Data Regulation and Technology Venture Investment: What Do We Learn From GDPR?

The European Union’s General Data Protection Regulation, which governs how businesses manage, process, and handle their European users’ data, came into effect in May 2018. Using venture investment data, we examine how the regulation may have affected investors’ appetites to invest in European technology ventures, as a function of the investors’ locations. Our findings indicate a reduction in the number of investment deals in nascent European technology ventures following the implementation of the legislation, including reductions in repeat investments, and particularly by foreign investors, in comparison to technology ventures in the United States.

By Jian Jia,¹ Ginger Zhe Jin² & Liad Wagman³

In a fast-evolving industry driven by technology, government policies have the potential to unleash innovation or create barriers that stifle market access. The stark contrast of these potential effects is particularly acute in data regulation.

On the one hand, data is a key input in technology-driven innovation and production. Data is also a key input in the matching processes between consumers and products, and is increasingly important for efficiently servicing consumers. On the other hand, data-driven operations have raised concerns about privacy intrusion and misuse of data without the knowledge or consent of the data source.⁴ In response to growing consumer privacy concerns, the European Union began enforcing the General Data Privacy Regulation (“GDPR”) on May 25, 2018, and the State of California rolled out the California Consumer Privacy Act (“CCPA”) in 2020. Both regulations aim to enhance data protections.

These data regulations differ from their predecessors in important ways. First, the definition of ‘personal data’ has been arguably broadened to cover items ranging from pseudonymized data to advertising identifiers on consumers’ phones. In addition, recent regulations have explored new mechanisms of enforcement, and included more significant penalties for violations. For instance, fines under the GDPR can be up to 4 percent of a firm’s global annual revenue, and CCPA (specifically, Proposition 24) calls for the establishment of the California Privacy Protection Agency.

Data protections, however, entail tradeoffs. On the positive side, a strengthening of consumer privacy rights could offer some benefits to individuals who value privacy, data security, and the ability to more readily exercise control over personal data. On the negative side, restricting firms’ access to data can result in outcomes that those same consumers do not like, such as higher prices (Taylor & Wagman, 2014).⁵ To the extent that data regulations increase firms’ compliance costs, existing economic theories also show that compliance costs can disproportionately impact nascent firms (Campbell et al., 2015)⁶ and reduce new venture formation (Krasteva et al., 2015).⁷

In two recent papers, we empirically investigate whether a sweeping data regulation such as the GDPR has had an impact on technology venture investment and, thus, on current and future innovations (Jia et al., 2020a and 2020b).⁸ From Crunchbase and VentureXpert, our dataset covers technology-oriented venture deals taking place between 2014 to 2019 in the EU, U.S., and the rest of the world (primarily comprising venture deals in Australia, Canada, China, Israel, India, Japan, Russia, and South Korea). Because GDPR was enacted in April 2016 and implemented in May 2018, our data includes 2+ years before the enactment, 2 years interim, and 1.5 years following the actual rollout of GDPR.

We find negative differential effects on EU ventures after the rollout of GDPR relative to their counterparts in the U.S. and in the rest of the world. The negative effects manifest in the number of financing rounds, which, after GDPR’s rollout, exhibit a 26.1 percent reduction in the number of monthly venture deals by EU ventures compared to their U.S. counterparts. A comparison between EU ventures and their counterparts in the rest of the world not including the U.S. also points to a similar large negative effect. The negative effects are larger in the 6-month period immediately after GDPR’s rollout in 2018, but some of them are sustained in 2019. Furthermore, our analysis suggests that consumer-facing ventures in the EU incur larger deal reductions than their business-facing counterparts, though deal reductions apply to both types of ventures.

One explanation is that the regulation may have introduced compliance costs and uncertainties for new technology ventures. For investors, GDPR may have increased due diligence costs with respect to EU venture deals, raising risks and uncertainty. And these costs may be particularly heightened for foreign investors who are less familiar with European institutions.

This latter concern is the focus of our second study, where we empirically investigate how an investor’s home location interfaces with the effects of GDPR on investments in technology ventures (Jia et.al., 2020b).⁹ To do so, we divide investors into three groups: group 1 refers to foreign investors, who belong not only to different states or countries, but also different unions (e.g. U.S. or EU); group 2 refers to investors in the same-union but different member states (e.g. California or New York in the U.S., and Germany or France in the EU); group 3 refers to domestic investors, who belong to the same member state. These three groups help capture a measure of “foreignness.” Following Bertrand et al. (2004),¹⁰ we use a difference-in-differences framework to compare technology venture investment activities in the EU, U.S. and the rest of the world before and after GDPR. Put simply, we find that foreign investors pulled back from investing in EU technology ventures after GDPR, more than non-foreign investors.

