It is common lore in data privacy law and other fields that stringent regulatory standards (such as the ones introduced in the EU’s GDPR) can spread to other jurisdictions as the result of the “California Effect.” One explanation for this effect is that it can be costly for corporations to treat consumers in different jurisdictions differently. The results of a new empirical paper investigating the reactions of US digital platforms to the GDPR raise doubts about the widespread existence of such “cost-based” California Effects.
Globalization is often criticized, among other things, for its purported tendency to lower consumer protection standards. But not everyone shares this view. One important counterargument is based on the concept of a “California Effect.” California Effects describe situations in which stringent regulatory standards adopted in one jurisdiction spread to other jurisdictions, increasing consumer protection everywhere.
The poster child for the California Effect is the adoption of restrictive automobile emission standards in California since the 1960s, which set in motion a process that led to the adoption of similar rules across the United States (this is also one of the key examples described by David Vogel in his 1997 book Trading Up, which coined the term “California Effect”). Similar effects are often described in relation to the regulatory activities of the European Union, most prominently by Anu Bradford in her work on the “Brussels Effect.” EU law is said to function as a global regulatory standard in various fields, including food safety, chemical safety, environmental law, online hate speech, and data privacy law.
What explains the existence of California Effects? The literature discusses various explanations, including the idea that multinational corporations active in high-standard jurisdictions successfully lobby other governments to adopt similar regulations. In recent years, another theory has gained traction: It is often costly for multinational enterprises to treat consumers in different jurisdictions differently. Consequently, they treat everyone according to the most stringent standard they encounter. Importantly, in the latter scenario, consumers benefit from high standards of protection irrespective of whether their home governments adopt consumer-friendly regulations or not.
The implications of this type of “cost-based” California Effect are momentous. Their existence would allow jurisdictions like California and the European Union to unilaterally “export” their visions of a consumer-friendly economy to other jurisdictions. Of course, this might be good news for ardent advocates of higher consumer protection standards. But multinational corporations would also have to apply seemingly consumer-friendly rules in jurisdictions where consumers prefer low standards of protection (for example, because lower standards would allow businesses to roll out new features more quickly, or because companies could sell their products at lower costs).
Furthermore, if California Effects of this type exist, they are likely not limited to well-intentioned regulations adopted by jurisdictions like the European Union. Instead, it seems reasonable to believe that they also occur in the context of repressive rules adopted by other jurisdictions. This is because cost-based California Effects are primarily a function of the costs businesses face in treating consumers in different jurisdictions differently. As a consequence, the same mechanism that might lead Google to offer better privacy protections to a consumer in the US might also make businesses censor free speech.
But do these cost-based California Effects really exist? And if they do, how widespread are they? A closer look at the existing literature reveals a striking dearth of empirical research in this area. Most observers base their findings on little more than anecdotes.
My recent article “The Missing ‘California Effect’ in Data Privacy Law” (forthcoming in the Yale Journal on Regulation) helps fill this gap by investigating California Effects in data privacy law, a field in which these effects have been said to be particularly important.
“GOOGLE’S AND FACEBOOK’S DECISIONS TO ROLL OUT NEW, SEEMINGLY GDPR-COMPLIANT PRIVACY POLICIES ON A GLOBAL LEVEL WERE OUTLIERS, NOT THE NORM.”
The most important piece of evidence supporting the existence of California Effects in data privacy law is perhaps the reaction of a handful of major online services like Google and Facebook to the European Union’s General Data Protection Regulation (GDPR). When the GDPR became the law of Euro-land in May 2018, both Google and Facebook announced that they would change their privacy practices to comply with the GDPR—not only in the European Union but also in the United States. This was despite the fact that the GDPR does not apply to transactions between US-based online services and their customers in the United States, and that compliance with the GDPR is usually considered burdensome and costly.
But are these decisions typical of how online services reacted to the GDPR? Or are they outliers, driven by factors specific to these services? Facebook, for example, announced its decision to revise its global privacy policy in 2018, in the midst of the public relations crisis it faced over the revelations surrounding Cambridge Analytica. Is it possible that this decision was more driven by a desire to assuage consumers and regulators than by concerns about the costs of maintaining different data practices for different consumers?
In my paper, I systematically study the reactions of US online service providers to the GDPR’s entry into force, relying on a dataset containing the privacy policies of around 700 online service providers gathered weekly over two years. This dataset allows me to understand which services changed the text of privacy policies around the time that the GDPR took effect. I also measure the extent of these changes and compare them to changes observed in privacy policies used in the EU. Furthermore, I use the dataset to determine whether US online service providers complied with the requirement in the GDPR to inform consumers about their privacy rights (for example, the famous “Right to be Forgotten”), and whether they promised to treat US consumers according to the same standards they offered to consumers in the European Union.
The most important findings are the following:
- While many US online services changed their privacy policies around the time of GDPR going into effect, these changes are markedly smaller than the changes observed for EU privacy policies over the same period.
- US online services with substantial exposure to EU consumers generally made some efforts to bring their privacy policies in line with the new requirements introduced in the GDPR. However, they also designed their policies in a way that ensured that some of the most consequential rights would not apply to consumers outside the European Union.
In sum, the paper reveals that the impact of EU law on the operations of US online services is substantially more limited than most observers assume. Most importantly, it shows that Google’s and Facebook’s decisions to roll out new, seemingly GDPR-compliant privacy policies on a global level were outliers, not the norm.
The results also suggest that it is generally not particularly costly for online services to treat consumers in different jurisdictions differently. In other words, these results are at odds with theories that describe cost-based California Effects as a major force in data privacy law. In particular, the fact that most services find it easy to differentiate between consumers in different jurisdictions calls into question whether costs of differentiation played a significant role in Google’s and Facebook’s announcements that they would treat everyone the same. After all, there seems to be little reason to believe that companies like Google and Facebook (whose resources and internet-savviness vastly outstrip those of other services) face technical hurdles that most other companies can easily overcome.
While the analysis shows that California Effects are less common in online transactions than is often assumed, it also provides some important leads on the conditions under which these effects can occur. Beyond particularly prominent services like Google and Facebook, two groups of online services seem particularly prone to rolling out GDPR-style privacy protections globally: dating services and “adult entertainment” sites. This finding could suggest that online services use GDPR-compliant privacy policies to signal superior privacy protection standards in industries in which consumers exhibit strong demand for privacy. More generally, stringent standards might spread from one jurisdiction to another not because companies have trouble offering multiple product specifications at the same time, but because consumers in these other jurisdictions want them.
Of course, the results in this paper do not (on their own) imply that California Effects or Brussels Effects are similarly scarce in other legal areas. Nor do they show that it is never costly for businesses to offer different products to different consumers (one potential explanation for the findings in this study is that digital products are relatively easily customizable, while the same might not be true for physical products like cars).
But on a different, more general note, this study exemplifies how anecdotal evidence (particularly when based on a handful of companies that occupy singular positions in their industries) can convey a misleading picture of what is happening on the ground. Accordingly, the paper also serves as a rallying cry for more empirical studies to validate theories based on anecdotes and theoretical considerations.
Learn more about our disclosure policy here.
