Exercises: The Economics of Privacy
These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.
Difficulty Guide:
- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)
Part A: Conceptual Understanding ⭐
Test your grasp of core concepts from Chapter 11.
A.1. Section 11.1 describes privacy as a negative externality. Explain what this means using the economic concept of externalities. Who bears the cost of a privacy violation, and who captures the benefit of the data collection that made it possible?
A.2. Define the privacy paradox as described in Section 11.2. Provide two possible explanations for why people consistently state that they value privacy highly but behave as though they do not.
A.3. Section 11.3 presents data from the Ponemon Institute's annual cost of data breach studies. What is the difference between the direct costs and indirect costs of a breach? Which category is typically larger, and why?
A.4. Explain what a data broker is. Using examples from Section 11.4 (Acxiom, LexisNexis, Epsilon), describe the three main categories of data broker activity and how they differ from each other.
A.5. Section 11.5 discusses regulatory compliance costs. Explain why some economists argue that regulation like the GDPR has disproportionate effects on small companies compared to large ones. What is the counter-argument?
A.6. Ray Zhao argues in Section 11.6 that "privacy is a cost center, not a revenue center" for most companies. Explain what he means. Then explain why this framing, while common, may be incomplete.
A.7. Section 11.1.2 introduces the concept of information asymmetry in privacy markets. Why does information asymmetry make it difficult for individuals to make rational privacy decisions? How does this connect to the privacy paradox?
Part B: Applied Analysis ⭐⭐
Analyze scenarios, arguments, and real-world situations using concepts from Chapter 11.
B.1. Consider the following scenario:
A free mobile game collects precise GPS location data every 30 seconds while the app is open and shares it with data brokers. The game generates revenue through advertising and data sales. A user plays the game for an average of 20 minutes per day. The user values the game at roughly $0 — they would not pay for it but enjoy it as a free product.
Using the economic frameworks from this chapter, analyze: (a) What is the game's business model in terms of data economics? (b) Who captures value and who bears risk? (c) Why does the user accept this arrangement despite stating in surveys that they "care about privacy"? (d) What market failure does this scenario illustrate?
B.2. Section 11.3.2 discusses the distributional effects of data breaches — who ultimately pays. Analyze the Equifax breach from this perspective:
- Equifax paid approximately $1.4 billion in total costs (fines, settlements, technology improvements).
- 147 million individuals had their personal information exposed.
- Equifax's revenue in the year following the breach was approximately $3.4 billion.
- Individual consumers received at most $125 in settlement claims (most received less).
Calculate the per-person cost to Equifax and the per-person compensation received by affected individuals. What does this ratio tell us about who bears the true cost of data breaches?
B.3. A mid-size e-commerce company is deciding whether to invest $500,000 in improved data security measures. The company's risk assessment estimates a 15% annual probability of a significant data breach, which would cost an estimated $4 million in direct and indirect costs.
Calculate the expected annual cost of a breach without the investment and compare it to the investment cost. Based on pure economic calculation, should the company invest? Now consider: What costs are not captured in this calculation (e.g., costs borne by affected customers)? How does the externality problem distort the company's decision?
B.4. Eli attends a city council meeting where a technology vendor proposes installing a "smart kiosk" network in Detroit neighborhoods. The kiosks provide free Wi-Fi, maps, and transit information. The vendor will operate them at no cost to the city, funding the project through advertising and "anonymized data analytics" sold to urban planners and retailers.
Analyze this proposal using the economic frameworks from this chapter. Who is the customer? Who is the product? What are the hidden costs, and who bears them? How does this compare to the data broker model described in Section 11.4?
B.5. Section 11.2.3 discusses the "notice and choice" model and its economic inefficiency. A study by Aleecia McDonald and Lorrie Cranor estimated that reading every privacy policy an average American encounters would take approximately 244 hours per year. At the federal minimum wage of $7.25/hour, this represents $1,769 in opportunity cost per person.
Using this estimate, calculate the total national opportunity cost if all 260 million adult Americans read every privacy policy they encounter. Compare this to the total revenue of the U.S. digital advertising industry (approximately $225 billion annually). What does this comparison reveal about the economic rationality of the "informed consent" model?
B.6. Ray Zhao tells Mira: "Here's the uncomfortable truth about compliance costs. When the GDPR went into effect, NovaCorp spent $14 million on compliance — lawyers, engineers, new systems, training. That's money that didn't go to product development, hiring, or customer service. And our small fintech competitor? They spent $2 million, which was a much larger share of their revenue. Two of them went out of business, and we acquired their customer bases. So who did the GDPR really protect — consumers, or incumbent firms?"
Evaluate Ray's argument. Is his concern about regulatory capture and anti-competitive effects legitimate? What evidence from Section 11.5 supports or contradicts his position? How might regulations be designed to address this concern?
Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐
These exercises ask you to investigate real economic data and practices.
C.1. ⭐⭐ Breach Cost Calculator. Using the most recent IBM/Ponemon "Cost of a Data Breach" report (available online), find the following figures: (a) the global average cost of a data breach, (b) the average cost per compromised record, (c) the industry with the highest average breach cost, and (d) the top three cost-reducing factors. Write a one-paragraph analysis of what these numbers reveal about the economics of data security investment.
