For release May 9, 2001:
New Study Substantially Overstates Costs of Internet Privacy Protections
Professor Peter P. Swire
I am writing in response to a study by Robert W. Hahn, a Resident Scholar of the American Enterprise Institute, entitled "An Assessment of the Costs of Proposed Online Privacy Legislation." This study was reported on May 8 in the New York Times and elsewhere as estimating costs of $30 billion or more to comply with possible Internet privacy legislation. The study was sponsored by the Association for Competitive Technology. Unfortunately, based on the study's own assumptions, there are serious analytic flaws in the conclusions. The estimates are far too high, and should not be relied upon for decisionmaking by policymakers.
I have reached this conclusion based on my own extensive efforts to estimate the costs and benefits of privacy rules. In 1998, the Brookings Institution published a book by Robert Litan and myself entitled "None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive." As explained in Chapter 2 of the book, Dr. Litan and I concluded after substantial effort that we could not create a useful estimate of the likely costs of complying with the European Union Data Protection Directive.
In 1999, I entered the U.S. Office of Management and Budget as the Administration's Chief Counselor for Privacy. In that position, I participated in numerous issues that involved qualitative and quantitative assessments of the effects of privacy rules. Notably, I worked closely with the Department of Health and Human Services in developing the "regulatory impact assessment," or cost/benefit study, for the proposed medical privacy rule that was issued in October, 1999 and published in the Federal Register. After extensive public comments on the cost/benefit analysis and other issues, the final medical privacy rule was issued in December, 2000 and took effect last month. One omission of the Hahn study is that it makes no mention of that only published government analysis of which I am aware that makes quantitative estimates of the costs and benefits of privacy rules. For the health care industry, which is far larger than the current Internet industry, HHS estimated costs averaging $1.9 billion per year for a medical privacy rule that is more detailed than most observers expect for any possible Internet privacy legislation. Some industry estimates are higher than the HHS estimate, but the Hahn study would project out to costs per covered entity that are far higher than any estimate I have seen for medical privacy compliance.
My concerns with the Hahn study fall into two categories. First, the study does not adequately address the key issue for any cost estimate -- what is the baseline against which the cost comparison is made? In measuring the difference between a world with legislation and one without legislation, what behavior do we expect in the world without legislation? Without a clear picture of the world without legislation, we cannot assess the extra cost of the world with legislation.
Second, the assumptions in the study drive toward substantially overstated costs. The study assumes that small sites would spend as much as large sites to comply. It assumes too many sites. Each site would have to achieve unrealistically demanding standards. And each site is assumed to spend the large premium needed for a customized first-of-a-kind system, with no packaged software and no learning from experience.
A more complete analysis would address additional points. For instance, the Hahn study quantifies only the costs of privacy protection, with no estimate of the benefits. Yet it would be irrational to reach a conclusion on whether privacy should be protected without examining these benefits, as is done for example in the HHS regulatory impact analysis for the medical rule.
1. The importance of defining the baseline. The cost of privacy legislation is the difference between what industry would do in the absence of a law and what it would do if the law were enacted. As the Hahn study points out, Internet companies have made significant efforts in the privacy area. For instance, almost all significant Internet companies today have a stated privacy policy, and violations of the stated policy can lead to enforcement actions at the state and federal level. The cost of legislation is thus the extra, or incremental, cost of the new legislation.
There are many reasons that Internet companies address privacy in the absence of federal legislation. For instance, they do so to promote consumer confidence in Internet transactions, or to comply with legal standards for customers outside of the U.S. Importantly, companies take many measures that are simply good business practice. For instance, any responsible company has a firewall for its web site. If a law were passed requiring a firewall (and I am not advocating such a law in making this point), then the cost of the legislation might be almost zero -- most companies would already be taking that action.
The entire estimate of cost thus depends crucially on the baseline against which cost is measured. If companies are taking a level of appropriate action under self-regulation, as Hahn seems at some points to suggest, then a law setting that same standard would have low or no compliance costs. On the other hand, if companies are failing to follow basic good business practice, such as failing to have firewalls, then it is wrong to blame the law for the cost of the firewalls. The firewalls should be seen as part of the cost of doing business, and not some extraordinary burden imposed by legislation.
