Digital technologies: tensions in privacy and data

Digital technologies offer data monetization and sharing benefits to firms but have concomitant costs for consumers, especially with respect to privacy. Westin (1967) defines privacy as a person’s right “to decide what information about himself should be communicated to others and under what condition” (p. 10), whereas Altman (1975) regards it as “the selective control of access to the self” through social interactions and personal space (p. 24). Adopting these definitional premises of autonomy, access, and control, we conceive of three types of consumer privacy: information, communication, and individual (see also Hung & Wong, 2009). The simultaneous consideration of all three types offers an expansion of extant marketing studies of privacy that tend to focus solely on information privacy (Bornschein et al., 2020). In detail, information privacy refers to a consumer’s right to control the access to, use, and dissemination of her or his personal data (Westin, 1967). Thus people may decide for themselves when, how, and to what extent their information will be known by others. Communication privacy protects personal messages or interactions from eavesdropping, scanning, or interception. People generally prefer to keep their interpersonal communications confidential and safe from third-party surveillance, which would not be possible if conversations with friends were recorded by social media and messaging apps or their in-person discussions were captured by smart devices equipped with integrated microphones. Finally, individual privacy is being left alone without disruption (Westin, 1967). Threats to individual privacy involve personal space intrusions, emotional manipulation, and physical interference, including spam emails and retargeting practices. Such violations are on the rise, due to the presence of IoT and smart home devices installed in consumers’ personal, physical spaces. In turn, firms’ data strategies, enabled by digital technologies, have implications for each type of consumer privacy.

Extensive research details consumers’ privacy concerns (e.g., Okazaki et al., 2020), as well as some of the consequences for firm performance or regulatory interventions. However, we still lack a systematic understanding of how privacy issues arise from firms’ data strategies and their uses of various digital technologies to support such strategies. To articulate the critical tensions between firms’ technology uses for data sharing and data monetization purposes, and consumers’ privacy risks, we combine the three forms of privacy with the data sharing and data monetization strategies related to four digital technology classifications: (1) data capturing; (2) data aggregation, processing, and storage; (3) data modeling and programming; and (4) data visualization and interaction design (Table 1). It would be impossible to discuss all technologies; rather, we attend specifically to six broad groups of emerging technologies: SMAC (social media, mobile, analytics, cloud), digital surveillance, robotics, AI, IoT, and mixed (virtual, augmented) realities (VR, AR). Each of these is characterized by consumer-marketer interactions and is central to firms’ data monetization and sharing strategies (Poels, 2019). Digital technologies such as blockchain, digital fabrication (e.g., 3D printing), 5G, and quantum computing are beyond the scope of this study, because they mainly support operations and digital infrastructure functions.

Data capture technologies, including various sources and methods of data extraction, fuel data sharing and data monetization practices. In this respect, instead of technologies that collect transactional data such as point-of-sale systems, we focus on social media, geospatial, biometrics, and web tracking technologies. To facilitate data sharing, the data gathered via these technologies can be shared readily with business partners and networks, such as between manufacturers and suppliers or across subsidiaries (e.g., WhatsApp shares phone numbers, device specifications, and usage data with other Facebook [recently rebranded to Meta] companies). The data collected from social media, geospatial, biometrics, and web tracking technologies can also be monetized in various ways. With user-generated social media content, location insights from geospatial technologies, biometric data, and web tracking technologies such as cookies, firms can improve marketing and business performance by developing market segmentation and (re)targeting strategies, by crafting personalized content, products, and experiences, and by building and strengthening customer relationships (de Oliveira Santini et al., 2020). They also can conduct data wrapping, for example, through customization and optimization practices such as facial recognition and medical alerts (e.g., Apple watch). Firms also can apply extended data wrapping or sell data to other entities. Facebook, as noted, sells in-depth insights and analytics based on its users’ personal data (Appel et al., 2020), and Twitter sells third-party subscriptions to its API that allow other firms to explore users’ behaviors.

