Bull. 785 (2019) (arguing that a potential fallout from the GDPR would be the creation of insurance data markets). Additionally, others estimated significant direct costs of compliance.⁶See, e.g., Dzof Azmi, GDPR: A Problem You May Not Know About, Digit. News Asia (Mar. 13, 2018), https://perma.cc/PT7T-XQDJ (“According to a recent PwC survey, 68% of US-based companies expect to spend US$1 million (RM3.9 million) to US$10 million to meet GDPR requirements. Another 9% expect to spend more than US$10 million.”). Ultimately, as with all regulation, the question is whether the actual impact of the policies matches the stated intent and goals of the regulation and, if so, at what cost—both anticipated and unanticipated.⁷See, e.g., Sam Peltzman, The Effects of Automobile Safety Regulation, 83 J. Pol. Econ. 677 (1975) (pioneering research into the unintended consequences of regulation); see also Thom Lambert, How to Regulate: A Guide for Policymakers 10 (2017) (“[R]egulations may err in two directions. They may prohibit or dissuade conduct that should be allowed or encouraged, or they may fail to condemn activities that should be precluded.”).

GDPR’s intended ex ante tradeoff is clear.⁸See, e.g., Council Regulation 2016/679 of April 17, 2016, Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data 2016, O.J. (L 119) (EU), https://perma.cc/4BR3-FC3T [hereinafter General Data Protection Regulation]. While GDPR is broadly about various measures of data protection, one notable aspect of the regulation is to give individuals greater control over their personal data, inter alia, via consent options for cookies and other trackers, the right to be forgotten, and guarantees of data portability.⁹Id. art. 7, 17, 20. With this elevated level of privacy, the hope is that users will feel safer while navigating digital markets and online content—achieving the greater social goal of protecting fundamental rights to privacy.¹⁰Id. art. 1 (“This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”). Of course, there are costs of compliance on the supply side—both direct, in terms of the legal and technical costs to adhere to the constraints of the regulation, and indirect, including the reality that businesses must operate using less data and perhaps less revenue.¹¹See infra Part I for a detailed discussion of GDPR’s impact on supply-side costs. Ultimately, the impact of the regulation must consider both these effects. Further, even on the demand side, while there may be static gains in terms of user privacy, there may be dynamic losses due to, for instance, lower levels of innovation or greater market concentration if the regulation disproportionately harms smaller or medium-sized firms.¹²Id.

This Article seeks to examine the ex post reality of the impact of GDPR on various measures of market performance. While the economic evidence is still emerging, the report card thus far (a) affirms that the regulation has altered business practices as it relates to user data, which is perhaps no surprise given the potential for penalties reaching 4% of global revenues, but also (b) indicates some concerning, negative impacts on startup activity, innovation, market concentration, and overall market contestability.¹³See, e.g., Garrett A. Johnson, Economic Research on Privacy Regulation: Lessons from the GDPR and Beyond 1 (Nat’l Bureau of Econ. Rsch., Working Paper No. 30705), https://perma.cc/V8HP-YC34 (“The economic literature on the GDPR to date has largely—though not universally—documented harms to firms. These harms include firm performance, innovation, competition, the web, and marketing. On the elusive consumer welfare side, the literature documents some objective privacy improvements as well as helpful survey evidence.”); Damien Geradin, Theano Karanikioti & Dimitrios Katsifis, GDPR Myopia: How a Well-Intended Regulation Ended Up Favouring Large Online Platforms – The Case Of Ad Tech, 17 Euro. Comp. J. 1, 2 (2020) (“This is what we understand by ‘GDPR Myopia’: in its effort to improve the protection of data subjects, the GDPR worsened one of the main problems experienced in digital markets today, which is increased market concentration and reduced contestability.”). Further, GDPR enforcement is not merely a story of robbing Peter (online businesses) to pay Paul (users). Even if user privacy—on some dimension—has increased, other market dimensions impact a user’s welfare. Again, regulations that adversely impact the rate of innovation and startup activity will result in dynamic harm to both users and firms—even if there are some identifiable static gains to users. The question, therefore, is perhaps more about how much Peter and Paul are paying.

The totality of the empirical evidence is critical to examining the wisdom of implementing sweeping regulations—particularly on markets and sectors characterized by high levels of innovation.¹⁴See, e.g., Axel Voss, How to Bring GDPR into the Digital Age, Politico (Mar. 25, 2021, 4:06 AM) https://perma.cc/EL6V-E579 (highlighting that GDPR “has been a huge headache for the average business, organization and citizen. But most importantly, the GDPR is seriously hampering the EU’s capacity to develop new technology and desperately needed digital solutions, for instance in the realm of e-governance and health”). As more jurisdictions contemplate some form of privacy regulation to emulate the GDPR, these results represent a cautionary tale. Explicitly, there are indications that negative consequences from regulation of digital markets are not unique to GDPR and also plague U.S. privacy regulations.¹⁵See, e.g., William Rinehart, What is the Cost of Privacy Legislation? A Collection of Estimates, Ctr. for Growth & Opportunity (Nov. 17, 2022), https://perma.cc/3DVM-9BG2 (examining the costs of the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), Children’s Online Privacy Protection Rule (“COPPA”), Enact Ohio Personal Privacy Act, and GDPR). Further, as the EU’s Digital Markets Act (“DMA”) and Digital Services Act (“DSA”) begin to be enforced, there are similar questions about whether these regulations will enhance welfare or even address the stated intent of improving the competitiveness of the regulated markets and sectors.

