Data storage and access: An economic approach
How should cost-benefit analysis approach data storage?
Editor’s note
Topical questions about data include:
What is the value of data?
How far can rich data collection support free ad-funded content without straying into undue externality?
How would one assess evidence of harm relative to the valuable use of data?
How should one approach the so-called privacy paradox: the divergence of stated and observed preferences about data?
What happens with safeguards such as de-identification of data, and how does the harm analysis change when safeguards are used?
These topical questions are currently the focus of an important live consultation by the UK Information Commissioner’s Office. This ICO draft updated guidance on storage and access technologies would set important principles relating to data-rich businesses, and it is currently in draft with a deadline of Friday 15 March.
Importantly, a welcome cost-benefit analysis accompanies the proposals.
This reflects the ICO’s 2025 strategic plan, which requires, inter alia:
An “evidence-led and predictable approach to our enforcement action based on the potential risk posed or actual harm caused”
The promotion of growth through the “responsible use and sharing of personal information.”
“Impact assessments where appropriate.”
Accordingly, cost-benefit analysis is increasingly common, and increasingly influential, in ICO work, as with the recent Privacy Enhancing Technologies cost benefit tool.
Indeed, the absence of meaningful cost-benefit analysis by Google in relation to the Privacy Sandbox, and the failure to provide meaningful consumer welfare analysis when repeatedly prompted by the UK CMA, was one of the major reasons for the cookies U-turn last summer.
How exactly this cost-benefit analysis works, and whether it engages an economically sound approach, is an underappreciated but important question with significant impact on future data use for innovation and growth.
Therefore, there is a premium on thoughtful and detailed cost-benefit analysis of data regulatory proposals. The following piece considers how to approach cost-benefit analysis of data use and how the ICO’s approach compares.
In this case it is a particular pleasure because the comments happen to come from my father, Professor Antony Dnes, who is a regulatory economist. (Yes, there were plenty of economics jokes at the dinner table growing up!)
One of the greatest pleasures in my data competition work is that it is an example of a family business in an age when they are quite rare.
An Economist’s Note on Draft ICO Guidance Use of Storage/Access Technologies Impact Assessment
By Antony Dnes, Senior Economic Counsel, Dnes & Felver PLLC and editor-in-chief, Managerial and Decision Economics
Clearly there are major obstacles to information gathering that make the ICO’s position very difficult since it is charged with regulating infotech. We sympathize.
Yet the draft guidance document is neither extensive nor detailed and makes several errors in relation to well-established principles of regulatory economics.
The guidance is not properly based in welfare economics, misconstruing the impact of information asymmetry, which is a pervasive phenomenon. It also confuses lost revenue with opportunity cost, where the true comparison should be with lost surplus, including profits.
Harm
The draft guidance is vague.
The ICO believes (p1) that increasing regulatory certainty reduces the risks of “harms” materializing and that “without intervention the potential for these harms will rise.” It does not, however, clearly identify the harms or their rising (p6; p20). It is guidance in search of a problem.
The ICO claims without giving examples (p20) that “non-compliant use of storage and access technologies can lead to market failures such as imperfect information.” It particularly identifies possible problems from information asymmetry where an “advertiser or data processor may hold disproportionately more information” than the consumer. Furthermore (p20), “Imbalance in knowledge and decision-making power” leaves consumers “vulnerable to exploitation and harm.” No transmission mechanism from information asymmetry to harm, nor example of exploitation or harm, is provided.