These practices threaten information privacy because consumers lose control over who has access to their personal information and communicative exchanges (e.g., tweet, review on a public Facebook page). Geospatial data enable firms to identify customers’ positions; by monitoring consumers’ digital footprints, companies also can follow them across different platforms, raising concerns about individual privacy. Soft biometric data, about moods or emotions, raise security and ethical concerns, because they reflect personal feelings that can be manipulated for commercial purposes, which would represent individual privacy violations. Each user’s information might also include details about other users, due to the networked nature of social media. If a user tags a friend on a public Facebook post, their conversations get exposed, which violates both friends’ communication privacy if firms review and exploit these exchanges.

Firms often combine data sets from multiple novel sources, which allows them to effectively share and monetize such data. Key technologies in data aggregation, processing, and storing technologies are IoT, big data, and cloud computing, with capacities to process and manage massive amounts of information (Kobusińska et al., 2018). The convergence of IoT, big data, and cloud computing is central to data sharing as it enables firms to share applications and analytics with multiple parties in real-time and at reduced technology costs. Data can be shared via IOT-enabled devices in machine-to-machine communications. Insights and analytics based on big data can be exchanged with partners, whereas cloud technologies offer a cost-effective information storage cyber-infrastructure that is broadly available across time and space and accessible by multiple users simultaneously (Alsmadi & Prybutok, 2018). Data aggregation, processing, and storing technologies empower data monetization practices by establishing novel insights about customers from IoT-enabled devices and big data, facilitated by cloud technologies, which can inform consumer profiling, behavior prediction, and targeting efforts. In turn, these efforts can optimize marketing and business performance, supply chain management, and (extended) data wrapping (i.e., development of analytical functions). Accordingly, these technologies have been widely adopted by many businesses, such as Netflix (Izrailevsky et al., 2016) and Woolworths (Crozier, 2019), to improve their performance and profitability.

Both data sharing and monetization practices in this domain can result in significant privacy tensions. Data collected from IoT devices such as CCTV cameras that track people using facial recognition technology and wearable devices that gather real-time information about users’ medical conditions or physical activity are very sensitive and highly personal. A comprehensive personal picture created through data aggregation and algorithmic profiling using big data analytics increases information privacy concerns, because it can reveal identifiable attributes such as sexual orientation, religious and political views, and personality (Kshetri, 2014). Moreover, when their behavior can be predicted more accurately, consumers become more susceptible to marketing efforts. For example, gambling companies might pinpoint addicts and entice them with free bets (Cox, 2017). Less purposefully, cloud services rely on virtual storage, but such remote processing can compromize system security (Alsmadi & Prybutok, 2018), especially at the transition moment, when firms shift internal applications and data to the cloud, which risks information exposure to fourth parties, including unethical actors that seek to steal consumers’ personal data (Yun et al., 2019). The sheer volume of information, historical and real-time, that links connected consumers, especially those proximal to one another through IoT devices, heightens security risks involving stolen identities, personal violations, and intellectual property losses (Kshetri, 2014). These practices together threaten communication privacy and individual privacy because they are intrusive, invisible, and extraordinarily difficult to control.

Automation enabled by data modeling and programming technologies plays a key role in data sharing and data monetization. Considering our focus on privacy tensions, we discuss AI/machine learning and service robots as relevant amalgamations of engineering and computer science that produce intelligent automation, capable of learning and adaptation (Xiao & Kumar, 2019). These technologies facilitate data sharing as AI generally enables automated sharing of real-time data, and embodied AIs such as robots can exchange information in physical interactions. Moreover, AI-based systems enable data monetization by improving marketing and operational performance (e.g., personalized recommendations, smart content, programmatic media buys, chatbots, and predictive modeling) (Davenport et al., 2020). Modern robots, such as humanoid, programmable Pepper (Musa, 2020), can understand verbal instructions, interpret human emotions, and exhibit social intelligence to improve customer experiences and optimize performance. AI and service robots also enable data wrapping/extended wrapping by automating tasks and services; in addition, their data analytics–based features can adapt automatically to the real-time, physical environment.