While others have also offered excellent and valuable summaries of prior GDPR research findings,¹⁶See, e.g., Avi Goldfarb & Verina F. Que, The Economics of Digital Privacy, 15 Annu. Rev. Econ. 267, 281 (2023); Johnson, supra note 13, at 17–26. to my knowledge, this Article offers the most comprehensive examination of empirical studies on GDPR—including some very recent research. In total, the results of thirty-one empirical studies of GDPR’s impact are included.¹⁷An important caveat is that several studies are working papers and, thus, not subject to the peer-review process. Consequently, those results should always be considered under that light. Nonetheless, giving the relatively recent passage of GDPR and the value from assessing the early returns, it is still useful to consider working papers with the appropriate caveat. Organizationally, Part I summarizes each study to identify common themes from the results. Part II offers some policy implications and several closing points. What ultimately emerges is a conclusion consistent with what Professors Garrett Johnson and Avi Goldfarb, with Verina Que, ultimately find: while there are some gains in terms of user data, these are offset by harms to online experiences, increases in concentration, and lower levels of innovation, entry, and investment.¹⁸See Goldfarb & Que, supra note 16, at 280 (“Overall, the conclusion from these papers is that the GDPR led to an immediate reduction in web visits and revenue . . . and a reduction in the efficiency of online search . . . . It also appears to have reduced the firms’ ability to target advertising and track consumers . . . . Competition appears to have decreased in the online advertising market . . . , and there was a decline in new firms, venture capital investment, and new apps . . . . In summary, the early evidence in the aftermath of the GDPR is that it worked, in the sense that firms were using less data in the year following the law’s passing. This, however, had costs in terms of firm profits, the consumer online experience, innovation, and competition. There is some suggestive evidence that the impact has declined over time, with both less consumer protection and less impact on concentration. . . .” (internal citations omitted)); Johnson, supra note 13, at 1 (“The economic literature on the GDPR to date has largely—though not universally—documented harms to firms. These harms include firm performance, innovation, competition, the web, and marketing. On the elusive consumer welfare side, the literature documents some objective privacy improvements as well as helpful survey evidence.”).

I.      A Review of the Empirical Studies Examining GDPR

There has been growing economic literature on the impact of GDPR on various performance measures. Broadly, the various studies cover a range of market outcomes, including concentration, data collection, tracking, profits, venture capital activity, ad targeting, content creation, and interconnection agreements. This Part summarizes the thirty-one empirical studies that have emerged that address the effects of GDPR on user and firm outcomes. These studies are grouped into four subheadings to organize the discussion: consumer-side, supply-side, privacy-focused, and market-side impacts. These subheadings are merely rough boundaries—as many studies touch on multiple areas.

A.      Consumer-Side Impacts

Professors Guy Aridor, Yeoon-Koo Che, and Tobias Salz examined the impact of GDPR on an online travel intermediary and found a 12.5% drop in total cookies used to track users; however, for the remaining users, they found that the fraction of consumers persistently tracked increased by 8%.¹⁹Guy Aridor, Yeon-Koo Che & Tobias Salz, The Effect of Privacy Regulation on the Data Industry: Empirical Evidence from GDPR, 54 RAND J. Econ. 695, 697 (2023). In other words, evidence suggested some users decided to opt out of tracking, but this resulted in a small yet significant bump in the number of remaining consumers being tracked for a longer period of time. Further, this change in user patterns resulted in a drop in advertising revenue—mitigated, however, by the remaining set of consumers being more valuable to advertisers.²⁰Id. at 698. Finally, the authors found that the ability to predict whether a consumer would purchase something on the website “did not significantly worsen” after the regulation.²¹Id. The study found that there is an information externality when users who opt out, in effect, give more information about the users who opt in.²²Id. Consequently, the welfare impact on the remaining users is unclear.²³Id. Finally, the authors found that smaller advertisers face higher costs, which can put them at a disadvantage relative to large incumbent technology firms that can collect data from more sources.²⁴Id. at 719 (“[A]lthough our results highlight that increased consent requirements may not be wholly negative, if consumers are similarly using such opt-out capabilities at our estimated rates in other markets (such as behaviorally-targeted advertising markets), then such regulation may put smaller firms at a disadvantage relative to the internet giants.”).

Using survey and experimental data, Professor Paul Bauer and his coauthors asked whether online trust has increased with the passage of GDPR,²⁵Paul C. Bauer, Frederic Gerdon, Florian Keusch, Frauke Kreuter & David Vannette, Did the GDPR Increase Trust in Data Collectors? Evidence from Observational and Experimental Data, 25 Info. Commc’n & Soc’y 2101 (2022). which would be one natural inference under the notion that privacy regulations give users a greater assurance of privacy quality. Yet, “[a]gainst [their] expectations [they] d[id] not find an effect [on trust in data collectors] both relying on [their] panel survey and a survey experiment based on German samples.”²⁶Id. at 2113. The authors offer various potential explanations for this non-effect but offer no definitive conclusions.²⁷Id. at 2113–15. One implication is that GDPR compliance may not signal much value to the market.

Professor Rebecca Janßen and her coauthors determined the impact of the policy on the number of apps available in Google’s Play Store.²⁸Rebecca Janßen, Reinhold Kesler, Michael E. Kummer & Joel Waldfogel, GDPR and the Lost Generation of Innovative Apps 2 (Nat’l Bureau of Econ. Rsch. Working Paper No. 30028, May 2022), https://perma.cc/Y4H3-QCV7 (“[W]e estimate that the depressed post-GDPR entry rate [of mobile apps] would give rise to a long-run 32 percent reduction in consumer surplus and a 30.6 percent reduction in aggregate usage and therefore revenue.”). Several authors, however, have suggested that Janßen et al. require more data to disentangle the impact of GDPR from other potential explanations. See generally Konrad Kollnig & Reuben Binns, The Cost of the GDPR for Apps? Nearly Impossible to Study without Platform Data (May 13, 2022), https://perma.cc/BJ2Z-MVFV. Using detailed app data from 2016 to 2019, they measured that (1) GDPR reduced the number of apps available, (2) new entry of apps fell by half, and (3) consumer surplus and aggregate app usage fell by about a third.²⁹Janßen et. al., supra note 28, at 1–2. Of course, a full assessment of welfare must also account for the privacy gains that may have been conferred to consumers; nonetheless, the results paint a fairly grim consequence of the regulation on the app ecosystem.³⁰Id. at 2 (“Whatever the benefits of GDPR’s privacy protection, it appears to have been accompanied by substantial costs to consumers, from a diminished choice set, and to producers from depressed revenue and increased costs.”). The authors found some evidence that apps became less intrusive due to the GDPR; although, there was a pre-existing trend in that direction.³¹Id. The mechanism of harm identified by Janßen is that, ex ante, due to the higher cost of operation from GDPR compliance, the regulation deters a greater number of apps from entering.³²Id. at 7–8. This did raise the argument that their results imply the regulation is working and keeping out low-quality apps. Nonetheless, the authors were aware of this possibility and determined that GDPR likely prevented the launch of successful apps.³³Id. at 22. Ultimately, while cautious about drawing definitive policy conclusions, the authors explained that “whatever its beneficial impacts on privacy protection, [GDPR] also produced the unintended consequence of slowing innovation” and “factors hindering entry . . . can deliver substantial welfare losses.”³⁴Id. at 37.

