ABSTRACT
There is mounting evidence that the EU’s General Data Protection Regulation (GDPR) has influenced the information privacy policies and practices that firms adopt in relation to people outside of the EU, even when that is not required by the EU regulation. We use a hand-coded dataset of privacy policies from firms’ US and EU-facing websites to document and explain these kinds of international regulatory spillovers. Our findings are consistent with the hypothesis that spillovers are driven by the costs of complying with different standards in different parts of the same firm. In fact, 75% of the firms in our sample use the same privacy policy for their US and EU-facing websites. At the same time, our findings do not support the conclusion that firms comply with the GDPR in their US-facing privacy policies out of fear of being sanctioned if the policy is somehow applied to EU residents. Finally, we find that spillovers are more prevalent among firms with a physical presence in the EU. This suggests that international networks of compliance professionals may play a significant and understudied role in regulatory compliance, perhaps by providing channels for norms and resources to move across borders.
Marotta-Wurgler, Florencia and Davis, Kevin E, Filling the Void: How EU Privacy Law Spills Over to the US (February 20, 2024), New York University Law and Economics Research Paper No 24-15; Journal of Law and Empirical Analysis, Forthcoming.