The argument against aggressive privacy compliance has always rested on a simple economic assumption: more restrictions mean less data, less data means less insight, less insight means less revenue.
New research from Harvard Business School says that assumption is wrong — and the evidence is striking enough to change how every compliance-minded organization should be framing the business case for privacy investment.
A study by HBS professors Ayelet Israeli and Eva Ascarza, co-authored with Ozge Demirci of Imperial Business School, tracked nearly 16,000 consumers across the United States before and after California and Virginia’s sweeping privacy regulations took effect in 2023. The finding: consumers in those states didn’t share less data after the laws passed. They shared more. Significantly more.
The paper — “In Privacy We Trust: The Effect of Privacy Regulations on Data Sharing Behavior” — may be the most important piece of compliance business-case research published this decade. Here is what it found, why it matters, and what it means for organizations still treating privacy compliance as a cost to be minimized.
The Study: What Was Measured and How
The researchers worked with what they describe as a “leading customer engagement” app — a platform that invites users to submit shopping receipts in exchange for discounts and rewards, while collecting behavioral data that brands pay to access for consumer insights.
It is, in other words, an explicit data-for-value exchange. Users know they are trading information for rewards. The platform’s entire value proposition depends on users willingly sharing behavioral data.
If privacy regulations were going to suppress data sharing anywhere, this would be the place.
The research team analyzed behavior across nearly 16,000 randomly selected customers, comparing what happened before and after California’s CCPA updates and Virginia’s Consumer Data Protection Act took effect in 2023. Over the six-month study period, those customers collectively received more than 2,500 offers from the app.
To validate the results, the team also analyzed data from two independent sources: participation rates in the U.S. Bureau of Labor Statistics’ Consumer Expenditure Surveys, and Google search trend data showing consumer awareness of privacy protections in the affected states.
The results were consistent across all three data sources.
The Numbers: More Compliance, More Data
Compared with users in states without equivalent privacy law changes, consumers in California and Virginia — after the laws took effect — submitted:
- 9% more purchase receipts overall
- 1.5 additional receipts per month, indicating greater general openness to sharing
- 5% more unique store visits logged in the app
- 4% more distinct retail categories reported — a wider variety of behavioral data
- More data from food and beverage and department store categories specifically
- A greater number of unique store zip codes — indicating broader geographic data sharing
That last point — the variety of data shared — is worth emphasizing. It is not just that users submitted more of the same. They shared more dimensions of their behavior.
“The finding that customers now share more variety of information about themselves is exciting,” says Israeli, the Marvin Bower Associate Professor of Business Administration at HBS. “As a marketer, I don’t just see more of the same about my customers, but I also observe more distinct behaviors, so I get to know them better.”
Why It Happened: The Trust Mechanism
The research team didn’t just document the increase — they investigated the cause. The leading explanation, supported by the Google search data and consumer survey patterns, is trust.
“The new regulations seem to have changed customers’ perceptions about privacy protections,” says Ascarza, a professor in the Marketing Unit at HBS. “The evidence suggests that increased trust is a key mechanism driving this change.”
The mechanism is intuitive once you see it. A consumer who doesn’t know what happens to their data, who has no rights over it, and who has no recourse if it is misused has every rational reason to share as little as possible. A consumer who knows they have the right to access their data, correct it, opt out of its sale, and request its deletion is operating in a fundamentally different risk environment. The downside risk of sharing has been reduced. And when the downside risk of sharing decreases, sharing increases.
This is not a privacy paradox — the well-documented phenomenon where consumers say they care about privacy but behave as if they don’t. This is privacy infrastructure working as designed: creating the conditions under which people can make genuinely informed, genuinely comfortable decisions about their own data.
Who Changed Their Behavior Most
One finding deserves particular attention from a strategic standpoint.
The largest increases in data sharing were not among users who were already comfortable sharing information. They were among users who, prior to the privacy law changes, had been the least inclined to share.
The research found that privacy protections were “particularly effective in increasing participation among more hesitant individuals.”
This is a significant strategic insight. The consumers most resistant to data sharing — the ones most likely to share nothing, opt out of everything, and avoid engagement with data-for-value platforms — are precisely the consumers who respond most strongly to visible privacy protections. Their hesitance was not about the value exchange. It was about trust. Fix the trust problem, and their behavior changes.
The Financial Implication: Privacy as a Revenue Lever
The researchers draw an explicit comparison between privacy regulation and financial incentives — and the comparison favors compliance.
“Privacy protections can be as influential as financial incentives in encouraging user engagement,” the authors write. “Unlike monetary awards, however, privacy regulations may have lasting effects by building trust and reducing perceived risks over time.”