Dr. Julia Schmitt and Professors Klaus Miller and Bernd Skiera considered GDPR’s impact on over 6,000 websites in terms of total user visits and revenues.³⁵Julia Schmitt, Klaus M. Miller & Bernd Skiera, The Impact of Privacy Laws on Online User Behavior 1 (HEC Paris Research Paper No. MKG-2021-1437, Oct. 1, 2021), https://perma.cc/DRB6-K82U. They estimated that GDPR reduced user visits by 5% and 10% in terms of the short-run and long-run effects, respectively.³⁶Id. at 5–6. In terms of the number of visits per user, the results were mixed.³⁷Id. at 6. For websites that experience a decline in overall traffic, the remaining users increased the number of visits by 4.8%.³⁸Id. In contrast, for websites that experienced an increase in overall travel, user intensity declined by about 9%.³⁹Id. Finally, smaller websites felt the loss disproportionately (declines between 10% and 21%) compared to more popular websites (declines between 2% and 9%).⁴⁰Id.

Professors Pradeep Chintagrunta and Pinar Yildirim, with Yu Zhao, quantified GDPR’s impact on consumers’ online search and browsing behavior using a panel across four countries (the United Kingdom, Spain, the United States, and Brazil).⁴¹Yu Zhao, Pinar Yildirim & Pradeep Chintagrunta, Privacy Regulations and Online Search Friction: Evidence from GDPR 2–3 (Aug. 2021) (unpublished manuscript) (on file with authors), https://perma.cc/X3X8-JYFG. The data revealed that the EU panelists (which included UK users) visited 14.9% more domains, browsed 0.37% more pages per domain, and spent 44.7% more time on the web after GDPR relative to the non-EU panelists.⁴²Id. at 3. This led the authors to suggest that “[t]hese increased engagement outcomes from consumers are consistent with both the enhanced privacy benefits of GDPR and the inefficiency firms face to reach out to customers.”⁴³Id. In terms of search, the data indicated that EU panelists submitted 4.8% more search terms per topic, which is “consistent with the idea of higher information friction.”⁴⁴Id. at 3–4. Further, EU panelists spent 11.2% more time browsing products and considered 10.6% additional products, again, which is consistent with higher frictions.⁴⁵Id. at 4.

Continuing with Chintagunta, Yildirim, and Zhao, they discovered that the ultimate impact on markets and firms is favorable to larger firms with greater market share.⁴⁶Id. They found that, post-GDPR, larger websites experienced six times the increase in transactions than smaller websites.⁴⁷Zhao et al., supra note 41, at 4. This led the authors to conclude that “[o]verall, the post-GDPR online environment may be less competitive for online retailers and may be more difficult for EU consumers to navigate through.”⁴⁸Id. at 1. Specifically, “higher online activity stems from a higher challenge for EU panelists to find the products and services of interest to them after GDPR.”⁴⁹Id. at 31.

B.      Supply-Side Impacts

Dr. Chinchih Chen and Professor Carl Benedikt Frey, with Giorgio Presidente, assessed the impact of GDPR on financial performance using a dataset spanning sixty-one countries and thirty-four industries.⁵⁰Chinchih Chen, Carl Benedikt Frey & Giorgio Presidente, Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally (The Oxford Martin Working Paper Series on Technological and Economic Change, No. 2022-1, 2022), https://perma.cc/884E-GRV6. They found that exposure to GDPR resulted in a decline of 8% in profits and 2% in sales.⁵¹Id. at 2 (“Our baseline estimates suggest that, on average, firms operating in the EU experienced a 8% reduction in profits, and a 2% decrease in sales, in response to the enforcement of the GDPR in 2018, which implies that the regulation adversely impacted firm performance primarily through the cost channel.”). Importantly, however, the exception to this decline was large technology companies, whereas the profit decline among small technology companies was almost double the average effect.⁵²Id. This finding of a regressive impact on firm performance represents an unintended consequence of the regulation, as there has been a clear attempt globally to restrain “big tech” via ex ante regulation and ex post antitrust challenges.

Dr. Geza Sapi and Professor Lorien Sabatino, with Raffaele Congiu, found that GDPR has a negative impact on web traffic (i.e., 15%).⁵³Raffaele Congiu, Lorien Sabatino & Geza Sapi, The Impact of Privacy Regulation on Web Traffic: Evidence From the GDPR, 61 Info. Econ. & Pol’y 1 (2022). They also measured significant reductions in website traffic triggered by email marketing and display ads.⁵⁴Id. at 2–3. Although, notably, website traffic from paid search—mainly from Google—was not impacted.⁵⁵Id. at 3. Similar to other studies, they concluded that the impact of GDPR on websites is regressive—with a twist.⁵⁶Id. at 2. Smaller firms experienced website traffic declines compared to medium-sized firms, which were unaffected and even grew.⁵⁷Id. Although, unlike other studies, they also estimated a negative impact on larger site traffic.⁵⁸Id. Also similar to increased search frictions, the authors discovered a significant increase in the “bounce rate,” which is the share of visitors that almost immediately leave a site after arriving.⁵⁹Congiu et al., supra note 53, at 2. Despite these findings, the authors speculated that “it appears to us that additional consumer benefits may easily outweigh the implied losses of website traffic[.]”⁶⁰Id. at 15.

