********** Bob Hahn's study on the costs of privacy laws (up to ~$30 billion, he says): http://www.politechbot.com/p-01999.html Critical responses to it: http://www.politechbot.com/p-02005.html ********** From: "Robert W. Hahn" <hahnrat_private> To: <declanat_private> Subject: response Date: Wed, 16 May 2001 19:35:38 -0400 Dear Mr. McCullagh, Thank you very much for the opportunity to reply to the critics of my recent study analyzing online privacy legislation. Attached below is my response. Please let me know if you need any further information. Dr. Robert Hahn Director AEI-Brookings Joint Center www.aei.brookings.org The Costs of Online Privacy Legislation Revisited Robert W. Hahn Over the past week, my recently released study on the potential costs of online privacy legislation has attracted some criticism. I am delighted that this issue is getting the attention it deserves. One of my primary purposes in drafting the paper was to focus debate on the measurable costs and benefits associated with proposed online privacy legislation. My paper presents an initial step in that debate by estimating the costs to website operators and consumers that could arise from the access provisions in several of the bills currently being considered by Congress. If implemented now, some of those bills could cost billions, or even tens of billions, of dollars. As I discuss in the paper, a meaningful debate must address both the costs and the benefits of regulation, and should do so in a concrete way. Quantification is a key aspect in this debatelaws that cost far more than they provide in benefits to consumers are generally counterproductive. A few studies estimating the costs and benefits of various aspects of online privacy have been published, but more research is needed to understand the implications of proposed legislation. Because of some confusion surrounding the assumptions and implications of my paper, I would like to clarify a few points. First, I agree that a baseline for comparison is necessary. In both the survey of information technology (IT) consultants and in the text of my paper, I stated my assumption that website operators were already posting notices of their privacy policy and had an opt-out choice mechanism in place (see page 16 of the study). The cost of complying with proposed access provisions is therefore strictly incremental and does not include all of the various costs associated with running a commercial website or complying with other privacy provisions, such as notice and choice. Because I assumed that complying with access was incremental, the IT consultants had to consider the costs of integrating the new features with existing software systems. Integration and testing costs are therefore a part of the cost estimates. Second, I also agree that costs for software that would ensure compliance with access provisions are likely to come down over time (assuming that regulations do not change willy nilly). If the regulations require rapid implementation, however, implementation costs could be high because most solutions will need to be customized. While new websites might have the option of purchasing an off-the-shelf solution that incorporates access compliance with other business features, the many sites operating today that do not currently have standard systems in place would need at least some degree of custom design. Third, I consider the point that not all operators would purchase a custom software system, and try to account for some of the uncertainties. At the upper end, I only assume that 10% of the active websites operating today would need such a solution. The other 90% would either stop sharing personal information with affiliates and third parties, close their site, or would opt for a less expensive alternative. If costs decline substantially over time as IT consultants learn by doing, that less expensive alternative could include scrapping existing website software and replacing it with a shrink-wrap version that contains elements that comply with access provisions. Fourth, it is misleading to associate the number of users registered at a website with the number of employees running the website. My estimate of the number of active commercial websites is based on a study by eMarketer (a description of the study is available at http://www.emarketer.com/ereports/ecommerce_b2b/welcome.html). In that study, eMarketer estimates that small companies (those with fewer than 100 employees) run around 3.6 million of the 3.7 million active commercial sites. This breakdown says nothing about how many customers are registered at each site. Finally, the size of a firm's registered customer base has little bearing on its cost of implementing access requirements, but could affect the number of firms that choose to do so. The bulk of the design and programming costs would be incurred regardless of the number of users registered at a site and can be considered fixed costs (see Appendix B of the paper). A larger registered user base could require additional disk storage space, but this represents one of the least expensive costs facing website operators (and one that is not included in my basic estimates). More importantly, the size of the registered customer base could affect a website's decision to implement costly regulations. This is one factor behind my decision to assume only 2% to 10% of commercial websites actually implement access requirements. This area deserves further research. I would not argue that my approach is the only one to take. Instead, I emphasize the need to quantify the costs and benefits of proposed legislation using the most reliable numbers that can be found. With potentially billions of dollars at stake for consumers and businesses, a careful weighing of the costs and benefits is the least researchers can do to move the debate forward and provide meaningful advice to Congress. Mr. Hahn is Director of the AEI-Brookings Joint Center for Regulatory Studies. He recently authored a study on the costs of online privacy, supported by the Association for Competitive Technology, which is available at www.actonline.com. ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if it remains intact. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 17:25:56 PDT