However, optimizing machine learning requires enormous amounts of data, collected from consumer interactions, often without their knowledge. In general, AI might extract sensitive information such as people’s political opinions, sexual orientation, and medical conditions from less sensitive information (Davenport et al., 2020), then manipulate users through predictive analytics or create deception such as deep fakes (Kietzmann et al., 2020), which threaten information privacy. Robots equipped with computer vision and machine learning both see and sense the environment, implying greater penetration into consumers’ private, physical, and emotional spaces and threats to individual and communication privacy.

Finally, data sharing and monetization activities rely on data visualization and interaction design technologies, as each enables connected realities known as the “metaverse,” predicted to become an important part of digitial future (Kim, 2021). Data can be visualized through display technologies, such as mixed, augmented (AR), and virtual (VR) realities, which deliver realistic virtual experiences involving synthetic worlds in which users become immersed through interactions and sensory stimulation (Roesner et al., 2014). In terms of data sharing, these technologies allow immersive data presentations and experiences, especially data storytelling, that can be shared virtually, visually, and seamlessly among different groups of users (customers). In addition, these technologies enable firms to monetize data because they enhance customer interactive experiences (Hilken et al., 2017); they allow marketers to build increasingly intimate customer relationships, as in the examples of Sephora’s virtual product try-on or Facebook’s social VR platform Horizon (Appel et al., 2020), thereby improving marketing and operational performance. Both VR and AR technologies offer great potential for data wrapping/extended wrapping by realistically depicting analytics-based features.

Privacy tensions created are similar to those created by the IoT. Notably, alternate realities require sophisticated input from cameras, GPS, and microphones to enable the simultaneous functioning of various applications (Roesner et al., 2014). Blending mixed reality also requires sensitive information, such as personal communications, images captured by cameras, and movements captured by sensors, posing a risk to information and communication privacy. Some of the latest privacy concerns involve bystanders in social AR in public spaces, because the data of passers-by, such as their faces or behaviors, can be captured by AR devices without their realization (Nijholt, 2021). The processed data then could be transferred to other applications for display or rendering too, such that their personal information is exposed to an unknown system that might access and manipulate the data without users’ consent. “Clickjacking” tricks people into clicking on sensitive features by using transparent or deceptive interfaces, which then allows the illegitimate actor to extract their data (Roesner et al., 2014). Finally, an extensive range of sensitive sensors can capture rich information, as when visual data produce spatial mapping information also validate spatial elements, such as exteriors or physical articles. Such exposures of physical space threaten individual privacy.

According to structuration theory, structures such as regulatory frameworks (i.e., rules) can both constrain and enable consumer and firm actions in the digital landscape, exacerbating or offsetting privacy tensions. Privacy regulatory frameworks or policies seek to provide fairness, trust, and accountability in consumer–firm data exchanges. Similar to other consumer-focused public policies, major privacy frameworks attempt to improve overall societal well-being and protect people’s rights, in balance with countervailing societal goals such as firm profitability and economic prosperity (Davis et al., 2021; Kopalle & Lehmann, 2021). Digital technologies have evolved significantly, smoothing processes that allow firms to monetize and share customer data while simultaneously adding complexity to consumer-side privacy prevention. Therefore, it is critical for regulators to address privacy tensions that arise from digital technology use.