Dr. Caterina D’Assergio and her coauthors assessed whether permission emails sent to users in the wake of GDPR involved different strategies and persuasions.⁶¹Caterina D’Assergio, Puneet Manchanda, Elisa Montaguti & Sara Valentini, The Race for Data: Gaming or Being Gamed by the System? (Oct. 2022) (unpublished manuscript) (on file with authors), https://perma.cc/FBW2-RWMD. While GDPR mandates user opt-in, the authors noted that the specific format for these permissions is not regulated.⁶²Id. at 4. Using a dataset of approximately 1,500 of these emails, they confirmed that firms used different types of strategies, framing, and persuasion to secure user opt-in.⁶³Id. at 6–7. The authors characterized the various approaches as either (a) “endorsing the regulator’s intent and pursuing consumer interest” or (b) “seeking self-interest.”⁶⁴Id. at 4. Ultimately, what this study highlights is the inherent imprecision of regulation.⁶⁵Id. at 44 (“[F]irms took advantage of the freedom left by the policy, which did not impose a specific format for the text of the messages designed to request opt-in, and acted in their self-interest.”). Further, despite the study’s characterization that firms “gamed the system,”⁶⁶Id. it is unclear why firms should be obligated to conform with the regulator’s intent or why persuasion and the use of incentives (e.g., providing a discount) are necessarily harmful to users.

Dr. Adrian Dabrowski and his coauthors examined the impact of GDPR on how websites use cookies.⁶⁷Adrian Dabrowski, Georg Merzdovnik, Johanna Ullrich, Gerald Sendera & Edgar Weippl, Measuring Cookies and Web Privacy in a Post-GDPR World, in 1149 Passive and Active Measurement 258, 258–70 (David Choffnes & Marinho Barcellos eds., 2019). They executed this study by determining whether different jurisdictions—including those not subject to GDPR—collect cookies in different ways.⁶⁸Id. at 259. Specifically, they looked at persistent cookie usage between EU and U.S. users. They discovered a spillover effect in that websites appear to be adopting a uniform approach to privacy post-GDPR, and overall cookie load had fallen by 46.7% in the United States compared to pre-GDPR data in 2016.⁶⁹Id. at 269. Yet, they did measure a differential between EU and U.S. consumers. Of the top 1,000 websites tracked by Alexa, “49.3% of cookie-using websites of the Alexa Top 1,000 choose to refrain from cookie setting without consent on the first visit when facing an EU visitor, when they would for other visitors.”⁷⁰Id. at 268.

Using seven years—2015 to 2021—of confidential data from a large cloud computing provider, Professor Mert Demirer and his coauthors estimated that GDPR led to EU firms having significant declines in data storage (by 26%) and data processing (by 15%) relative to comparable U.S. firms.⁷¹Mert Demirer, Diego Jiménez-Hernández, Dean Li & Sida Peng, Data, Privacy Laws and Firm Production: Evidence from the GDPR 2 (Nat’l Bureau of Econ. Rsch. Working Paper No. 32146, 2024), https://perma.cc/X9ML-H6DT. Of course, this finding was consistent with the idea that the regulation effectively reduces overall online data; although, the authors found the magnitude of the impact to be “noteworthy.”⁷²Id. at 25. After developing an estimate of the elasticity of substitution between data and computation, the authors discovered that they are complements in production, which led to the conclusion that the “strong complementarity suggests that firms cannot easily substitute toward computation when faced with increased data costs.”⁷³Id. at 3. This result indicates that GDPR distorts a given firm’s optimal mix of data and computation, which, some could argue, is the actual point of GDPR. Nonetheless, like other studies, the authors found that larger firms experienced less distortion in data storage due to the regulation,⁷⁴Id. at 4 (“We find that larger and more compute-intensive firms experienced smaller wedges [the costs imposed by regulation on the marginal cost of storing data] from the GDPR.”); id. at 37–38 (“The results suggest that the distortionary effects of the GDPR are highest for the smallest firms, with a wedge equivalent to a 25% tax, and with monotonically decreasing effects as the firm size gets bigger.”). which implies less deviation from the optimal mix for these larger firms.

Professors Samuel Goldberg, Garrett Johnson, and Scott Shriver used a dataset of over one thousand websites to track the impact that GDPR had on recorded page views and revenues, which they found fell 11.7% and 13.3%, respectively, after the introduction of GDPR.⁷⁵Samuel G. Goldberg, Garrett A. Johnson & Scott K. Shriver, Regulating Privacy Online: An Economic Evaluation of the GDPR, 16 Am. J. Econ. Pol’y 325, 354 (2024). They presented evidence that a nonnegligible portion of consumers benefited from opting out of data collection.⁷⁶Id. at 327 (“Our estimates suggest that a nonnegligible portion of consumers are benefitting from the ability to opt out of data collection.”). Nonetheless, they also estimated the regulatory impact harms small sites relative to large ones.⁷⁷Id. at 328. Specifically, smaller e-commerce sites experienced over twice the decline in recorded revenue (-16.7%) compared to larger sites (-7.9%) due to a disparity in obtaining consent.⁷⁸Id. Ultimately, the authors concluded that their “results illuminate real consequences of the GDPR for online firms.”⁷⁹Id. at 355.

Johnson, Shriver, and Goldberg also looked at the impact of GDPR on business-to-business data sharing.⁸⁰Garrett A. Johnson, Scott K. Shriver & Samuel G. Goldberg, Privacy and Market Concentration: Intended and Unintended Consequences of the GDPR, 69 Mgmt. Sci. 5695, 5696 (2023). Specifically, they studied the market for website vendors who offer technology support services to websites—both small and large.⁸¹Id. at 5695 (“These services include raising ad revenue, hosting audiovisual content, measuring visitor activity, and facilitating social media sharing. Web technology is an area of concern for privacy regulators because of its large-scale personal data processing.”). Post-GDPR, website vendors experienced a decline in use on the order of 15%, including advertising-related vendors, but smaller vendors disproportionately felt the decline.⁸²Id. at 5696, 5715. The authors also note that vendor use returned to pre-GDPR levels by the end of 2018; however, this does not imply that the GDPR had no impact as we do not observe the relevant counterfactual. Further, the decline persisted in advertising-related vendors. In turn, this regressive impact resulted in greater market concentration in the website vendor market by 17%.⁸³Id. at 5696. This led the authors to suggest “[a]s policymakers wrestle with how to protect individual privacy, they may therefore seek to balance the risk of increasing the concentration of personal data ownership and increasing market power.”⁸⁴Id. at 5715.

