Best practices in building a federal comprehensive data privacy and security framework

Reason Foundation submitted comments to the Privacy Working Group in response to a request for information.

Reason Foundation submitted comments in response to a request for information regarding a federal comprehensive data privacy and security framework. Comments were submitted to the Privacy Working Group within the U.S. House of Representatives Committee on Energy and Commerce on April 7, 2025.

On behalf of Reason Foundation, we respectfully submit these responses to the prompts contained in the February 21 request for information on the parameters of a federal comprehensive data privacy and security framework. Reason Foundation is a national 501(c)(3) public policy and education organization with expertise across a range of policy areas, including technology policy. Our responses below are numbered to correspond to the individual prompts.

III. Existing privacy frameworks and protections

A. Please provide any insights learned from existing comprehensive data privacy and security laws that may be relevant to the working group’s efforts, including these frameworks’ efficacy at protecting consumers and impacts on both data-driven innovation and small businesses.

Efficacy at protecting consumers

Comprehensive privacy laws such as the European Union’s General Data Protection Regulation of 2016 (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) were enacted with the intent to give consumers more control over their data and set clearer expectations about how that data would be used. However, economic and social science research has not yet determined whether these laws provide meaningful additional protection for consumers. Moreover, these regulations appear to have had unintended negative effects on consumer behavior and business activity.

With respect to Europe’s GDPR, our own analysis of the Survey on Internet Trust (Ipsos) found that consumer trust did not change before (2017) or after the introduction of GDPR (2019). Another group of researchers, using the same data, looked at the interval between 2019 and 2022 and found that Internet users’ trust in the Internet has actually dropped. We have also previously warned that overbroad privacy regulations could make the Internet less user-friendly.

These concerns have been validated by the findings of a recent study funded by the European Research Council. The authors examined how GDPR affected online user behavior and found it had a negative impact on website traffic. After GDPR took effect, weekly website visits dropped by approximately 5% within three months and by about 10% after 18 months.

These traffic declines caused significant revenue losses—averaging $7 million for e-commerce websites and nearly $2.5 million for ad-supported websites after 18 months. However, the impact varied depending on website size, industry, and user location. Larger websites suffered less, suggesting that GDPR may have unintentionally favored large websites and increased market concentration by harming smaller competitors.

In an analysis of the California Consumer Privacy Act (CCPA), scholars from the University of California, Irvine, and New York University found significant correlations between the regulation and shifts in consumer behavior on commercial websites. Specifically, Californians decreased their purchases by approximately 4.3% and increased their product returns by 3.0%, resulting in an average reduction of $96 in discretionary spending per consumer within one year of the CCPA’s introduction. Browsing behavior data from commercial websites indicates that Californians spent more time online and visited more pages per website, suggesting that increased privacy restrictions may have compelled consumers to expend greater effort to locate suitable products or services.

Full Comments: Comments in Response to Data Privacy and Security Request for Information