Data privacy continues to be an important issue. In the U.S., Congress is considering the proposed American Privacy Rights Act, and many states have enacted their own data privacy laws. India’s DPDP recently joined what are perhaps the two best-known privacy laws, Europe’s GDPR and California’s CCPA.
One rationale for privacy laws is to protect people from harms like identity theft and fraud, although addressing cybersecurity rather than privacy might be a more effective way of handling some of these issues. Another rationale is the more amorphous feelings that people have of data collection being “creepy” or intrusive even if it leads to no measurable harm.[3] People’s perceptions, however, have real value (negative or positive) even if those perceptions lead to no market-based costs or benefits. If people care enough one way or the other, then it makes sense for policymakers to take those preferences into account.
Privacy preferences can be complex since they may vary across individuals, data types, and the platform collecting the data. For example, people may care more about keeping certain aspects of their health data private than they do about keeping their music preferences private. If citizens value privacy of one data type more than another, we may expect that to influence the relative protections the law provides for those two data types.[4] Additionally, different cultural norms across geographies might also affect how residents feel about data privacy, meaning that any given set of rules could pass a cost-benefit test in one region but not another.
Through two separate projects, one published and one under review, we have assembled one of the most internationally expansive collections of privacy preference estimates to date, covering twelve countries that represent approximately one third of the global population. The first, which we administered in 2019, examined relative data privacy preferences across six countries, with a heavy focus on Latin America (United States, Germany, Brazil, Colombia, Mexico, and Argentina). The second, in 2022, focused on preferences for data localization across a wider range of countries, both geographically and culturally (United States, United Kingdom, Italy, France, South Korea, Japan, and India). The second project also served to validate and expand the findings of the first.
Together, the projects show:
- Relative preferences for data privacy are highly correlated across countries
- People consistently value privacy of financial and personal contact (address, phone number) data relative to other commonly collected data, including even health data
- Northern European countries (France, UK, Germany) appear to have, relatively, the highest value for data privacy[5]
Research Method
In the two projects, we designed, collected and analyzed data from nine separate surveys that employ repeated discrete choice experiments (DCEs). The first set of surveys pertained to respondents’ wireless carrier, Facebook use, checking account at a bank, and smartphone. The second set of surveys pertained to respondents’ financial institution, healthcare app, home smart device, smartphone, and social media. The surveys cover a wide range of data types, with some overlap across platforms and years. Data categories include: financial, health, biometric, social, location, and tastes (e.g., music preferences).
The choices respondents make in DCEs mimic typical choices in the marketplace (comparisons of features and payments) and have been shown to be capable of eliciting respondents’ tradeoffs. Importantly, unlike more common surveys that people are familiar with, they never directly ask about the issue in question, making it more difficult for respondents to “game” the survey or provide answers that do not match their actual preferences.
In our DCEs, each survey asks respondents to make choices among data sharing options that vary according to which data are shared and monthly payments that the respondents would receive. The first project allows for either full or no sharing for each data type; the second allows for more nuance, where data again can be fully shared or not shared at all, but also could be shared with certain international restrictions. To make the two sets of results comparable, in this piece we focus only on the comparison both projects have in common: full sharing versus no sharing.
To illustrate the choices respondents made, consider the following simple example. Here, a respondent is asked to choose which of two bank account options she would choose if presented with the two below while everything else about the accounts remains the same.
Neither option is inherently better than the other. A consumer would choose Option A only if being paid $2.00 per month is enough to be willing to allow the bank to share the data. Some people will choose A, and some will choose B; the choice depends on how much they value keeping their bank balance private. By observing many choices with many combinations of data sharing and payment features, the researcher can pin down privacy preferences.
We administered hundreds of thousands of such (optimally constructed) choices to many thousands of respondents across twelve different countries spanning the globe. The choices made by our respondents allow us to determine what are the data types they want kept private the most, and are particularly well suited for illustrating relative preferences.
Results and Implications
The charts below show the average willingness-to-accept (adjusted for purchasing power of each currency in U.S. dollars) for each data type across both projects and all nine surveys. The color scheme indicates the relative strength of privacy preferences for each data type (darker blue meaning respondents must be paid more to share data; darker green meaning respondents willing to pay more for their data to be shared). For each project, we first show the point estimates entirely, and then just the subset that are statistically significant.