Dr. Heli Koski and Nelli Valmari examined the first-year compliance costs of GDPR, its impact on profit margins, and how these costs may alter the relative competitive positions of smaller and larger firms.⁸⁵Heli Koski & Nelli Valmari, Short-term Impacts of the GDPR on Firm Performance (Rsch. Inst. of the Finnish Econ. (ETLA) Working Papers, No. 77, 2020), https://perma.cc/3GVM-MFXD. Undoubtedly, given the potential severity of a fine, firms have expended significant resources to comply with GDPR.⁸⁶Id. at 5. The authors estimated substantial compliance costs, where profit margins of European data-intensive firms had less of an increase (1.7% to 3.4%) than their U.S. counterparts.⁸⁷Id. at 13. Further, of these firms, small and medium-sized firms in Europe were the most disadvantaged, while large European data-intensive companies were impacted relatively less.⁸⁸Id.

Professor Vincent Lefrere and his coauthors studied the impact of GDPR on news and media sites and their content.⁸⁹Vincent Lefrere, Logan Warberg, Cristobal Cheyre, Veronica Marotta & Alessandro Acquisti, Does Privacy Regulation Harm Content Providers? A Longitudinal Analysis of the Impact of the GDPR (Oct. 5, 2022) (unpublished manuscript) (on file with authors), https://perma.cc/FP2P-2DYM. Ultimately, they ascertained that websites adapted to initial changes and were ultimately not significantly impacted—contrary to predictions that “forebode dire consequences.”⁹⁰Id. at 1. In essence, websites that rely on EU visitors found “ways to avoid being negatively affected by the regulation.”⁹¹Id. Thus, there are no significant differences in content production and traffic measures between EU and U.S. websites.⁹²Id. at 6. Notably, while such findings may suggest that nothing changed due to the regulation, the question is what is happening under the surface. The authors speculated that websites with significant EU visitors may have “invoked ‘legitimate business interest’ to keep collecting” user data or adjusted their data-gathering strategies in other ways.⁹³Id. at 6, 52.

Professor Steven Maex sought to weigh the internal information quality (“IIQ”) gains from GDPR with the regulatory burdens.⁹⁴Steven A. Maex, Modern Privacy Regulation, Internal Information Quality, and Operating Efficiency: Evidence from the General Data Protection Regulation 2 (Aug. 2022) (Ph.D. Dissertation, Temple University) (on file with Temple University Libraries) (defining IIQ as “the accessibility, usefulness, reliability, accuracy, quantity, and signal-to-noise ratio of the data and knowledge collected, generated, and consumed within an organization” (quoting John Gallemore & Eva Labro, The Importance of the Internal Information Environment for Tax Avoidance, 60 J. Acct. & Econ. 149, 149 (2015))). In the end, Maex concluded that “GDPR-impacted firms experience significant declines in operating efficiency that overwhelm the benefits stemming from improvements in IIQ.”⁹⁵Id. at 6. The clear theme of Maex’s research is that there are inherent tradeoffs from the various effects of privacy regulation.

Professors Pengyuan Wang and Li Jiang, with Jian Yang, investigated the impact of GDPR from the perspective of advertisers and the effectiveness of ads.⁹⁶See Pengyuan Wang, Li Jiang & Jian Yang, The Early Impact of GDPR Compliance on Display Advertising: The Case of an Ad Publisher, 61 J. Mktg. Rsch. 70 (2023). They discerned that “GDPR compliance leads to modest decreases in ad performance, advertisers’ bid prices, and the publisher’s ad revenue.”⁹⁷Id. at 73. Specifically, revenue per click declined an estimated 5.7%.⁹⁸Id. The impact was felt more heavily for travel and financial services ads.⁹⁹Id. at 88. The authors also gathered that publishers could mitigate the loss in data to a degree through content targeting—particularly for certain types of content, such as sports.¹⁰⁰See id. at 73.

Professors Bocong Yuan and Jiannan Li focused on GDPR’s implementation by hospitals and healthcare institutions over personal health data protection.¹⁰¹Bocong Yuan & Jiannan Li, The Policy Effect of the General Data Protection Regulation (GDPR) on the Digital Public Health Sector in the European Union: An Empirical Investigation, 16 Int’l. J. Env’t. Rsch. & Pub. Health (2019). They estimated that hospitals experienced significant financial “distress” to comply with GDPR.¹⁰²See id. at 2 (“Thus, the possible financial distress resulting from costly adjustments can be considered as measurable evidence to verify the existence of the gap in personal health data protection and then reflect the effectiveness of the GDPR.”). While the authors asserted that these severe costs indicate that GDPR is “effective[ ],”¹⁰³Id. it is not clear that this is the only possible conclusion. Instead, their results simply show that GDPR compliance is costly. Without a measure of the benefits of the regulation, there is no ability to conclude whether the impact is effective or not.

C.      Privacy-Focused Impacts

Dr. Martin Degeling and his coauthors sought to determine whether GDPR impacted website privacy in terms of explicit privacy policies and cookie consent notices.¹⁰⁴Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub & Thorsten Holz, We Value Your Privacy . . . Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy, Network & Distrib. Sys. Symp. 1 (2019). Specifically, they estimated that 4.9% of websites that did not have privacy policies pre-GDPR added new privacy policies post-GDPR.¹⁰⁵Id. at 2. Further, of those websites with a privacy policy, 72.6% updated their privacy policies.¹⁰⁶Id. at 6. Perhaps not surprisingly, the authors also observed more websites displaying cookie consent notices.¹⁰⁷Id. at 2. Notably, the authors cautioned that these developments may not actually translate into real gains in consumer privacy.¹⁰⁸Id. at 14 (“While seemingly positive, the increase in transparency may lead to a false sense of privacy and security for users. Few websites offer their users actual choice regarding cookie-based tracking. Moreover, most of the analyzed cookie consent libraries do not meet GDPR requirements.”). They also cautioned that these notices place real burdens on consumers.¹⁰⁹Id. (“This puts an additional burden on users, who are presented with an increasing number of privacy notifications that may fulfill the law’s transparency requirements but are unlikely to actually help web users make more informed decisions regarding their privacy. In addition, regulators need to provide clear guidelines in what cookies a service can claim ‘legitimate interests’ and which should require actual consent.”).

