FC: AEI's Bob Hahn replies to critics on cost of privacy study

From: Declan McCullagh (declanat_private)
Date: Wed May 16 2001 - 16:53:29 PDT

  • Next message: Declan McCullagh: "FC: Does .biz "lottery" violate the law? FTC stays mum..."

    **********
    Bob Hahn's study on the costs of privacy laws (up to ~$30 billion, he says):
    http://www.politechbot.com/p-01999.html
    Critical responses to it:
    http://www.politechbot.com/p-02005.html
    **********
    
    From: "Robert W. Hahn" <hahnrat_private>
    To: <declanat_private>
    Subject: response
    Date: Wed, 16 May 2001 19:35:38 -0400
    
    Dear Mr. McCullagh,
    
    Thank you very much for the opportunity to reply to the critics of my recent
    study analyzing online privacy legislation. Attached below is my response.
    Please let me know if you need any further information.
    
    Dr. Robert Hahn
    
    Director
    AEI-Brookings Joint Center
    www.aei.brookings.org
    
    
    The Costs of Online Privacy Legislation Revisited
    
    Robert W. Hahn
    
    Over the past week, my recently released study on the potential costs of 
    online privacy legislation has attracted some criticism. I am delighted 
    that this issue is getting the attention it deserves. One of my primary 
    purposes in drafting the paper was to focus debate on the measurable costs 
    and benefits associated with proposed online privacy legislation. My paper 
    presents an initial step in that debate by estimating the costs to website 
    operators and consumers that could arise from the access provisions in 
    several of the bills currently being considered by Congress. If implemented 
    now, some of those bills could cost billions, or even tens of billions, of 
    dollars.
    As I discuss in the paper, a meaningful debate must address both the costs 
    and the benefits of regulation, and should do so in a concrete way. 
    Quantification is a key aspect in this debatelaws that cost far more than 
    they provide in benefits to consumers are generally counterproductive. A 
    few studies estimating the costs and benefits of various aspects of online 
    privacy have been published, but more research is needed to understand the 
    implications of proposed legislation.
    Because of some confusion surrounding the assumptions and implications of 
    my paper, I would like to clarify a few points. First, I agree that a 
    baseline for comparison is necessary. In both the survey of information 
    technology (IT) consultants and in the text of my paper, I stated my 
    assumption that website operators were already posting notices of their 
    privacy policy and had an opt-out choice mechanism in place (see page 16 of 
    the study). The cost of complying with proposed access provisions is 
    therefore strictly incremental and does not include all of the various 
    costs associated with running a commercial website or complying with other 
    privacy provisions, such as notice and choice. Because I assumed that 
    complying with access was incremental, the IT consultants had to consider 
    the costs of integrating the new features with existing software systems. 
    Integration and testing costs are therefore a part of the cost estimates.
    Second, I also agree that costs for software that would ensure compliance 
    with access provisions are likely to come down over time (assuming that 
    regulations do not change willy nilly). If the regulations require rapid 
    implementation, however, implementation costs could be high because most 
    solutions will need to be customized. While new websites might have the 
    option of purchasing an off-the-shelf solution that incorporates access 
    compliance with other business features, the many sites operating today 
    that do not currently have standard systems in place would need at least 
    some degree of custom design.
    Third, I consider the point that not all operators would purchase a custom 
    software system, and try to account for some of the uncertainties. At the 
    upper end, I only assume that 10% of the active websites operating today 
    would need such a solution. The other 90% would either stop sharing 
    personal information with affiliates and third parties, close their site, 
    or would opt for a less expensive alternative. If costs decline 
    substantially over time as IT consultants learn by doing, that less 
    expensive alternative could include scrapping existing website software and 
    replacing it with a shrink-wrap version that contains elements that comply 
    with access provisions.
    Fourth, it is misleading to associate the number of users registered at a 
    website with the number of employees running the website. My estimate of 
    the number of active commercial websites is based on a study by eMarketer 
    (a description of the study is available at 
    http://www.emarketer.com/ereports/ecommerce_b2b/welcome.html). In that 
    study, eMarketer estimates that small companies (those with fewer than 100 
    employees) run around 3.6 million of the 3.7 million active commercial 
    sites. This breakdown says nothing about how many customers are registered 
    at each site.
    Finally, the size of a firm's registered customer base has little bearing 
    on its cost of implementing access requirements, but could affect the 
    number of firms that choose to do so. The bulk of the design and 
    programming costs would be incurred regardless of the number of users 
    registered at a site and can be considered fixed costs (see Appendix B of 
    the paper). A larger registered user base could require additional disk 
    storage space, but this represents one of the least expensive costs facing 
    website operators (and one that is not included in my basic estimates). 
    More importantly, the size of the registered customer base could affect a 
    website's decision to implement costly regulations. This is one factor 
    behind my decision to assume only 2% to 10% of commercial websites actually 
    implement access requirements. This area deserves further research.
    I would not argue that my approach is the only one to take. Instead, I 
    emphasize the need to quantify the costs and benefits of proposed 
    legislation using the most reliable numbers that can be found. With 
    potentially billions of dollars at stake for consumers and businesses, a 
    careful weighing of the costs and benefits is the least researchers can do 
    to move the debate forward and provide meaningful advice to Congress.
    
    Mr. Hahn is Director of the AEI-Brookings Joint Center for Regulatory 
    Studies.  He recently authored a study on the costs of online privacy, 
    supported by the Association for Competitive Technology, which is available 
    at www.actonline.com.
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if it remains intact.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 17:25:56 PDT