The three broad classes of privacy risks created by firms’ data monetization and sharing strategies are addressed to varying degrees by global data protection laws such as the GDPR, Australian Privacy Act, and CPRA, each of which attempts to limit the collection, use, storage, and transmission of personal information. Although data privacy regulations differ from country to country, the GDPR has become a global standard (Rustad & Koenig, 2019). New privacy laws tend to reflect its foundations (Bennett, 2018), and the global nature of business implies that many international firms must comply with its rules. Most U.S. state-based and global data protection frameworks share three common principles as their foundation (Helberger et al., 2020), which also align with structuration theory themes. First, consumers are both content receivers and data producers, making consent and ownership critical. Second, transparency is paramount to balance power discrepancies between consumers and firms. Third, data move throughout marketing ecosystems and across multiple parties, making access and control of data streams and consumer education about data collection, uses, and potential consequences critical.

Data protection laws also tend to involve two main enforcement methods, related to firms’ privacy policies and managerial practices, which might be categorized as more reactive or more proactive. Reactive conditions imply minimal changes and less impact on existing firm structures and performance; proactive conditions require more expansive changes. In relation to a firm’s privacy policy, for example, a reactive requirement might stipulate its availability and visibility on the firm’s website. For example, CPRA requires a privacy policy hyperlink on the firm’s home page that is noticeable and clearly identifiable (e.g., larger font, different design than surrounding text). A proactive version might require firms to disclose consumers’ rights and information access, use, and storage rules as important elements of their privacy policy. Through either enforcement mechanism, the regulatory goal is that consumers learn easily about data security, data control, and governance measures enacted by the firm.

In terms of managerial practices, a reactive approach would mandate notice of data breaches. Most data protection laws also set penalties for noncompliance; under GDPR, firms convicted of privacy violations face fines of up to 20 million euros or 4% of their global revenue. A proactive version might require firms to obtain consumer consent for information collection and usage. For example, websites often use a pop-up window that details the different types of cookies used for tracking and parties with which data may be shared. Consumers may review this information, then opt-out or request that the firm delete their information or stop sharing it with third parties. Both GDPR and CPRA enforce these consumer protections. Other regulations address firm profiling practices, facilitated by AI, to prevent harmful consumer alienation or exclusion practices. However, such laws differ in notable ways. For example, under the GDPR, firms must conduct a regular privacy impact assessment, which is not required by CPRA.

According to structuration theory, augmented by the SDL, firms as actors operate in broader systems that affect their behaviors (Vargo & Lusch, 2016). Firms are influenced by structure (e.g., regulations) and by their relationships with other actors (e.g., consumers) (Park et al., 2018). In response to regulatory and consumer actions, firms might comply with privacy rules (reactive response) or go beyond them to engage in privacy innovation (proactive response), which potentially shapes new structures (Luo, 2006).

We propose that digital technologies function as resources that enable firms’ data monetization and data sharing strategies. Using digital technologies such as big data, IoT, and AI in the ways previously described, firms can convert data and analytics into value for their customers and increase their profitability (Najjar & Kettinger, 2013). For example, a recent estimate of the value of Facebook users’ personal information is $35.2 billion, or 63% of Facebook’s revenues (Shapiro, 2019). As a shared general consensus, the interviewed senior managers agreed that data analytics boost firms’ performance. Internal data monetization practices can enhance firm performance, because the data collected from digital platforms represent consumer insights that firms can use to tailor solutions to meet consumers’ preferences and also make better business decisions (Bleier et al., 2020). As the head of product marketing in an electronics firm noted: “By using data we can offer the right product, right value at the right touchpoint to the end-user [using the] right approach.” An informant who performs customer analytics in the banking and finance sector also provided an example of data wrapping practices, such that the organization packaged its products with data insights as value-added features:

[Some of the data] that we capture [from individual customers] can be used to provide insights to our B2B customers…. With what we have today we could provide insights into their business based on their data to help them grow their business.

Similarly, external monetization, such as selling data to clients for marketing and targeting purposes, offers significant economic benefits for sellers. These three approaches are not mutually exclusive; firms can use more than one to generate revenue. Such data monetization practices increase the profitability of a firm and thereby enhance its performance.

