A choice paralysis, where every option is a punchline!

And one choice is opt-in, the other is opt-out.

It is pretty interesting to understand how the American privacy setup functions very differently than how the European setup does. Focus is on the California Consumer Privacy Act, 2018 (CCPA), that attempts to define privacy rights very uniquely, uncannily even. For instance, please focus on the right to opt-out of the sale of personal information.

According to the State of California Department of Justice, the right to opt-out means:

You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information.

Source: California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General

Under CCPA, businesses are required to include a “clear and conspicuous” Do Not Sell My Personal Information link on their website. This link should be easily accessible and not buried in a privacy configuration option available only after creating an account.

Before you click the Do Not Sell My Personal Information link, the business is free to collect, use, and sell the personal information you provide as outlined in the business’s privacy policy. This is the default agreement under the opt-out approach, meaning the business can sell your information until you take action to override it.

An alternative approach is the opt-in mechanism. Under an opt-in version of CCPA, a business would not be able to sell your personal information until you had actively granted it permission. This approach requires affirmative consent from the user before any data sale.

While the difference between opt-in and opt-out approaches is straightforward, extensive research has been conducted to determine which is more effective. Reasonable people still debate this, and examples of US federal laws use both mechanisms.

Research on the impact of these approaches on businesses affected by privacy regulations like CCPA generally concludes that opt-out is more efficient and cost-effective. Opt-in makes it more difficult and expensive for businesses to collect the same volume of data as under an opt-out approach. Assuming businesses use the data to improve their products and services, the research claims that consumers benefit while still having some choice.

My supposition is based on this fantastic 2017 article by Alan Maquin. I have merely taken the liberty hereonwards to simplify their complex study: The Economics of “Opt-Out” Versus “Opt-In” Privacy Rules | ITIF .

In the United States, federal laws use different mechanisms to protect an individual’s privacy. Some of these laws, especially those that focus on highly sensitive data, such as the Children’s Online Privacy Protection Act (COPPA), require individuals to opt in before companies can collect, use, and share their personal information. Others, such as the Gramm-Leach-Bliley Act (GLBA), operate on an opt-out basis, where companies provide information about their data practices and allow individuals to opt out if they desire. Which is better: opt in or opt out? Many scholars have studied this question, and the overwhelming evidence shows that in most cases, opt-out rules for data collection and sharing are better for innovation and productivity while still protecting privacy.

Theoretical Foundations

Some scholars, such as Lacker, have argued that the decision whether to opt-out or opt-in can be best characterized by an economic theory developed by Nobel Prize-winning economist Ronald Coase. Coase’s theorem suggests that in a competitive market with well-defined property rights and no transaction costs, parties confronted with an externality will negotiate an efficient outcome. In the case of privacy, Coase’s theorem suggests that control over data will go to the party that values it the most, regardless of who initially has the “right” to the data (i.e., whether the individual must opt in or opt out).

This means that if the law requires individuals to opt in before a company can collect or use data, then a company may provide incentives to users to opt in to sharing their data. Conversely, if the law requires individuals to have the ability to opt out, then a company may provide incentives for users to not opt out of sharing their data. However, even these market-based solutions will often lead to sub-optimal societal welfare as individuals may under-share or companies may pay too much.

Information Asymmetry in Data Markets

Coase’s theorem works best if all parties have equal knowledge about the transaction to negotiate an efficient outcome. However, there is often information asymmetry between businesses and consumers. Some consumers may not understand a company’s privacy practices and may incorrectly believe a company’s privacy policy provides more protections than it does, or vice versa. Jensen et al. showed that users seldom consulted a website’s privacy policy and often had inaccurate perceptions about their own knowledge of how online technologies may affect their privacy. This information asymmetry might suggest that policymakers should favor opt-in requirements because it minimizes the chance that data will be used against the individual’s wishes. However, recent studies suggest that consumer behavior is not influenced by whether they read privacy notices. Ben-Shahar and Chilton found that consumers’ willingness to share highly sensitive information was the same, regardless of what the privacy policy said and whether the participants had read it.

Transaction Costs of Privacy Decisions

Coase’s theorem requires transaction costs to be near zero for parties to negotiate an efficient outcome. However, the transaction costs of privacy decisions can be significant, especially when consumers must opt in for companies to be able to use the data. Bloom et al. calculated that obtaining consent for each child born in Texas would cost roughly $1.4 million annually, while switching to an opt-out system would reduce this cost to $110,000. Similarly, Qwest found that obtaining affirmative consent for using customer information was too costly and inefficient. If companies are forced to live with opt-in rules, the higher costs involved would ultimately be passed along to consumers in the form of higher prices or fewer free services.

Public Goods and Positive Externalities

Many uses of data generate positive externalities, and these benefits grow as more parties share the data. For example, health researchers can use data to track diseases, research cures, and accelerate innovation in health care. However, many of these benefits are public goods, such as reduced traffic congestion or more efficient energy production, creating a free rider problem where individuals benefit from data sharing even if they opt out individually.

Negative Consequences of Opt-In Rules

If Coase’s economic theory does not adequately fit the opt-out versus opt-in discussion, then additional academic studies can help determine which option is better. Research suggests several negative consequences for implementing opt-in rules and regulations for data privacy.

First, opt-in rules restrict market innovation. Goldfarb and Tucker found that privacy regulations can negatively impact the efficacy of online advertising, limiting the primary funding mechanism for today’s Internet. After the EU’s opt-in policy went into effect, the effectiveness of online ads reduced by approximately 65 percent, leading to a significant drop in revenue for online display advertising.

Second, requiring users to opt in to data collection imposes other burdens on consumers, such as unwanted calls or emails. Staten and Cate illustrated that opt-in requirements force companies to solicit permission from everyone in a population, even though they only want data from a subset, leading to inefficiencies and increased costs.

Third, opt-in requirements frame consumer choices in ways that lead to less-than-optimal data sharing. Tversky and Kahneman found that how choices are framed influences decisions. Johnson, Bellman, and Lohse showed that twice as many people signed up to share their information when the default option used an opt-out framing compared to an opt-in framing.

Consumer Behavior and Privacy Preferences

While public opinion surveys find support for stronger privacy laws, in practice, this is often not the case. Preibusch et al. found that when offered a discount, participants chose to buy from a cheaper, privacy-invasive firm. Similarly, Happ et al. showed that over a third of respondents would give up their personal passwords for a bar of chocolate. Strahilevitz and Kugler found that despite unease with automated content analysis, 65 percent of participants were unwilling to pay for an alternative.

In conclusion

Opt-in regulations are suboptimal because only a small group of highly-motivated individuals are extremely concerned about their privacy. Kumaraguru and Cranor found that only a small fraction of individuals, referred to as “privacy fundamentalists,” are unwilling to share their information under almost any condition. Most users are willing to share their information in exchange for some value, making opt-out rules more efficient.