17 to 19 September 2018 - Bruce Lyons presented "The Investment Effects of the GDPR Opt-In Requirement when Consumers are Loss Averse" at the NIBS September workshop.

He continues on this theme, presenting "Data Protection Legislation and Investment Incentives when Consumers are Loss Averse" at a CeDEx Seminar (Nottingham) on 28 November 2018. 

Abstract: A common theme in the business models of leading digital firms is that they provide a subsidised service to attract consumers, then collect and commercialise personal data (e.g. by efficiently targeted advertising). The latter also incentivises firms to offer service enhancements to attract consumers and data security measures to make consumers more comfortable with sharing their data.  These require separate types of investment. Data protection legislation such as the European GDPR uses publicity, fines and a new consumer opt-in requirement as an additional incentive for firms to keep data secure. The opt-in requirement would have little effect on consumer behaviour, and so on firm incentives, if consumers were traditionally rational.  However, experimental evidence suggests a strong reference point effect for personal data, suggesting that opt-in legislation may have an effect through consumer loss aversion. We set out the conditions under which opt-in increases investment in both security and service quality and when security comes at the expense of service quality. We also study the welfare consequences of opt-in for loss-averse consumers. We compare the effects of fines and the opt-in requirement and find that efficient legislation should include an opt-in requirement.