C.2. ⭐⭐ Data Broker Investigation. Visit the Vermont Secretary of State's data broker registry (the first mandatory data broker registration system in the United States, established 2018). Identify at least five registered data brokers. For each, note: (a) the company name, (b) the types of data they collect, (c) whether they offer opt-out mechanisms, and (d) any notable information about their data sources or customers. Write a one-page analysis of what the registry reveals about the data broker industry.
C.3. ⭐⭐⭐ The Price of "Free." Select a "free" app or service you use regularly. Research its revenue model and estimate the annual revenue it generates per user from data monetization (advertising, data sales, or data-driven product placement). Compare this to the price of a hypothetical paid, privacy-respecting alternative. Write a one-page analysis addressing: Is the "free" version actually cheaper for the user when privacy costs are included? What would a fair exchange look like?
C.4. ⭐⭐⭐ GDPR Compliance Cost Survey. Research at least three published estimates of GDPR compliance costs for organizations of different sizes (small business, mid-size company, large enterprise). Compile your findings in a table and write a comparative analysis. Do the costs support or contradict the argument that regulation disproportionately burdens smaller firms?
Part D: Synthesis & Critical Thinking ⭐⭐⭐
These questions require you to integrate multiple concepts from Chapter 11 and think beyond the material presented.
D.1. The chapter presents two competing economic perspectives on privacy regulation. The market-failure perspective argues that privacy violations are externalities that markets cannot self-correct, justifying regulation. The innovation perspective argues that data-driven services create enormous consumer surplus and that regulation risks destroying this value.
Write a 400-500 word essay that engages both perspectives honestly and proposes your own framework for determining when regulation is justified and when it is not. Your framework should include specific criteria (not vague principles like "balance") and be tested against at least two examples from the chapter.
D.2. Section 11.4.3 describes the "GDP of surveillance" — the total economic value of the personal data industry. Some economists have proposed treating personal data as labor (users produce data, companies profit from it) and argued that users should receive direct payment for their data. Critics respond that individual data is worth very little (estimates range from $0.0005 to $0.10 per data point) and that a data payment system would be administratively impractical.
Evaluate both sides. Is "data as labor" a useful framework? What would a practical data payment system look like, and would it actually improve privacy outcomes? Or would it simply commodify privacy, making data extraction more efficient rather than less?
D.3. Consider the following thought experiment from Dr. Adeyemi:
"Imagine two cities. In City A, there is no privacy regulation. Companies collect whatever data they want, and the market decides what happens. Data-driven services are cheap and abundant. Innovation flourishes. Data breaches happen frequently, and consumers bear the cost. In City B, privacy regulation is strict. Companies collect minimal data. Services cost more because they cannot be subsidized by data monetization. Innovation is slower. Data breaches are rare. Which city would you rather live in — and does your answer change depending on your income level?"
Analyze this thought experiment. Does the choice between City A and City B depend on socioeconomic status? On race? On immigration status? What does this reveal about the distributional effects of privacy regimes?
D.4. The chapter discusses how the economic structure of the data broker industry creates a market where the people whose data is traded have no visibility into, let alone voice in, the transactions that affect them. This is distinct from most markets, where at least one party to a transaction is aware of it.
Compare the data broker market to another market with similar structural features — for example, the market for carbon emissions credits, the secondary market for mortgage-backed securities (pre-2008), or the market for insurance policy data. What structural parallels exist? What lessons from those markets might apply to governing data brokerage?
Part E: Research & Extension ⭐⭐⭐⭐
These are open-ended projects for students seeking deeper engagement. Each requires independent research beyond the textbook.
E.1. The Aftermath of Equifax. Research the Equifax data breach of 2017 in depth. Write a 1,200-word report covering: (a) what data was compromised and how, (b) the full scope of costs — to Equifax, to consumers, and to the financial system, (c) the regulatory and legislative responses, (d) whether the settlement was adequate compensation for affected consumers, and (e) what the case reveals about the incentive structures that shape corporate data security investment. Use at least four sources beyond this textbook.
E.2. Privacy Regulation and Market Structure. Some researchers have argued that the GDPR increased market concentration in European digital markets by raising barriers to entry. Research this claim. Write a report (800-1,200 words) examining: (a) the evidence for and against the claim, (b) specific examples of small firms that exited the market or were acquired following GDPR implementation, (c) whether similar effects occurred in other regulated industries (e.g., financial services after Dodd-Frank), and (d) design principles for privacy regulation that could minimize anti-competitive effects.
E.3. The Economics of Data Portability. The GDPR's right to data portability (Article 20) allows users to transfer their data between services. In theory, this should increase competition and reduce lock-in. Research the actual use and effectiveness of data portability. Write a report (800-1,200 words) covering: (a) how major companies have implemented portability, (b) how often users actually exercise the right, (c) the technical and practical barriers to effective portability, and (d) whether portability has increased competition or remains largely theoretical.
Solutions
Selected solutions are available in appendices/answers-to-selected.md.