Project #1 Results
Project #2 Results
We highlight three takeaways from these charts.[6]
First, just “eyeballing” the surveys, we see a strong consistency in the relative valuations of data privacy across all of the countries, with few exceptions. We go further to try and formalize this finding by measuring the correlation matrices for the relevant countries for each survey. Positive values in these matrices indicate positively correlated valuations for data privacy between pairs of countries. We find the vast majority (about 97%) of these entries (correlation measures) are positive and typically near one (i.e., perfectly correlated), thus confirming the “eyeball” finding that relative data privacy preferences are highly consistent across countries.
We further perform a test more specifically designed to determine how similar rank-orders are across groups. Specifically, we calculate Kendall’s W, where a 0 indicates no relationship and 1 indicates the rankings are identical. The table below shows the results, confirming their similarity.
Our analyses lead to our three main findings. First, people around the world have similar relative values for the privacy of one type of data compared to another even if the magnitudes—how much they care about them—differ substantially.
Second, people consistently value financial and personal contact data highly relative to other data. Biometric data – and in particular fingerprint data – is also highly valued for a subset of the countries. Additionally, contrary to conventional wisdom, people do not seem to value the privacy of their health data more than any other type of data. Japan may be an exception based on the coefficient estimates, but as the figures show, zero is also within the 95% confidence interval.
Third, northern European countries (France, UK, Germany) appear to have, relatively, the highest value for data privacy, a preference not shared by the southern European country (Italy) in our sample. These results suggest that the European-wide extent of GDPR may be an overreach, at least when it comes to accommodating citizen preferences. The disparity between the UK, Germany, and France vs. Italy also points against any reverse causality regarding GDPR; that is, one may hypothesize that the proposal and passing of GDPR, per se, elevated privacy preferences for Europeans. The lack of such a finding for Italy suggests this is unlikely; rather, GDPR was more plausibly (at least partially) driven by the strong privacy preferences of a subset of European countries (including the three northern ones we study).
Conclusion
Our research provides insights into global data privacy preferences, drawing from surveys across twelve countries representing approximately one-third of the world’s population. The findings reveal several key points:
- Relative privacy preferences are consistent across diverse countries, pointing towards a universal hierarchy in how people value different types of personal data.
- People consistently value financial and personal contact information more highly than other data types, including health data. This challenges some common assumptions about privacy priorities.
- Northern European countries demonstrate relatively higher overall valuations for data privacy than other regions studied.
These findings have intriguing implications for privacy laws and corporate data practices:
- The consistency in relative preferences across countries suggests harmonizing global approaches to data protection could be efficient, at least in terms of prioritizing which data types receive the strongest protections.
- The variation in how much people value different types of privacy suggests that efficient levels of protection might differ around the globe.
By providing a comprehensive, cross-cultural view of data privacy preferences, this study contributes to the ongoing global dialogue on how best to protect individual privacy while fostering innovation and economic growth in the digital age.
[1] Professor and Chair of Business Economics and Public Policy at the Kelley School of Business, Indiana University.
[2] President and Senior Fellow, Technology Policy Institute
[3] E.g., https://yjolt.org/theory-creepy-technology-privacy-and-shifting-social-norms
[4] An example of the private sector taking these preferences into account is Apple, which seems to believe that people are more likely to share data with them if they credibly promise to protect that data.
[5] We believe these to be the most general takeaways from our analyses. We also will soon release a much more expansive exposition and discussion of our findings, including those that are more idiosyncratic.
[6] Note that the statistically insignificant results are driven by noisy estimates for utility of payment (not disutility of sharing data), likely due to a combination of statistical chance and relatively low stakes payments (meaning the differences across choices were pretty small, possibly leading some to pay little attention to the payments and more to which data are being shared). The negative WTA’s for the home smart device and smartphone for Japan may also be driven by these factors. Nonetheless, they do not prevent us from measuring relative preferences for data privacy, which we analyze more formally below.
