**********
Bob Hahn's study on the costs of privacy laws (up to ~$30 billion, he says):
http://www.politechbot.com/p-01999.html
Critical responses to it:
http://www.politechbot.com/p-02005.html
**********
From: "Robert W. Hahn" <hahnr_at_erols.com>
To: <declan_at_well.com>
Subject: response
Date: Wed, 16 May 2001 19:35:38 -0400

Dear Mr. McCullagh,

Thank you very much for the opportunity to reply to the critics of my recent
study analyzing online privacy legislation. Attached below is my response.
Please let me know if you need any further information.

Dr. Robert Hahn
Director
AEI-Brookings Joint Center
www.aei.brookings.org

The Costs of Online Privacy Legislation Revisited
Robert W. Hahn

Over the past week, my recently released study on the potential costs of
online privacy legislation has attracted some criticism. I am delighted
that this issue is getting the attention it deserves. One of my primary
purposes in drafting the paper was to focus debate on the measurable costs
and benefits associated with proposed online privacy legislation. My paper
presents an initial step in that debate by estimating the costs to website
operators and consumers that could arise from the access provisions in
several of the bills currently being considered by Congress. If implemented
now, some of those bills could cost billions, or even tens of billions, of
dollars.

As I discuss in the paper, a meaningful debate must address both the costs
and the benefits of regulation, and should do so in a concrete way.
Quantification is a key aspect in this debate -- laws that cost far more than
they provide in benefits to consumers are generally counterproductive. A
few studies estimating the costs and benefits of various aspects of online
privacy have been published, but more research is needed to understand the
implications of proposed legislation.

Because of some confusion surrounding the assumptions and implications of
my paper, I would like to clarify a few points. First, I agree that a
baseline for comparison is necessary. In both the survey of information
technology (IT) consultants and in the text of my paper, I stated my
assumption that website operators were already posting notices of their
privacy policy and had an opt-out choice mechanism in place (see page 16 of
the study). The cost of complying with proposed access provisions is
therefore strictly incremental and does not include all of the various
costs associated with running a commercial website or complying with other
privacy provisions, such as notice and choice. Because I assumed that
complying with access was incremental, the IT consultants had to consider
the costs of integrating the new features with existing software systems.
Integration and testing costs are therefore a part of the cost estimates.

Second, I also agree that costs for software that would ensure compliance
with access provisions are likely to come down over time (assuming that
regulations do not change willy nilly). If the regulations require rapid
implementation, however, implementation costs could be high because most
solutions will need to be customized. While new websites might have the
option of purchasing an off-the-shelf solution that incorporates access
compliance with other business features, the many sites operating today
that do not currently have standard systems in place would need at least
some degree of custom design.

Third, I consider the point that not all operators would purchase a custom
software system, and try to account for some of the uncertainties. At the
upper end, I only assume that 10% of the active websites operating today
would need such a solution. The other 90% would either stop sharing
personal information with affiliates and third parties, close their site,
or would opt for a less expensive alternative. If costs decline
substantially over time as IT consultants learn by doing, that less
expensive alternative could include scrapping existing website software and
replacing it with a shrink-wrap version that contains elements that comply
with access provisions.

Fourth, it is misleading to associate the number of users registered at a
website with the number of employees running the website. My estimate of
the number of active commercial websites is based on a study by eMarketer
(a description of the study is available at
http://www.emarketer.com/ereports/ecommerce_b2b/welcome.html). In that
study, eMarketer estimates that small companies (those with fewer than 100
employees) run around 3.6 million of the 3.7 million active commercial
sites. This breakdown says nothing about how many customers are registered
at each site.

Finally, the size of a firm's registered customer base has little bearing
on its cost of implementing access requirements, but could affect the
number of firms that choose to do so. The bulk of the design and
programming costs would be incurred regardless of the number of users
registered at a site and can be considered fixed costs (see Appendix B of
the paper). A larger registered user base could require additional disk
storage space, but this represents one of the least expensive costs facing
website operators (and one that is not included in my basic estimates).
More importantly, the size of the registered customer base could affect a
website's decision to implement costly regulations. This is one factor
behind my decision to assume only 2% to 10% of commercial websites actually
implement access requirements. This area deserves further research.

I would not argue that my approach is the only one to take. Instead, I
emphasize the need to quantify the costs and benefits of proposed
legislation using the most reliable numbers that can be found. With
potentially billions of dollars at stake for consumers and businesses, a
careful weighing of the costs and benefits is the least researchers can do
to move the debate forward and provide meaningful advice to Congress.

Mr. Hahn is Director of the AEI-Brookings Joint Center for Regulatory
Studies. He recently authored a study on the costs of online privacy,
supported by the Association for Competitive Technology, which is available
at www.actonline.com.
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
Received on May 17 2001