Professors Gregor Dorfleitner, Lars Hornuf, and Julia Kreppmeier evaluated how GDPR impacted the privacy statements of 276 German FinTech companies.¹¹⁰Gregor Dorfleitner, Lars Hornuf & Julia Kreppmeier, Promise Not Fulfilled: FinTech, Data Privacy, and the GDPR, 33 Elec. Mkts. (2023). The authors found that the readability of privacy statements has declined post-GDPR due to longer statements and greater use of standardized language.¹¹¹Id. at 2. The authors conjectured that the “FinTechs appear to safeguard themselves with exact technical and legal termini and comprehensive statements instead of the user comprehension required by the GDPR.”¹¹²Id. at 18. Additionally, the authors questioned whether FinTech firms “have implemented the essential provisions of the GDPR and whether the regulation has achieved its goal. The answer is broadly no.”¹¹³Id.

Based on data from a large telecommunications provider, Professors Miguel Godinho de Matos and Idris Adjerid assessed the impact of GDPR’s requirement for more detailed opt-in prompts.¹¹⁴Miguel Godinho de Matos & Idris Adjerid, Consumer Consent and Firm Targeting After GDPR: The Case of a Large Telecom Provider, 68 Mgmt. Sci. 3330 (2022). Not surprisingly, the authors explained that, for those who opt in, this allowed the telecom provider “to improve its economic outcomes: the number of sales and ratio of sales to contacts increased for households in the treated group.”¹¹⁵Id. at 3332. It is worth noting that the telecom provider had sought consent pre-GDPR but in a less “granular” way. See id. at 3353. In other words, improved data collection results in more effective marketing to consumers. Additionally, while the data does not allow a full examination of whether GDPR is regressive on small firms, the authors cautiously supported the finding of others that GDPR likely disproportionally provides advantages to larger incumbents with stronger brand names and loyalty.¹¹⁶See id. at 3353 (“Although we don’t observe effects for different size firms, the results in our manuscript lend support to this conjecture. Specifically, we find that a dominant market player surprisingly increases data allowances in the wake of more stringent requirements for consent and quickly capitalizes on these allowances to improve economic outcomes. Notably, our results suggest that these effects are largest for consumers who have longer tenure with the firm and who consume more diverse services prior to treatment. It is not clear that smaller firms or new entrants with a limited scope of services would have the same outcomes.”).

Examining a narrow window of time before and after GDPR (that is, a month before and a month after), Drs. Timothy Libert, Lucas Graves, and Professor Rasmus Kleis Nielsen collected information on news site cookies and the changes before and after GDPR.¹¹⁷Timothy Libert, Lucas Graves & Rasmus Kleis Nielsen, Changes in Third-Party Content on European News Websites after GDPR, Reuters Inst. for the Study of Journalism (Aug. 2018), https://perma.cc/8E55-NBTT. They uncovered that “the overall number of third-party cookies on news sites is down 22%, including significant drops in advertising and marketing (14%) and social media (9%) cookies, and a seven percentage point drop in the number of news sites that host third-party social media content, such as sharing buttons from Facebook or Twitter.”¹¹⁸Id. at 1. These results, the authors observed, were solely due to website changes and not due to user opt-ins;¹¹⁹Id. thus, these measurements clearly indicated websites—at least initially—shifted their practices away from the use of third-party cookies.¹²⁰Id. (“These changes suggest that some news organisations are responding to GDPR either by obtaining consent for third-party tracking or by curbing the use of outside cookies in general.”).

Professors Klaus M. Miller and Bernd Skiera, with Karlo Lukic, sought to uncover whether GDPR led to less online tracking.¹²¹Karlo Lukic, Klaus M. Miller & Bernd Skiera, The Impact of the General Data Protection Regulation (GDPR) on Online Tracking (Mar. 21, 2023) (unpublished manuscript) (on file with authors), https://perma.cc/TY8Q-ZPVG. The authors confirmed that, relative to a control group of websites not subject to GDPR, the growth of online tracking (measured in terms of the number of trackers per website) was marginally less (approximately 10% less) than the growth of trackers in the control group.¹²²Id. at 4. Specifically, the control group went from an average of twelve trackers per website to twenty-one post-GDPR, while the treatment group went from an average of twelve trackers per website to nineteen post-GDPR.¹²³Id. Ultimately, the authors explained: “[T]he fact that the effect was minor may suggest that users frequently choose to provide such consent—e.g., because they wish to take advantage of a more personalized online experience.”¹²⁴Id. at 42. Finally, they asserted, “it is up to EU regulators to determine whether these reductions in tracking are sufficient to claim that the GDPR achieved its goals.”¹²⁵Id. at 5.

While not establishing causality, Dr. Nurul Momen, Professor Lothar Fritsch, and Majid Hatamian measured the change in the number of permissions used by Android apps post-GDPR and whether user reviews of apps changed.¹²⁶Nurul Momen, Majid Hatamian & Lothar Fritsch, Did App Privacy Improve After the GDPR?, 17 IEEE Sec. & Priv. 10 (2019), https://perma.cc/7VCV-BB5A. They found a significant reduction in the number of permissions and less user concern about apps in the Google Play forum.¹²⁷Id. at 18–19. Ultimately, they “conclude[d] that app privacy has moderately improved since the GDPR was implemented.”¹²⁸Id. at 19.

Dr. Iskander Sanchez-Rola and his coauthors analyzed the impact of GDPR on the use of cookies and user tracking on 2,000 popular websites around the world.¹²⁹Iskander Sanchez-Rola, Matteo Dell’Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier & Igor Santos, Can I Opt Out Yet? GDPR and the Global Illusion of Cookie Control, in Asia CCS ‘19: Proc. 2019 ACM Asia Conf. on Comput. & Commc’n Sec. 340 (2019), https://perma.cc/P6S8-UUV8. As an initial matter, they found that most websites engage in some tracking (with 92% engaging in tracking before providing any notice), and only 4% offer a clear opt-out option in their cookie notice.¹³⁰Id. at 341. The authors determined that post-GDPR, websites in the United States approached cookie regulation similar to EU websites.¹³¹Id. at 346. They observed, however, that the cookie settings dialogs for U.S. websites are more complex and, generally, are more difficult to opt out of.¹³²Id.