Strictly speaking, information asymmetry is not a market failure because information may not be perfectible. It also arises in non-market settings. In fact, the ICO implicitly claims it has the best information in regulating storage and access tech. Information impactedness of any kind can be seen as a pervasive phenomenon not caused by the operation of commercial markets. Bator’s (1958) survey of market failure does not include information impactedness because the theory of perfect markets fails for externalities even with perfect information. As Fox (2017, p. 13) put it in relation to Akerlof’s (1970, p. 489) canonical example of adverse selection in the market for used cars (where buyers have less information than sellers):
“There are three main problems with the state of market failure theory on the question of asymmetric information. The first problem is that the theory is often over-generalized, along the lines of “asymmetric information causes market failure (inefficiency).” What economists generally have in mind is really “Fraud causes market failure (inefficiency).” Asymmetric information is a broader category of phenomena than fraud. … The second problem is … [assuming] away the process of social coordination and adaptation to change …. A third problem is that the existing theory fails to acknowledge problems of asymmetric information in the policy process. In doing so, it commits what Demsetz [(1970)] has called the Nirvana Fallacy, comparing the performance of actual social institutions with an idealized government solution.”
Fox’s comment on fraud and asymmetric information is consistent with the common law’s permitting trading on private information except where mistake is palpable or engages misrepresentation of fact.
Practical illustration of harm is sketchy and speculative in the draft guidelines. Assumptions are made (p16) that are not accurate. Consider the treatment of financial harm.
“Financial harm could be experienced where personal information obtained through storage and access technologies is used to target advertising at users, through encouraging negative purchasing habits or exploiting financial vulnerabilities through marketing of high interest loans.”
It is not clear why personal information would target sale of high interest loans or encourage negative purchasing habits, even were we to know what those are. Information is a public good and, absent compelling arguments to the contrary, such as a clear demonstration of net harm, should not be restricted.
For example, significant benefits such as avoiding a 2008-style meltdown could arise from lenders having more information and not making bad loans. There is no a priori reason to assume that data handling is only negative. Thus, by failing to weigh benefits, the approach in the draft is one-sided and the analysis needs to be expanded.
The ICO needs to show exactly how information impactedness harms people and provide a precise statement of how it will cost-effectively improve information flows to the advantage of consumers.
Purpose
For the purpose of the guidelines we are told (p4):
“The purpose of impact assessment is to improve regulatory interventions and policy-making by:
informing decision-makers about potential economic, social, and (where relevant) environmental ramifications;
providing a mechanism to consider the impact of interventions on a range of stakeholders, including different groups of citizens and organisations;
improving the transparency of regulation by explicitly setting out the intervention theory of change and the quality of underlying evidence;
increasing public participation in order to reflect a range of considerations, improving the legitimacy of policies;
clarifying how public policy helps achieve its goals and priorities through policy indicators; and
contributing to continuous learning in policy development by identifying causalities that inform ex-post review of interventions and improve future policy-making.”
It is unclear how any of these information provisions, mechanisms, transparencies, participations, clarifications, and contributions affect human welfare in relation to data storage and access technologies. What we really need to know is how alternative policies might affect company profits and consumer surplus in the long term. The ICO admits it cannot carry out such an exercise. Instead it is proposing policies for which the main purpose is to explain the policies themselves and future policy making.
Similarly, p17 states:
“Disclosure of this information [treatment for alcoholism] had the potential to cause psychological harms including stigma, embarrassment, and emotional distress to the users. It could also have led to financial harms through the ability to obtain and/or retain employment, housing, health insurance, or disability insurance.”
It could equally be argued that ex ante awareness of the possible psychological harms from disclosure will deter some from choosing to take on the risk of alcoholism, which is also a benefit to the individual, and that employers, housing providers and insurers (and their employees/clients) are better off for having full information.
The ICO’s claims are not obviously correct. Particularly in its discussion of financial harms, it fails to consider the important distinction between technological (resource-using) externality, which is Pareto significant (affects social welfare), and pecuniary (price effect) externality, which is not (Bator, 1958; Lemieux, 2021). Financial effects where one party gains and another loses from higher prices are prime candidates for Pareto irrelevance, where overall welfare remains unaffected.
Options
The ICO considers several options for intervention (p22) but in a highly subjective procedure. The options are:
Do nothing: Do not update the current version of the cookies guidance.
Provide a significant update to guidance (preferred option): Provide a significant update to the cookies guidance, that will:
    Clarify and expand on established policy positions where we can provide further regulatory certainty.