Privacy tensions can stem from consumer–firm interactions through digital technologies (Park et al., 2018). Drawing from the notion in structuration theory that structure can both shape and be shaped by social practices, we note that the inherent privacy tensions of data monetizing practices provoke consumer and regulatory privacy responses, which have direct implications for firm performance. Data monetization thus may lead to privacy tensions and open firms to legal challenges, especially as data privacy regulations grow stronger. After the Cambridge Analytica scandal, heated debates about consumers’ privacy rights arose, and policymakers sought to increase the stringency of data regulations, such that Facebook’s CEO was called to testify before Congress and the company was fined US$5 billion by the U.S. Federal Trade Commission for deceiving users about their ability to control the privacy of their personal information (Lapowsky, 2019). In addition, trust in Facebook plunged by 66% (Weisbaum, 2018) and customers, including influential figures such as Elon Musk, joined the #DeleteFacebook movement in response. As this example shows, monetizing data may spark consumers’ privacy protection behaviors, which can jeopardize firms’ relationships with them. Even requests for data or perceptions that firms profit from consumer data can trigger reactive and proactive privacy protection behaviors, such as information falsification or outright refusal (Table 2). One consumer informant recalled an experience that felt like “an invasion, like I visited a website once because we got a new kitchen and now I get ads constantly for kitchen stuff. And it’s like, I might need that, but I don’t want you to know that I need it, but I want to find it myself.” A senior manager, head of digital marketing for an apparel firm, echoed this sentiment by acknowledging that “society is a lot more worried about data.” The inherent privacy tensions of data monetization can increase regulatory scrutiny, damage customer–firm relationships, and spark consumer privacy protection behaviors. We propose the following tenet and propositions:

From the integration of structuration theory and the SDL, we determine that digital technologies enable data sharing among actors within a business network, so multiple parties can access the data, anytime and from anywhere, which increases efficiency, in line with the prediction that value is co-created by multiple actors in an ecosystem (Vargo & Lusch, 2016). Data sharing also strengthens relationships among supply chain partners and fuels network effectiveness, which refers to the “viability and acceptability of inter-organizational practices and outcomes” (Sydow & Windeler, 1998, p. 273). Firms might collectively improve their performance by complementing their data with others’ information, thus generating second-party data (Schneider et al., 2017). Manufacturers gather market analytics from distributors for new product design, demand forecasts, and the development of marketing strategies. Take the automobile industry as an example. Data sharing enables carmakers, including BMW and its suppliers, to pinpoint production bottlenecks or parts shortages, then formulate effective responses to potential supply chain problems and boost the performance of all firms involved (BMW, 2021). A chief financial officer of a manufacturing firm affirms the value of data sharing:

Definitely, you know, for us as a supplier when we receive our clients’ market data, that’s entirely valuable for us. [Data sharing] is a critical part of making sure that we do the best job that we can.

Yet similar to data monetization, the multiple-actor, collaborative nature of data sharing can result in privacy tensions. The more data a firm shares, the more control it must surrender to other parties, creating vast uncertainty. Therefore, data sharing may jeopardize consumer information privacy and trigger both consumer and regulatory responses. These responses may imply performance losses for the focal firm, especially if requisite security measures are missing (Schneider et al., 2017). Considering the interactions between structure and social practices of data sharing, we offer the following tenet and propositions:

The dynamic interplay of structures and actors, again, guides our theorizing. Privacy tensions that occur from data monetization and data sharing (i.e., social practices) tend to alert policymakers, who often respond by strengthening regulatory frameworks. This change in structure (i.e., data regulation), together with objections from consumers that result in privacy-protective behaviors, requires firms to develop data privacy actions to reduce privacy tensions. Firms that aspire to address privacy tensions proactively must devote resources and create processes for updating their digital technologies, which is a particular challenge for small firms: “I think we would like to focus more on innovation. But we’re probably not that big a company at the moment that we can put a lot of resources towards it” (head of digital marketing, apparel).