Professor Tobias Urban and his coauthors looked at third-party presence on websites post-GDPR as a measure of overall tracking.¹³³Tobias Urban, Dennis Tatang, Margin Degeling, Thorsten Holz & Nobert Pohlmann, Measuring the Impact of the GDPR on Data Sharing in Ad Networks, in Asia CCS ‘20: Proc. 15th ACM Asia Conf. on Comput. & Commc’n Sec. 222 (2020), https://perma.cc/7UZF-R3E2. They used cookie ID synching, which gauges user tracking, and found that it declined post-GDPR.¹³⁴Id. at 223 (“Based on twelve measurements over a period of ten months, starting before the GDPR’s enforcement date, we show that the amount of links between companies is reduced by over 40%.”). However, their overall conclusion was that the number of direct third-party connections with users on a website initially decreased but eventually reversed course and started increasing.¹³⁵Id. at 233. The authors also did not find a fundamental change in online practices regarding user data.¹³⁶Id. (“This hints that companies did not change their business practices but are more cautious when it comes to the processing of personal data.”). The authors also found that, somewhat perversely, “the effects on Internet users’ privacy might be negative as fewer companies continue to be present on more websites, increasing their possibilities to create profiles.”¹³⁷Id.

D.      Market-Wide Impacts

Professors Ginger Zhe Jin and Liad Wagman, with Jian Jia, tracked the impact of GDPR on technology-related startup activity.¹³⁸Jian Jia, Ginger Zhe Jin & Liad Wagman, The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment, 40 Mktg. Sci. 661 (2021). Relative to the rest of the world, including the United States, the EU experienced a decline in new ventures—particularly in data-related, business-to-consumer firms.¹³⁹Id. at 662. Overall, the authors estimated a 26.1% reduction in the number of EU venture deals each month when compared to the United States.¹⁴⁰Id. Further, it was not just technology and data-related ventures that experienced a relative decline, but also healthcare and finance ventures.¹⁴¹Id. at 663. Additionally, they found that “it is exactly those nascent ventures that are in the process of transitioning from angel to venture capital that may be most impacted by the GDPR.”¹⁴²Id. at 680. Given the authors’ results, even if the negative impact on startup activity mitigates over the years (and there is no reason to believe it will), the lost innovation, investment, and entry for an extended period of time will materially impact the projected growth rate of a key sector of an economy.

Professor Jens Foerderer and Tobias Kircher compared the outcomes of U.S.-based apps that are impacted by GDPR and U.S.-based apps that are not (i.e., the control group) to determine whether GDPR affects venture capital funding and app survival.¹⁴³Tobias Kircher & Jens Foerderer, Does EU-Consumer Privacy Harm Financing of US-App-Startups? Within-US Evidence of Cross-EU-Effects, Proc. 42nd Int’l Conf. on Info. Sys. (ICIS) (2020). They estimated that GDPR “reduced the financing of app startups” and “f[ound] an increase in the likelihood of startup closure for app startups.”¹⁴⁴Id. at 5.

Professor Christian Peukert and his coauthors focused on the post-GDPR change in interactions between websites and third-party domains and web technology providers, with the thought that less reliance on third parties and web tech providers was associated with greater user privacy.¹⁴⁵Christian Peukert, Stefan Bechtold, Michail Batikas & Tobias Kretschmer, Regulatory Spillovers and Data Governance: Evidence from the GDPR, 41 Mktg. Sci. 746 (2022). They found that the interactions substantially reduced post-GDPR.¹⁴⁶Id. at 746. The subsequent impact on the web services market, however, was somewhat asymmetric, where firms with smaller shares are relatively more harmed by the reduction in demand.¹⁴⁷Id. at 758. In other words, GDPR enforcement led to greater market concentration, which led the authors to conclude: “This indicates that privacy regulation may have unintended consequences for market structure and competition.”¹⁴⁸Id. at 747. Specifically, “consent-based privacy regulation can disproportionately benefit firms offering a larger scope of services and that privacy regulation can increase market concentration by restricting data flows across firms.”¹⁴⁹Id. at 764.

Professors Jannick Sørensen and Sokol Kosta noted that third-party involvement (measured via URLs) in websites declined post-GDPR;¹⁵⁰Jannick Sørensen & Sokol Kosta, Before and After GDPR: The Changes in Third Party Presence at Public and Private European Websites, in WWW ‘19: World Wide Web Conf. 1590, 1591 (2019), https://perma.cc/TYT9-93CS (“At a general level, we can conclude that the amount of TPs on web pages have slightly declined . . . .”). although, the authors were more cautious about assigning causality to the GDPR.¹⁵¹Id. (“We cannot support the general assumption that the GDPR has led to fewer TPs [third-parties], since we cannot find strong evidence for any correlation.”); see also id. at 1599 (“[A]ttributing the general decline we see to GDPR is problematic, as the implementation of GDPR coincides with another change in the ecosystem of third party services, namely the uptake of server-side header bidding for online advertisements”). Tracking 1,250 websites, the paper measured a slight decline in third-party URLs.¹⁵²Id. at 1593, 1597. Ultimately, the authors concluded: “Our longitudinal large-scale study of the third-party server interactions at websites has shown that no clear effect of GDPR can be seen.”¹⁵³Id. at 1599.

Professors Rajkumar Venkatesan, S. Arunachalam, and Kiran Pedada looked at the impact of GDPR from the perspective of acquisitions involving artificial intelligence (“AI”).¹⁵⁴Rajkumar Venkatesan, S. Arunachalam & Kiran Pedada, Short Run Effects of Generalized Data Protection Act on Returns from AI Acquisitions 2 (2022) (unpublished manuscript) (on file with authors), https://perma.cc/7LEG-4SSC. They found that GDPR, on average, reduced the return on assets (“ROA”) from AI acquisitions; however, for firms using AI for customer-focused experiences and cybersecurity, the ROA actually increased.¹⁵⁵Id. at 6. The gains were approximately 15% to 24% for this subset of AI acquisitions.¹⁵⁶Id. Consequently, like other studies, the results showed that the regulatory impact of GDPR is uneven and disproportionately felt by some and less by others.