They illustrate the economics directly: one or two extra receipts per month per user sounds modest. But for a platform with tens of millions of users, that volume of incremental data would cost far more to acquire through direct financial incentives — cashback bonuses, increased rewards, promotional offers — than it costs to implement the compliance infrastructure that produces it as a side effect of building trust.
The cost comparison is stark. Compliance infrastructure is largely a fixed cost — you build it once, maintain it, and the trust benefit compounds over time. Financial incentives are a per-unit variable cost — you pay for every additional piece of data you want. At scale, compliance is not just better for consumers. It is more economically efficient for the business.
What This Means for Organizations Still Fighting Privacy Compliance
The researchers make the strategic implication explicit.
“Consumers get more privacy protections and businesses get more of the information they want,” says Ascarza. “It’s a somewhat surprising result, but when you think about it, it’s not. People appear to feel more protected by the new laws, which might explain their greater willingness to share information.”
For organizations — and industry groups — that have invested in lobbying against privacy regulations, or treating compliance as a pure cost center to be minimized, this research presents a direct challenge to that posture.
The study found that “contrary to expectations, more transparency requirements, opt-out controls, and well-communicated privacy measures could help companies collect potentially more and better data.”
That sentence is worth reading twice. The features of privacy law that businesses most consistently oppose — transparency requirements, opt-out controls, visible privacy measures — are exactly the features that appear to be driving the trust increase that produces more data sharing.
Three Strategic Shifts for Compliance-Forward Organizations
The HBS research has concrete implications for how organizations should position and invest in privacy compliance.
1. Reframe Compliance as Customer Acquisition Infrastructure
The conventional framing treats compliance spend as a cost of doing business — a risk mitigation expense, like insurance. The trust-building effect documented in this research reframes it as customer acquisition and engagement infrastructure. Privacy compliance that increases willingness to share data among previously hesitant consumers is, in effect, expanding your addressable audience for behavioral data. That is a marketing investment, not a legal cost.
2. Make Privacy Protections Visible
The study’s trust mechanism depends on consumers actually being aware of the protections in place. Google search data confirmed that awareness of privacy protections increased in California and Virginia after the laws took effect — and that increase in awareness correlated with the increase in data sharing.
The practical implication: buried privacy disclosures in dense legal language don’t produce trust. Visible, plain-language explanations of consumer rights, prominent consent mechanisms, and well-communicated opt-out processes do. Organizations that communicate their privacy protections clearly — rather than hiding them in fine print — are likely to capture more of the trust effect documented here.
3. Target Hesitant Consumers With Privacy-First Messaging
The finding that privacy-hesitant consumers showed the largest behavioral changes suggests an underexplored marketing opportunity. Consumers who have historically opted out of data sharing, limited their engagement, or avoided platforms because of privacy concerns represent a segment that responds to trust signals more strongly than average. A privacy-first value proposition — not as compliance messaging, but as a genuine market differentiator — may be the most effective acquisition tool for that segment.
The Broader Context: 18 State Privacy Laws and Counting
The HBS research focused on California and Virginia’s 2023 implementations, but the landscape has expanded significantly since then. Eighteen U.S. states now have comprehensive privacy laws in effect, with more in progress. The consumer awareness effect documented in the research is likely to compound as more states enact visible privacy protections and as federal privacy legislation continues to be debated.
Organizations that build proactive privacy programs now — before the laws compel them to — are positioned to capture the trust benefit ahead of their competitors. Organizations that wait for enforcement pressure to drive compliance will be catching up on trust-building at exactly the moment when consumer awareness of privacy rights is highest.
The Research in Summary
| What Was Measured | Result |
|---|---|
| Overall data sharing | +9% more receipts submitted |
| Monthly sharing volume | +1.5 receipts per month |
| Breadth of behavioral data | +5% more unique store visits |
| Variety of data categories | +4% more distinct retail categories |
| Most affected consumers | Previously hesitant sharers |
| Mechanism | Increased trust from visible privacy protections |
| Cost comparison | More economically efficient than financial incentives |
The Bottom Line
The business case for privacy compliance has always rested on risk avoidance: avoid fines, avoid enforcement, avoid reputational damage. That case is real. But this Harvard research adds a second, affirmative business case that deserves equal weight: build trust, and the consumers you most need to reach will share more, more willingly, and across more dimensions of their behavior.
“Privacy protections can be as influential as financial incentives in encouraging user engagement.”
That is not a regulatory argument. That is a revenue argument.
If your organization is still treating privacy compliance as the thing your legal team handles to keep the company out of trouble, this research is a signal that the strategic framing needs to change. The compliance infrastructure you are building to satisfy regulators may be, simultaneously, one of the most effective trust-building investments your organization can make.
