The digital economy has been defined in the economic literature as one with near-zero marginal cost, unmonetized services, and an escalating data flow. After a careful review of the most recent economic papers, we offer an alternative theory on the cost of privacy and data protection regulations. We have observed that the characteristics of the regulation lead not only to the amplification of costs that the literature has traditionally classified as variable costs, but also of costs that used to be fixed but have been outsourced in the digital economy, meaning that significant new variable costs might trigger diseconomies of scale. At the same time, privacy and data protection regulations have created incentives that are making the dominant firms insource, in what seems to be a return to increased sunk fixed costs for these firms. With all that in mind, we claim that the perception of deterrence and compliance costs has affected how firms might decide to incur higher risks to avoid costs. Although compliance costs are high, we claim that an efficient implementation of the regulation avoids much of these costs. Our claim is supported by evidence that a relevant share of the regulatory costs is now variable, leaving room for at least two efficient strategies that medium-sized firms might implement in order to avoid them. First, firms can lower the volumes of data that they use without significantly impairing the predictive functions of their algorithms. Second, firms can invest in security to a comparatively lower degree than dominant firms, considering their lower exposure to strong regulatory action.