A common centerpiece of privacy legislative frameworks is an emphasis on consumer consent. Adhering to such practices may reduce the collection and use of data and limit the number of parties with which data can be shared, which can engender diminished firm performance due to the constraints on personalization, customization, targeting, and prediction efforts. In addition, privacy laws might restrict firms’ ability to sell data and analytics and increase legal expenses, causing a significant disadvantage for businesses that are unable to collect data on their own. However, the effects of data privacy regulation can be mitigated by proactive privacy responses. Technology innovations might be exploited to circumvent regulatory limitations. For example, Airbnb and Uber personalize predictive models without compromising consumer privacy by using smart pricing algorithms based on anonymized, aggregated, or market-oriented (event- or object-based) data, rather than personally identifiable information (Greene et al., 2019). Whether they enhance privacy practices or technological processes, privacy innovations allow firms to reap critical data benefits, meet or exceed legal and regulatory obligations, accommodate consumer expectations, reduce privacy tensions, and, ultimately, mitigate the impacts of consumer responses and regulation stringency. Even though they involve data monetizing for marketing, operational efficiency, and data wrapping practices, Apple’s privacy initiatives (e.g., App Tracking Transparency, Privacy Nutrition Labels) have boosted customers’ loyalty to the brand even higher, such that 92.6% of Apple users claim they would never switch to an Android (O'Flaherty, 2021). The initiatives also alter industry norms and impose greater pressure on competitive firms, such that Google has announced plans to consider an anti-tracking feature for Android devices (Statt, 2021). As a chief executive officer of a telecommunication service provider explained:

You certainly got to comply, ticking that box, but I do think that if you were going that extra mile and looking at ways [of] being innovative, then you’re going to be servicing your customers even better.

We offer the following tenet and propositions:

Data harvesters engage in limited, internal data monetization and data sharing practices, leaving them less exposed to consumer privacy behaviors and regulations. Many of them seek to “harvest” their own data to create customer value. The head of digital marketing of an apparel firm shared:

We don’t have as much access to that sort of [third-party] data but yet we do have first-party data, which will be those [data] of those people within our leads database in our customer base.

However, if restrictions were imposed on their internal consumer data collection and use, they would have to rely on third-party data providers or brokers. Therefore, data harvesters likely comply closely with government regulations and tend to adopt reactive privacy strategies to protect consumer privacy.

Data patrons’ monetization approaches resemble those of data harvesters, such as developing customer intelligence for better internal marketing efforts. However, data patrons such as Apple, Microsoft, and PayPal are more likely to undertake data wrapping to create customer value, because they have greater digital technology capabilities. In addition, they are cautious about the many partners involved in their business networks which can create significant risks for sharing practices. Echoing this view, the head of customer analytics of a banking and finance firm stated:

We do have some partnerships that we share [our data with], but again it depends on our terms and conditions on what we share and what it is related to, especially if it has to do with the customer experience and if it is in the right interest of our customer.

These firms are moderately affected by consumer privacy behaviors and regulatory frameworks. Innovative patrons can navigate sophisticated regulatory frameworks and consumer privacy protection behaviors; for example, Apple’s App Tracking Transparency promotes its image as a responsible tech firm.

Data is the bloodline of data informants’ business models, as described by the president of a software development firm: “We don’t produce any physical goods. We operate only in the informational space. That means data is everything.” To maximize profits, some data informants use questionable methods to identify people’s interests in sensitive topics. These firms face substantial scrutiny; some regulators suggest they should be listed in public registries and allow consumers to request clarifications about data ownership. Their size and scope also make these firms prime targets for cyberattacks (Bleier et al., 2020). Finally, their privacy innovation tends to be low, because few incentives (or punishments) limit their data exploitation.