    Provide equal weight to “similar technologies” (such as web storage and scripts and tags) alongside cookies by renaming the guidance products and providing new examples.
    Provide clarity by using the new style guide and must / should / could framework.
Provide a light update to guidance (do less): Provide a light update to the detailed cookies guidance, that will:
    Provide clarity by using the new style guide and must / should / could framework.
Provide sector specific guidance (do more): Provide sector specific guidance and/or detailed device-specific guidance (ie a portfolio of multiple guidance products).
The ICO weighs up these alternatives qualitatively following HM Treasury critical success factors. These factors double count impacts and are implicitly equally weighted. “Strategic alignment” assesses how an option aligns with ICO’s objectives and the “wider policy landscape”. “Affordability” considers the cost and other financial impacts. “Achievability” refers to whether options are long-term solutions. “Risks” identifies legal and reputational risks posed to the ICO only. Finally, “impacts” considers positive and negative impacts on affected groups but with no recognition that pecuniary externalities match one person’s loss with another’s gain. The impacts also logically include other critical success factors such as wider policy effects and departmental risks.
The preferred option “Provide a significant update to guidance” simply scores fewer negatives and more positives compared with the other options in the view of the ICO. This is very much an administrative approach and does not correspond with the trade-offs associated with conventional analysis in regulatory economics.
Benefit-Cost Analysis
The ICO freely admits it has not carried out a conventional quantified benefit-cost analysis. Instead, it links (p25-35) largely qualitative effects to a so-called “theory of change.” The theory is simply a box and line diagram (Figure 1) identifying possible links for the likely effects of updating the guidance, the preferred option. The diagram is not a theory in terms of conventional economic analysis, where mathematical modelling is required to prove that claims being made could be true in at least some state of the world (giving a basis for hypothesis testing in applied work). Theory should not be mere speculation.
The ICO’s Theory of Change (Figure 1 to the ICO Impact Assessment): Simply a box and line diagram of possible effects, and not an analysis of any testable hypothesis.
The ICO’s Table 2 (p35) lists potential impacts of guidance on storage and access tech. Unfortunately, it double counts and overestimates costs and benefits, a classic error in regulatory analysis:
One simple example: “improved understanding of relevant legislation” is to at least some extent the same benefit as the immediately following “reduction in costs of obtaining advice and support (e.g. legal advice)” because better understanding reduces the need for professional advice.
On the cost side, the table records “reduction in revenue” which would also provide some offsetting benefit in terms of reduced costs, possibly in cases of decreasing average cost as well as the more obvious cases of constant or increasing average cost. But instead of revenue, the focus should be on lost surplus of revenue over costs.
Conclusion
We understand the high bar to information gathering making the ICO’s position difficult. However, that does not excuse the substitution of a qualitative exercise that does not get to the heart of the welfare effects of regulating data storage/access infotech.
The draft guidance document risks completely misleading the public, apparently on the basis that the establishment of a regulator means that the regulator must regulate, with or without knowledge of the precise effects of its actions.
The guidance is not properly based in welfare economics, particularly because it misconstrues pervasive information impactedness as a market failure and confuses lost revenue with opportunity cost.
References
Akerlof, G. (1970). The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism. Quarterly Journal of Economics 84(3): 488-500.
Bator, F.M. (1958). The Anatomy of Market Failure. Quarterly Journal of Economics 72: 351-379.
Demsetz, H. (1969). Information and Efficiency: Another Viewpoint. Journal of Law & Economics, 12(1): 1-22.
Fox, G. (2016). Asymmetric Information and Market Failure. J. Prices & Markets, 5: 11-23.
ICO (2024). Draft Guidance on the use of Storage and Access Technologies Impact Assessment.
Lemieux, P. (2021). The Threat of Externalities. Regulation. Fall 2021: 18-24.
Image credit: Nick Youngson, CC BY-SA 3.0