Filling the Void: How E.U. Privacy Law Spills Over to the U.S.

Abstract

There is mounting evidence that the EU’s General Data Protection Regulation (GDPR) has influenced the information privacy policies and practices that firms adopt in relation to people outside of the E.U., even when that is not required by the E.U. regulation. We use a hand-coded dataset of privacy policies from firms’ U.S. and E.U.-facing websites to document and explain these kinds of international regulatory spillovers. Our findings are consistent with the hypothesis that spillovers are driven by the costs of complying with different standards in different parts of the same firm. In fact, 75% of the firms in our sample use the same privacy policy for their U.S. and E.U.-facing websites. At the same time, our findings do not support the conclusion that firms comply with the GDPR in their U.S.-facing privacy policies out of fear of being sanctioned if the policy is somehow applied to E.U. residents. Finally, we find that spillovers are more prevalent among firms with a physical presence in the E.U. This suggests that international networks of compliance professionals may play a significant and understudied role in regulatory compliance, perhaps by providing channels for norms and resources to move across borders.