Professor Ran Zhuo and her coauthors estimated GDPR’s impact on internet interconnection agreements and behavior globally between 2015 and 2019, and they found no impact.¹⁵⁷Ran Zhuo, Bradley Huffaker, KC Claffy & Shane Greenstein, The Impact of the General Data Protection Regulation on Internet Interconnection, 45 Telecomm. Pol’y 1 (2021). Interconnection agreements, according to the authors, can be considered “analogous to the postal network” where users and providers of content send digital data or “mail.”¹⁵⁸Id. at 2. GDPR impacted digital data collection, storage, sharing, and monetization.¹⁵⁹Id. There are possible explanations for this lack of impact—including the need to continue to grow the internet for sites such as streaming, which are not as impacted by GDPR.¹⁶⁰Id. at 22.

Policy Implications and Conclusions

The GDPR, DMA, and DSA regulations fall under the larger debate regarding the wisdom of regulating markets involving highly innovative products. While theory can lend insight,¹⁶¹See, e.g., Michael S. Gal & Oshrit Aviv, The Competitive Effects of the GDPR, 16 J. Competition L. & Econ. 349 (2020) (predicting that GDPR will limit competition in data markets and also create greater market concentration since it incentivizes firms to internalize their data collection). ultimately, only empirical evidence is sufficient to assess the final impact of regulations on market performance. This Article has focused on the evidence of GDPR, given that it has now been six years since the enforcement of the privacy regulation in 2018. While DMA and DSA are clearly different regulations and the effects may be quite different, economic literature consistently shows that unintended consequences accompany regulation.¹⁶²Even with antitrust remedies, which can be considered as a form of ex post regulation, there can be unintended consequences. See, e.g., Sruthi Thatchenkery & Riitta Katila, Innovation and Profitability Following Antitrust Intervention Against a Dominant Platform: The Wild, Wild West?, 44 Strategic Mgmt. J. 943 (2022) (finding that the Microsoft antitrust remedy from the early 2000s had mixed results with some gains to innovation from firms who relied on the Microsoft ecosystem at the cost to their profits). Even in the realm of privacy regulation, prior studies have shown adverse outcomes.¹⁶³See, e.g., Amalia R. Miller & Catherine Tucker, Privacy Protection and Technology Diffusion: The Case of Electronic Medical Records, 55 Mgmt. Sci. 1077 (2009); Idris Adjerid, Alessandro Acquisti, Rahul Telang, Rema Padman & Julia Adler-Milstei­n, The Impact of Privacy Regulation and Technology Incentives: The Case of Health Information Exchanges, 62 Mgmt. Sci. 1042 (2016); Amalia R. Miller & Catherine Tucker, Privacy Protection, Personalized Medicine, and Genetic Testing, 64 Mgmt. Sci. 4648 (2018); Amalia R. Miller & Catherine E. Tucker, Encryption and the Loss of Patient Data. 30 J. Pol’y Analysis & Mgmt. 534 (2011) (finding privacy regulation can cause even more data breaches).

The story of GDPR is a complex one. The regulation’s mandates on consumer opt-in and the use of third-party sites have impacted how firms operate. While GDPR’s impact on cookies is perhaps an overemphasized part of the story, the reviewed studies clearly indicate less reliance on cookies, evidence that users have opted out, and less tracking. Whether these compliance gains are short- or long-lived is a key question. Yet, there are also studies that indicate consumers must work harder to find what they want.¹⁶⁴See, e.g., Zhao et al., supra note 41. Additionally, there is evidence that websites have suffered adverse consequences in terms of traffic and revenue.¹⁶⁵See, e.g., Aridor et al., supra note 19; Goldberg et al., supra note 75; Wang et al., supra note 96. Nonetheless, part of the concern over the loss of user information has been mitigated by the increased information on users who opt in.¹⁶⁶See, e.g., Aridor et al., supra note 19. Another straightforward finding is that there are significant direct costs of compliance.¹⁶⁷See, e.g., Koski & Valmari, supra note 85; Yuan & Li, supra note 101.

Further, there are dynamic effects based on changes to startup activity, acquisitions, innovation, and overall revenues.¹⁶⁸See, e.g., Jia et al., supra note 138 ; Kircher & Foerderer, supra note 143. Some industries seem unaffected—such as the backend internet infrastructure¹⁶⁹See, e.g., Zhuo et al., supra note 157.—but it is unclear what this lack of change means regarding welfare.¹⁷⁰Id. There is evidence that advertisers, who are in a sense the other “users” of multisided platforms, appear to be harmed—although, again, the impact depends on the nature of the advertisement and whether contextual information can mitigate some of the effects.¹⁷¹See, e.g., Aridor et al., supra note 19; Johnson et al., supra note 80; Wang et al., supra note 96. Further, studies consistently find that the impact of GDPR on competition has been negative and regressive.¹⁷²See, e.g., Chen et al., supra note 50; Congiu et al., supra note 53; Johnson et al., supra note 80. The regulation has entrenched incumbents and made it more difficult for smaller firms and startups to enter.¹⁷³See, e.g., Aridor et al., supra note 19; Godinho de Matos & Adjerid, supra note 114; Jia et al., supra note 138; Kircher & Foerderer, supra note 143. How all these effects wash out is ultimately unknowable with precision. What appears to be clear is that user gains in privacy are coming at a substantial cost to compliance that disproportionately harms smaller firms. Further, the more important dynamic incentive effects on innovation and competition are factors that will have substantial long-term implications.¹⁷⁴See generally Philippe Aghion, Antonin Bergeaud & John Van Reenen, The Impact of Regulation on Innovation, 113 Am. Econ. Rev. 2894 (2023) (finding that industry regulations can have material impacts on the rate of innovation).