As discussed in my 1998 book, it is a difficult challenge to define a baseline clearly enough to permit quantitative estimates of the costs and benefits of privacy legislation. After much effort, my co-author and I decided we could not provide a quantitative estimate in that instance. In the medical privacy rule, there is extensive discussion of this issue of baselines, and the eventual quantitative estimates are made after explicit discussion of the issue.
Unfortunately, in the Hahn study, the baseline is not defined clearly enough, with the result I believe of overstating the likely costs of legislation. The study at some points seems to support the view that the Internet industry has already taken substantial and effective steps to provide privacy protection. Yet the expenses already incurred are never netted against the gross estimates of cost. It is as if one reports the cost of building a house without subtracting out the cost of a foundation and a couple of walls that are already in place.
2. The Study's assumptions lead to substantially overstated cost estimates. The principal assumptions that lead to an overstated cost estimate are the failure to distinguish between large and small sites, an excessive number of sites, the use of unrealistically demanding and expensive standards for each site, and the assumption that all compliance will be customized rather than having any reduction in cost after the first company has complied.
(a) Large and small sites are different. The study surveys consultants about how much it would cost for a large site to comply, for a site with at least 100,000 current customers and the capability to scale to millions of customers. The survey finds an average cost per site of $100,000 (more on that figure below). But that cost is based entirely on the estimated cost for building a complex large site. As the study itself discusses, it is unreasonable to expect that a small Internet site will spend $100,000 for privacy compliance. Furthermore, as Response 2 to the survey illustrates, the cost would be much lower for a small site even though the survey failed to ask for the difference in cost.
(b) Too many sites. The press release announcing the ACT/Hahn study says that "Analysis of Internet Privacy Regulation Says Costs Could Exceed $30 Billion." Press accounts have reported the study as showing "costs of over $30 billion." Yet the $30 billion estimate, called "conservative" in the study, cannot be defended on the basis of the study itself. That estimate assumes that 360,000 sites do the expensive $100,000 compliance solution. But the study itself also says that there is a grand total of only 94,000 "medium to large" commercial Internet sites. The extra 246,000 sites are "small" sites, and the estimate for a site serving millions of customers simply does not apply. Each of these "small" sites, however, was counted at the $100,000 per site compliance rate.
The study's lowest cost figure is $9 billion. That figure assumes that every single large and medium site spends the full $100,000 per site for compliance. (The study defines size based on the company size, with "large" having over 500 employees, "medium" 100 to 500 employees, and "small" fewer than 100 employees. Some "large" companies may not have consumer sites scalable to millions of customers, so they may not have "large" sites. Some "small" companies, but proportionately likely not many, may have large sites that are designed to serve millions of customers.) This $9 billion estimate thus assumes too many sites for at least two reasons. First, it assumes that medium-sized sites will have to pay the same as large sites. Second, it assumes that the medium and large sites do not already have significant self-regulatory programs in place to provide privacy protections. Yet many of these larger sites have already instituted significant privacy programs. The cost of compliance should thus be reduced to take account of the measures already in place, and this was not done in the study.
(c) Unrealistically strict criteria. The study asks consultants to estimate what it would cost to build a new system that complies with a set of criteria. Defining those criteria is crucial. If the criteria are easy, then costs will be low. For instance, it would cost little if the law says: "Mention the word privacy on your web page." If the criteria are strict, then costs will be high. For instance, it would cost a great deal if the law says: "Design a state-of-the-art system that handles personal information in complex new ways that have never been done before."
The problem is that the study assumes criteria that resemble the latter. Two examples from a longer list give the flavor. First, the study assumes that every time personally identifiable information (PII) is sent to any third party the web site must have a complete tracking of all of its PII about that customer. If the web site sends out PII about that customer to someone the next day, it must keep a complete file of the changed PII that exists on that second day. This sort of time-and-date stamping of every item of information about every customer is either rare or unknown in the industry. It is highly unlikely to become law. Yet that is the system that the study assumes every web site will have to build. A second example is that the study assumes that the customer access rules will be significantly stricter than I believe anyone has seriously proposed legislating. In defining the access requirements so strictly, for instance, the study assumes not only that individuals will get online access to a complete log of every time their PII has gone to a third party. Customers will also gain access to the complete content of what is transferred to the third party. Again, this sort of time-and-date stamping of the content that is transferred is either rare or unknown in the industry.