More specifically, we find that EU tech firms, relative to their U.S. counterparts, experienced an average 22.20 percent decline in the number of venture deals from foreign investors and a 41.89 percent reduction in their corresponding per-deal amounts after the rollout of GDPR. In comparison, the reductions were of 15.80 and 35.77 percent for same-union EU deals, and 12.1 and 28.08 percent for domestic EU deals. We also find that the effects are more pronounced for foreign investors who invested in more data-related ventures, in younger ventures, in early funding stages, and in consumer-facing ventures.Figure 1. Aggregate level trends of the average # of monthly deals per state (U.S.) and member state (EU)

To get a visual sense of our aggregate findings, Figure 1 depicts monthly trends for the average monthly number of deals of each type (foreign, same-union, and domestic in subfigures a, b, and c, respectively) per state (in the U.S.) or member state (in the EU). Note that there are no noticeable differential trends between the EU and the U.S. prior to the legislative enactment of GDPR in 2016. Figure 1(a) indicates a significant divergence between U.S. and EU ventures in the number of foreign investment deals after the rollout of GDPR in May 2018. Figures 1(b) and 1(c) suggest lesser effects for same-union and domestic venture investments.

One may wonder how the considerable reductions in venture investments, particularly foreign investments, affects the ability of European entrepreneurs to get new ventures started. Our analysis indicates that the number of first-round EU venture deals in our sample (i.e. the initial funding rounds that can help ventures get off the ground) incur a 17.8 percent decline after GDPR’s rollout in May 25, 2018. This reduction affects primarily consumer-facing ventures (a decline of 22.7 percent) but also business-facing ventures (a decline of 12.4 percent). A large portion of the decline appears to be driven by foreign investors pulling back from investing in new EU ventures – more than twice as much as domestic EU investors. These findings suggest negative effects from GDPR on nascent European technology ventures, particularly vis-à-vis foreign investors.

If foreign investors are indeed pulling back, one would anticipate a shrinkage in the geographic distance between investors and ventures in the EU. Our results indeed confirm this conjecture. Relative to their U.S. counterparts, the geographic distance between EU ventures and their lead investors shrinks by between 12.4 and 27.5 percent, on average, after the rollout of GDPR, if the venture has raised investment both before and after GDPR. Furthermore, lead investors in previous EU venture deals, relative to their U.S. counterparts, are less likely – a 31.7 percent decrease – to continue to be the lead investors in subsequent rounds for the same ventures after GDPR. Again, the negative effect is more pronounced for foreign investors.

In short, our analyses suggest that, no matter how we cut the data, GDPR appears to be driving distant investors to pull back more from investing in EU technology ventures, particularly younger ventures, independent of whether those investors have previously invested in a particular venture or not, and independent of whether the venture is business-facing or consumer-facing.

Why do domestic investors and others located closer to EU ventures appear to be more optimistic post GDPR? Local investors may be more confident in their information about the extent of local enforcement and compliance costs. They may be able to reduce or better handle risks and uncertainty due to their localness to their portfolio ventures. They may also have worse outside options relative to investors located in the U.S. and in the rest of the world.

Short of these local “advantages,” foreign investors could syndicate more with local investors to dampen potential concerns about the information asymmetries and due diligence costs. To explore this possibility, we group deals in our dataset into three subsamples: (i) deals with foreign lead investors and domestic or same-union co-investors (deals with only foreign investors are relatively sparse in our sample, comprising about 1.3 percent), (ii) deals with non-foreign lead investors and foreign co-investors, and (iii) deals with only non-foreign investors. Our results suggest a more pronounced negative effect from GDPR on the first group – deals with foreign lead investors – indicating that our findings continue to hold even when foreign lead investors syndicate with local investors.

As similar data regulations roll out in other states and countries, would we expect to see similar consequences? It is difficult to generalize the results outside our statistical framework. Every jurisdiction has its own considerations and may thus adopt different regulatory approaches and enforcement plans. The recently enacted California Consumer Privacy Act, for example, in contrast to GDPR, utilizes an opt-out approach whereby firms, by default, can collect customer data. The difference between opt-in and opt-out default regimes, while seemingly subtle, may have significant market consequences as shown in other contexts (Kim & Wagman, 2015).¹¹

That being said, our findings do send a general message about data regulation: Policymakers considering any regulatory policy that aims to alleviate privacy and data concerns need to be cognizant of its potential effects on different investor types. For instance, a country that relies more on foreign investment may suffer larger decreases in venture capital upon implementing stricter data protections. By contrast, another country that tends to export larger amounts of investment may benefit from the perspective of retaining more venture capital for its own domestic firms once the other country adopts more stringent data policies. Our results thus point to a Prisoner’s Dilemma situation in some sense, where, under some objectives, each country may unilaterally have a dominant strategy to implement lax data policies in its home market, even if a more stringent data ruleset across the world may be welfare enhancing if all countries could commit to this ruleset.

While our sample comprises technology venture investments made up to a year and half after GDPR was rolled out, the effects we identify may have longer-run consequences: European technology ventures that could have benefited from access to foreign investors’ networks, marketing and revenue channels, as well as mentoring and expertise, may have failed to realize those benefits and opportunities, or ceded ground as a result to foreign competitors. Technology is a fast-moving market, with newer ventures often offering products and services that layer on top of their older counterparts’ products and platforms; consequently, short-run disruptions can have long-term effects, particularly if foregone benefits and opportunities translate to more of those older platforms being offered by foreign firms further down the line.

1 This work was completed while Jian Jia was a doctoral student in finance at the Stuart School of Business, Illinois Institute of Technology, Chicago, IL. Email: jjia5@hawk.iit.edu.

2 Department of Economics, University of Maryland, Baltimore, MD. Email: ginger@umd.edu.

3 Stuart School of Business, Illinois Institute of Technology, Chicago, IL. