How Do Privacy Laws Impact the Value for Advertisers, Publishers and Users in the Online Advertising Market? A Comparison of the EU, US and China

Regulators worldwide have been implementing different privacy laws. They vary in their impact on the value for advertisers, publishers and users, but not much is known about these differences. This article focuses on three important privacy laws (i.e., General Data Protection Regulation [GDPR], California Consumer Privacy Act [CCPA] and Personal Information Protection Law [PIPL]) and compares their impact on the value for the three primary actors of the online advertising market, namely, advertisers, publishers and users. This article first compares these three privacy laws by developing a legal strictness score. It then uses the existing literature to derive the effects of the legal strictness of each privacy law on each actor’s value. Finally, it quantifies the three privacy laws’ impact on each actor’s value. The results show that GDPR and PIPL are similar and stricter than CCPA. Stricter privacy laws bring larger negative changes to the value for actors. As a result, both GDPR and PIPL decrease the actors’ value more substantially than CCPA. These value declines are the largest for publishers and are rather similar for users and advertisers. Scholars and practitioners can use our findings to explore ways to create value for multiple actors under various privacy laws.


Introduction
Regulators worldwide enact various privacy laws to alleviate users' privacy concerns about firms' intensive processing of personal data. These privacy laws regulate personal data processing by imposing obligations on firms and entitling users with rights, potentially impacting the value for firms (e.g., by raising costs) and users (e.g., by increasing utility from higher privacy). The impact of privacy laws on the value created in the online advertising market is likely to be substantial because firms operating in this market rely heavily on personal data processing to provide users with personalized offerings (Skiera et al., 2022).
Understanding how privacy laws affect value is a critical task for firms because they need to create (or at least prevent from destructing) value for multiple stakeholders, especially under policy shocks such as the enforcement of privacy laws (Kumar & Rajan, 2017;Kumar & Reinartz, 2016). Such knowledge is also important for users because they need to understand the consequences they may encounter (e.g., less relevant ads and more privacy choices) and how laws protect their privacy. In particular, this article focuses on three primary actors in the online advertising industry: advertisers, publishers and users.
However, it has been challenging to understand how different privacy laws affect value because little is known about the differences between the laws and how they impact each actor's value in the online advertising market. Therefore, this article examines the privacy laws of three important regions worldwide, namely, the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) in an essential part of the United States (US) and the Personal Information Protection Law (PIPL) in China, to derive their effects on the value for actors in the online advertising marketadvertisers, publishers and users. Our study is the first to compare the three privacy laws simultaneously and to bring China's PIPL into the discussion.
This article adopts the method of theory synthesis (Jaakkola, 2020) that summarizes and integrates existing knowledge of a concept or phenomenon, which, in our context, is the creation and destruction of value by privacy laws. In the first step, we use a set of criteria to create a legal strictness score for each of the three laws to derive their similarity. In the second step, we provide an overview of the effects of legal strictness on the value for the actors affected. Specifically, we examine the exchanges between advertisers, publishers and users to (a) define the value for one actor by another actor (e.g., the value created or destroyed for users by publishers), (b) examine the existing literature to describe the effects of privacy laws on value and (c) quantify the total effects of legal strictness for each actor by adding up all effects on value-sum of effects on value. Thus, we add to the understanding of value creation and destruction from multiple stakeholders' perspectives in the context of privacy laws and the online advertising market.
In the third and final step, we derive the changes in value by multiplying the legal strictness score and the sum of effects on value that yield the effects that each privacy law has on each actor. We provide a method to quantitatively summarize different laws' effects on the value for multiple actors, allowing for detailed conclusions for each law and actor.

Existing Knowledge of Value and Privacy
Our study contributes to two streams of the literature. First, we offer a systematic overview of how privacy laws affect the value for firms and users. Many studies investigate the effects of privacy laws with a focus on one actor: publishers (e.g., Congiu et al., 2022), advertisers (e.g., Johnson et al., 2022) or users (e.g., Ichihashi, 2020). Few articles discuss multiple actors, but they do not shed light on the combined effects of the multiple mechanisms through which privacy laws change the value for actors (Johnson et al., 2020). Meanwhile, many discussions on consumer privacy concentrate on the GDPR in the EU, neglecting other privacy laws such as the CCPA and the PIPL (Aridor et al., 2020;Goldberg et al., 2021;Schmitt et al., 2021).
Second, this article adds to the understanding of value creation in the context of privacy. Kumar and Reinartz (2016) discuss value in the exchanges between firms and customers. They define the perceived value for customers and measure the value from customers. Kumar and Rajan (2017) define value for firms from a stakeholder's (e.g., customers, employees and investors) perspective and explain how stakeholders create or destroy value for firms. Nevertheless, there is a gap in understanding value creation and destruction for multiple stakeholders. Our study bridges the gap by examining the exchanges between publishers, advertisers and users and providing a detailed description of how these exchanges create or destroy value.

Overview of the Three Privacy Laws
We compare three privacy laws from important regions of the world: (a) the GDPR in the EU, (b) the CCPA in California in the US and (c) the PIPL in China. As top economies worldwide (measured by Gross Domestic Product), the EU (third), California (fifth) and China (second) have privacy laws that are likely to have a considerable impact on value for all actors. Meanwhile, the three areas have wide regional coverage, each representing a different continent.

Criteria for Comparison
We adopt the 5W1H method to develop the criteria for deriving the legal strictness score of the three privacy laws. The 5W1H method describes a situation with six dimensions: where, when, why, who, what and how. Adopting the method allows for better understanding, structuring and framing of a situation (Carmagnola, 2008). Specifically, • Scope (where): It describes the applicable activities, the protected actors and the regulated actors of the law. • Time of enforcement (when): It describes when the law takes effect.
• Aim (why): It describes the aim of the law.
• Role of the regulated firms (who): The role distinguishes the regulated actors by (a) firms determining why and how to process data and (b) firms processing data for the actors in (a). • Definition of data to be protected (what): The applicable data is categorized into (a) the data generally protected and (b) the data protected by special rules. • Legal bases, user rights, firm obligations and penalties (how): Each describes a key component of the laws to protect user privacy-the legal bases a law requires for data processing, the rights a law entitles users with, the obligations a law imposes on a firm and the penalties a law enforces. Table 1 presents a comparison of the three privacy laws. Each column of Table 1 contains one of the three privacy laws, and the rows display the criteria used for our comparison. We fill the cells with integrated information from law articles and industry reports (Jehl & Friel, 2018;Kulbeth, 2021;Marini et al., 2018). To draw conclusions based on quantitative evidence, we (a) develop a legal strictness score, (b) summarize each law's legal strictness and (c) check the similarities and differences between the laws in Table 2. Specifically, the legal strictness score, ranging from 0 to 2, is based on the relative ranking of legal strictness among the three laws, that is, we assign the highest score of '2' to the law ranking the first in legal strictness ('1' for the second and '0' for the third). Our evaluation of a higher ranking in legal strictness differs for each criterion: broader scope, earlier enforcement time, more aims to achieve, more roles of the regulated firms, broader definition of data to be protected, more legal bases, more user rights, more firm obligations and higher penalties.

Methodology for the Comparison of the Three Privacy Laws
When two laws are equally strict in a criterion, they get the same score. Take the criterion scope as an example. The GDPR and the PIPL have an extraterritorial scope, while the CCPA mainly applies to California. Hence, the GDPR and the PIPL tie at the first rank, having a legal strictness score of '2', while the thirdplaced CCPA scores '0'. For the criteria where the three laws are equally strict, all get the highest score of '2' as the legal strictness score.   Notes: a The ranking of legal strictness of the three laws yields the legal strictness score, that is, the strictest law gets the highest score of '2' ('1' for second and '0' for third strictest law). b We fill the cells with '1' if the respective two laws are equally strict and 0 otherwise.

314
Journal of Creating Value 8 (2) Then, we check the similarity conditions regarding legal strictness according to the legal strictness score. For example, when checking 'GDPR = CCPA' under the criterion 'where', we see whether '0 = 2' holds. Since the equality is false, the cell contains '0'.

Results of the Comparison of the Three Privacy Laws
We observe in Table 2 that the GDPR and the PIPL are similar in their legal strictness, based on the considerable overlap of eight out of nine criteria. The legal strictness score can also support the conclusion as the GDPR has a total score of 18 while the PIPL scores 16 in legal strictness. Both laws have an extraterritorial scope and protect certain sensitive data with special rules. Besides, the two laws require firms to support data processing with analogous legal bases, share one set of analogous user rights and punish serious violations with fines up to millions (even billions) of dollars.
In addition, we find the CCPA is less strict than the GDPR and the PIPL (legal strictness score: 5 CCPA � 16 PIPL ≈ 18 GDPR ). First, the CCPA has a narrower scope than the other two laws: (a) collecting, selling or sharing versus any operation, (b) California residents versus natural persons and (c) California firms ('businesses') under certain conditions versus explicit extraterritorial long arm. Second, the CCPA has a narrower definition of data to be protected. In particular, certain health and finance data is exempted from protection under the CCPA but is protected with even stricter rules under the other two laws. Third, the CCPA entitles fewer user rights than the GDPR and the PIPL. Last but not least, the CCPA imposes penalties of a smaller scale than the other two laws, let alone the PIPL's additional punishment on the person in charge.
Despite their comparable legal strictness scores, there are distinctions between the GDPR and the PIPL, and both can be stricter than the other one under specific criteria. On the one hand, the PIPL can be stricter than the GDPR. Apart from most shared legal bases, the PIPL does not support using legitimate interest 1 -a legal basis that is widely adopted by EU firms under the GDPR. Moreover, the PIPL requires establishing a dedicated entity or appointing a representative inside China for international firms overseas, while the GDPR does not. On the other hand, the GDPR also has stricter rules than the PIPL. The firms processing data on behalf of others have to fulfil several obligations explicitly pointed out under the GDPR ('data processors'), which is not the case for the PIPL ('entrusted persons').

Actors Affected by Privacy Laws in the Online Advertising Market
There are three primary actors in the online advertising industry: (a) advertisers that aim to draw users' interest to the advertisers' offerings, (b) publishers (e.g., websites or apps) that monetize their services by selling ad spaces to advertisers and (c) users who are mainly interested in the publishers' offerings and sometimes interested in the ads displayed. Figure 1 illustrates the three exchanges among the actors (Skiera et al., 2022): • Exchange 1: Publishers provide users free content in exchange for processing users' data and providing contact between users and advertisers. • Exchange 2: Advertisers pay publishers to contact users and pay more if receiving users' personal data help to improve the ad effectiveness. • Exchange 3: Users may purchase the advertisers' offerings after seeing the ads targeted for the users.
Tracking and profiling play a vital role in each exchange because it enables advertisers to target users with ads and measure their ads' performance (e.g., clickthrough rate or conversion rate). Privacy laws provide users with rights and impose obligations on firms (e.g., advertisers or publishers) to restrict data processing (i.e., tracking and profiling). Therefore, we identify advertisers, publishers and users as the actors affected by privacy laws in the online advertising market and list them in the first column of Table 3 .

Definition of Value for Actors
Following Kumar and Rajan (2007), we define value for an actor as the net accrued benefits (tangible and intangible) over the associated costs that firms and individuals realize in an exchange process. The creation and destruction of value happen alongside the exchanges in Figure 1 .   Skiera et al. (2022) Source: The authors. Notes: a In this column, the arrows (shown in brackets) represent the direction of changes in value (relative effects). For example, an increase in cost negatively affects the value, hence the cell has a down arrow even though it is an 'increase'. When finding a mixture of no effect and effects in one direction in the literature, we list both effects and conclude in one row. When finding a mixture of effects in opposite directions, we list them in two separate rows. Examples of an advertiser offering: products and services.
( Table 3 continued) Columns 2-5 of Table 3 specify the value for each actor and point out the sources of value creation and destruction within each exchange. For each actor (Column 1), we first define the value (Column 2), then categorize value change into creation and destruction (Column 3) and examine (Column 4) the sources of value creation and destruction in every exchange (Column 5). In economic studies, the fundamental assumption for a firm's objective is profit maximization (Mas-Colell et al., 1995). Given the assumption, we define the value for publishers and advertisers as profit, which is the difference between revenue and cost. Thus, gaining revenue represents value creation, and bearing cost denotes value destruction. Likewise, the value for users is the net utility, which equals (gross) utility minus disutility. Obtaining utility is a way to create value for users, while having disutility destroys user value.
From each actor's perspective, value creation and destruction happen simultaneously in every exchange. Take Exchange 1 as an example: publishers create value for users by providing (personalized) offerings (e.g., news and videos). At the same time, publishers destroy user value because the processing of personal data infringes user privacy. Users create value for publishers with their exposure and personal data while destroying publisher value due to the associated cost of creating the offerings and processing the data.

Effects of Privacy Laws on the Value for Actors Detailed Effects of Privacy Laws on the Value for Actors
After defining value and outlining how value is created and destructed, we take a privacy law as a policy shock to the market and investigate its effects on value, with the counterfactual being no privacy law in force. The final four columns of Table 3 display the outcomes. We first point out the conclusion (Column 6) and explain the underlying mechanism (Column 7), then we propose a few exemplary measures of value (Column 8) and show the academic studies and industry reports that we base on (Column 9).

Methodology for the Investigation of Detailed Effects
This study primarily focuses on the direct effects 2 of privacy laws and discusses some of the indirect effects at the end of this section. Our conclusions come from a literature review on the effects of privacy laws on the online advertising market. We use the following data and procedure for our literature review: We then categorize findings from the sampled literature by actors, whether value creation or destruction, the exchanges involved, and sources of value creation and destruction. Next, the categorized findings fit in the appropriate row. We assume the conclusions hold for all general privacy laws. Note that the studies either examine the impact of the GDPR directly or discuss it in the context of general privacy laws because very few studies build on the CCPA and the PIPL.
Column 6 of Table 3 displays the absolute effects on value in words and shows the relative effects brought to the value (with arrows shown in brackets: up arrow for a positive effect, down arrow for a negative effect and right arrow for no effect). For example, an increase in cost negatively affects the value, hence having a down arrow even though it is an 'increase'. We take the average outcomes when finding heterogeneous effects among actors in the literature. When finding a mixture of no effect and effects in one direction, we list both effects and conclude in one row. When finding a mixture of effects in opposite directions (e.g., some studies find an increase, others find a decrease), we list them and conclude in two separate rows.

Results of the Investigation of the Detailed Effects
We observe that the effects of privacy laws on the value for actors are heterogeneous. On the firm side, the size and sometimes even the sign of the impact of privacy laws differ for different firms. Regarding the size of a firm, Congiu et al. (2022) find an inverted U-shaped relationship between publisher size and change in user contacts due to privacy laws, while other studies suggest that smaller firms suffer more losses (Campbell et al., 2015;Peukert et al., 2022;Sharma et al., 2021). Regarding the category of a firm, Schmitt et al. (2021) find negative effects on publishers' user contacts throughout the observation period for some industries (e.g., Arts and Entertainment) and positive effects for some others (e.g., Business and Consumer Services), whereas positive effects occur in the short term and negative effects in the long term for categories such as e-commerce and shopping.
On the user side, privacy laws have heterogeneous effects on users with different preferences for personalization. For those who used to be in favour of personalized offerings from publishers and advertisers (e.g., recommending content or products that may interest the user), utility from personalization decreases because privacy laws make personalization more costly with the opt-in consent banner (or the opt-out consent banner under the CCPA). Meanwhile, for those who do not obtain utility from personalization, the consent banners do not change their utility from personalized recommendation. Besides, privacy laws have heterogeneous effects on users with different sensitivity to privacy infringement. Users more sensitive to a privacy loss benefit more from the protection from privacy laws.
The indirect effects of privacy laws also impact the value change of actors. For instance, the ad revenue of publishers (respectively, the ad spending of advertisers) may stay unchanged. Since most ads whose value varies with the amount of personal data available are behavioural targeting ads, firms may strategically adjust their ad budgets toward contextual targeting ads, rendering an overall stable value from advertising. Another example is that user utility from consuming publisher offerings may decrease; hence, value decreases. Due to reduced ad revenue, publishers cannot afford the cost of providing high-quality offerings. Therefore, the quality of publisher offerings drops.

Sum of Effects of Privacy Laws on the Value for Actors
To provide an overview of the effects aggregated by actors, we create a measure called the sum of effects on value and summarize the effects in Table 4. In Panel A, we assign a sum of '1' to the cells with up arrows, indicating a positive sum of effects on value ('0' to right-arrow cells, '−1' to down-arrow cells, '−0.5' to rows with down and right arrows). The final column of Table 4 Panel A aggregates the sum of effects on value by each actor, assuming (a) each row contributes equally (with equal weight) to the total outcome of the actor and (b) the effects within each row are homogeneous among actors. Panel B displays a summary of the sum of effects on value. Notes: a In this column, the arrows (shown in brackets) represent the direction of changes in value (relative effects). When finding a mixture of no effect and effects in one direction in the literature, we list both effects and conclude in one row. When finding a mixture of effects in opposite directions, we list them and conclude in two separate rows. b We assign '1' to the sum of effects on value where the row contains an up arrow, indicating a positive sum of effects on value ('0' to rows with right arrows, '−1' to rows with down arrows, '−0.5' to rows with down and right arrows). c We add up the sum of effects on value for each actor, assuming each row contributes equally (with equal weight) to the total sum of effects on value. d Example of a publisher offering: news, videos. e Example of an advertiser offering: products, services.
( We conclude that the overall effects of privacy laws on value are most negative for publishers (sum of effects on value = −2.5; 3.5/6 negative, 1/6 positive and 1.5/6 none) and is similar for advertisers (sum of effects on value = −1; 3/5 negative and 2/5 positive) and users (sum of effects on value = −1; 2/6 negative, 1/6 positive and 3/6 none).
According to the literature review, we summarize that the negative effects of privacy laws come from three sources: (a) users or the consent management tools (e.g., a browser extension) making choices to opt-out from data processing, (b) firms making choices to work with fewer firms to avoid legal risks and (c) legal requirements imposing compliance cost to users and firms. As a result of (a) and (b), fewer user contacts and user data for tracking and profiling are available. Fewer personal data lower firms' targeting accuracy, decreasing publisher ad revenue and advertisers' revenue from their offerings. Because of (c), firms bear the cost of creating technical and legal infrastructures, as well as the risk of violating the laws. Users have the decision cost to take control of their data, both opt-in and opt-out.
The positive impact of privacy laws mainly originates from three sources: (a) users gaining utility from privacy protection; (b) industry leaders such as Facebook and Google benefiting from the increased market concentration-a larger share of a smaller pie; and (c) zero-sum value transfer from advertisers to publishers-the decrease of publisher ad revenue equals the decrease of advertiser ad spending, that is, lower cost and higher value for advertisers. Table 5 quantifies the changes in value brought by each privacy law for each actor. The measure changes in value is the product of (a) the legal strictness score (developed in the section titled Comparison of the Three Privacy Laws) and (b) the sum of effects on value (introduced in the section titled Effects of Privacy Laws on the Value for Actors). With changes in value, this study compares the changes in value across each privacy law and each actor. Note: Numbers in the brackets are the total legal strictness score for each privacy law (Row 2) or the total sum of effects on value for each actor (Column 1). We fill each cell with changes in value (product of legal strictness score and sum of effects on value) brought by each privacy law for each actor in the online advertising market.

Results of the Comparison of the Effects of the Three Privacy Laws on Value
First, stricter privacy laws bring larger negative changes to the value for actors. Specifically, the GDPR brings the largest negative changes to value (−81), 3 followed by the PIPL (−72) and the CCPA (−22.5), which holds for the whole market and all actors. Many academic studies find that regulatory strictness correlates with various economic outcomes such as decreased page views and revenue (Goldberg et al., 2021), decreased publisher-vendor connections (Johnson et al., 2022) and decreased venture investment (Jia et al., 2021), and, thus, support this conclusion.
We provide some examples to explain the conclusion. Recall the criteria for comparing the contents of privacy laws we adopt in concluding strictness in the section titled Methodology for the Comparison of the Three Privacy Laws. Take penalties as an example. Privacy laws with penalties of a smaller scale are less strict. Therefore, the CCPA (legal strictness score in penalty = 0) is less strict than the GDPR and the PIPL (for both, legal strictness score in penalty = 2) in terms of penalty. The changes in the value for actors brought by the CCPA are smaller than the other two laws. As Johnson et al. (2022) point out, publishers with larger potential penalties cut off more connections with technology vendors.
Second, the changes in value are the largest in absolute terms for publishers, followed by users and advertisers. The final column of Table 5 supports the conclusion with publishers having a change of −97.5, advertisers a change of −39 and users a change of −39. The finding holds for all privacy laws, as we observe in each column of Table 5.

Limitation of Comparison
To provide quantitative evidence for the conclusions, we develop a method with three measures: the legal strictness score, the sum of effects on value and the changes in value. The assumptions this study imposes on the measures generate limitations. Take the legal strictness score as an example. First, the rule of scoring legal strictness built upon the rankings and, thus, neglects the size of the differences. A time difference (enforcement) of three years, two year and one year has an identical score with a time difference of nine years, five years and one year. Second, calculating the total score for each privacy law by adding up assumes an equal weight of each criterion. However, some criteria may contribute less to the overall strictness, such as the enforcement time. Therefore, we primarily interpret the ranks of the measures and not the absolute values.

Conclusion and Implication
This article discusses the different changes in the value for actors in the online advertising market (publishers, advertisers and users) brought by three different privacy laws (GDPR, CCPA and PIPL). Our study concludes that stricter privacy laws bring larger negative changes to the value for actors. The changes in value are the largest in absolute terms for publishers, followed by users and advertisers.
Besides, the overall effects of privacy laws on value are negative, which holds for the whole market and each actor. The effects can be heterogenous for the actors though.
The overview of differential effects of privacy laws on the value for various actors provides more information for regulators who have to balance the value for all actors when introducing new privacy laws or amendments. Firms, especially international firms, gain more insight into how to create value for users and how others create value for them under different privacy laws. We also offer a method for academics and practitioners to systematically compare differential effects under various regulations.