Digital technologies evolve rapidly, and privacy regulations must account for that rapid evolution. Although future-proofing privacy regulations is untenable, regulatory parameters that govern fundamental data exchanges, rather than specific technological techniques for gathering or processing data, can protect consumers more broadly, even as technologies change. In addition, such regulations would prevent firms from applying technologically advanced workarounds to subvert the restrictions. Both the GDPR and CPRA are designed to be technology neutral, governing the data exchanged between a customer and a firm rather than the technology through which the data are exchanged. Nevertheless, emerging digital applications such as deep fakes, the rampant spread of misinformation, and the growth of advertising ecosystems can challenge even the most technologically broad regulatory mechanisms. It is thus imperative that regulatory frameworks adequately protect consumer data, regardless of technological advances, with legal and protective parameters drafted with a technology-neutral approach that avoids regulatory obsolescence and prevents innovative subversion by firms.

Beyond imposing constraints though, we also recommend that regulators work closely with firms to learn how the regulations they propose are likely to play out in practice. For example, novel technologies can make the enforcement of various privacy regulatory dimensions more or less effective; requiring customer consent is a cornerstone of the GDPR framework, but its operationalization and enactment in practice has led to increased consumer annoyance with the required pop-ups (Fazzini, 2019). Monitoring efforts also should go beyond identifying violations or demanding strict, high-level compliance. In summary, even if technology advances too quickly to be subject to specific regulation, it strongly influences the implementation and effectiveness of regulation in practice, such that it can support or hinder intended regulatory purposes, so policymakers need to pursue and maintain an up-to-date, clear understanding of recent technology developments.

The GDPR may have had the unintended consequence of empowering the big technology companies (Facebook, Google) that it originally sought to constrain (Lomas, 2020). Large companies with many resources (financial, legal, personnel) are better poised to accommodate vast regulatory changes, including privacy regulatory mandates. In particular, firms that already house vast troves of customer data easily can reduce their reliance on external or third-party data providers. Their in-house data capabilities enable them to conform with regulatory parameters, even if their data use might seem ethically questionable. We recommend that regulators examine firms’ specific data sharing and data monetization practices closely, with particular monitoring efforts focused on firms with extensive engagement in data monetization, such as data informants and data experts. This targeted means to privacy regulation avoids some of the weaknesses of a “one-size-fits-all” approach. For example, many data informants are developers that offer free apps in exchange for customer data, and their external monetization practices are largely unknown to consumers. By applying the proposed data strategy typology, policymakers can detect areas of data concentration with the potential for misuse, such as among data experts and data patrons. Such considerations also could help limit the dominance of major tech firms. Regulators might apply the typology to understand the adverse effects of privacy regulation, such as data portability on data harvesters, that might harm small businesses or start-ups. If they cannot acquire large troves of data on their own, these smaller competitors must rely on larger actors to obtain data-based insights.

To the extent possible, regulatory frameworks should impose proactive enforcement of both privacy policy requirements and managerial practices, including privacy by design and privacy by default principles. Monitoring a firm’s data protection behavior can indicate the effectiveness of the regulatory framework, beyond just capturing violation occurrences or noncompliance. Even with comprehensive data protection regulations in force, multinational corporations appear to adopt reactive privacy strategies for the most part, while continuing to engage in behaviors and practices that put them and their customers at risk for data breaches (Norwegian Consumer Council, 2020). By recognizing and rewarding proactive firm responses (data innovation), perhaps in collaboration with industry bodies or aspirational firms, regulators also could encourage the reproduction of best practices.

Finally, transnational cooperation among enforcement authorities is necessary to deal with the many multinational firms and online businesses whose operations transcend national borders. Harmonization efforts proposed by the United Nations provide a potentially useful platform; its Personal Data Protection and Privacy Principles can help member organizations navigate the diverse patchwork of regulatory coverage, given their business scope and reach, by developing a coherent set of widely applicable rules that embody strong, proactive standards. Effective enforcement of privacy regulation and true protection of consumer privacy can be realized only if globally cooperative mechanisms are in place.