It is thus no surprise that the consultants estimated that it would be expensive for each web site to comply. The criteria included features that have not been implemented in the industry and not seriously contemplated in legislation. As the consultants imagined what it would cost to build these new types of systems for the first time, they correctly stated that it would be very expensive. But the $100,000 average estimated cost is a reflection of an unrealistically strict set of criteria, rather than of the likely cost of actual compliance with legislation.
(d) All compliance is customized and there is no learning from experience. The survey asked consultants to estimate how much it would cost to build this complex, strict system for the first time. Their estimate of $100,000 per site for building a new system was then used as the average cost of compliance per site. The over $30 billion estimated total cost assumed that 360,000 sites (large and small) would each build a new system from scratch for that $100,000 per site.
But that is not the way that software works today. According to the study's figures, most of those 360,000 sites are small or medium sites. These sites will not ask expensive consultants to write entirely new one-of-a-kind software. Instead, small, medium, and many larger sites will buy software packages. Implementation may include a moderate amount of tailoring for a particular company. But the cost of that tailoring is much less expensive, often by an order of magnitude, than writing software from scratch. The incremental cost of compliance will further be reduced because privacy compliance will likely be undertaken as part of a broader upgrading of a site, of the sort that is often done in the rapidly changing Internet environment, rather than as a stand-alone cost item.
Put another way, the first system of a new type costs far more to build than the 360,000th. Experience gained in early systems makes it far less expensive to build later systems. Even if Congress surprises everyone by requiring every one of the unrealistically strict criteria that the study assumed, later systems will cost much less than the $100,000 that the study uses. And, Congress will not impose those criteria, so the cost of actual legislation will be even less.
Conclusion.
I have written this detailed analysis of the study because of my belief that it will be irresistably tempting for critics of privacy legislation to quote the $30 billion, or even the $9 billion, estimate as though these are realistic figures. For the reasons stated here, those estimates are far too high given the study's own assumptions. It is unrealistic to treat small web sites as though they will pay the same compliance fees as large web sites. It is unrealistic to estimate 360,000 sites paying the large-site cost when the study states that there are only 94,000 medium and large sites combined. It is unrealistic to use criteria for system performance that do not reflect industry practice or realistic Congressional outcomes. And it is unrealistic to believe that the 360,000th site will cost the same as a pioneer site that builds features that have never before been implemented. The combined effect of these unrealistic features could easily be to reduce the cost of compliance by an order of magnitude or even more. The actual costs of compliance should likely further be reduced to account for the actions industry would take and has already taken in the absence of legislation. And any ultimate decision about the desirability of legislation should consider the benefits of privacy protection, which this study does not do in a systematic way.
With all that said, the study does make the correct point that badly drafted legislation, in privacy as in other areas, can impose substantial and undesirable costs. If Internet privacy legislation is enacted, then it should be based on careful attention to how principles such as notice, choice, access, security, and enforcement would work in practice. My own goal, as a private citizen and while in the Clinton Administration, is to promote sharing of information where that is beneficial and to keep information confidential in appropriate situations, such as where the information is especially sensitive or is gathered or used contrary to the wishes of the individual. In seeking to discern useful information flows from invasions of privacy, policymakers need to rely on more realistic estimates of the effects of legislation than I am afraid this study provides.
There have been other studies released in recent months, sponsored by other groups, that have estimated the costs and benefits of privacy legislation. These other studies also deserve
=======
Peter P. Swire is Professor of Law at the Ohio State University. In the 2001-2002 academic year, he will be a Visiting Professor of Law at George Washington University. From 1999 until early 2001, Professor Swire served as the first Chief Counselor for Privacy in the U.S. Office of Management and Budget. With Lawrence Lessig, he is Editor of the Cyberspace Law Abstracts of the Social Science Research Network. Many of his writings appear at www.osu.edu/units/law/swire.htm. E-mail at swire.1@osu.edu. Phone: (301) 213-9587. Privacy documents from the Clinton Administration are available at the Presidential Privacy Archives of the Technology Policy Group, at www.privacy2000.org.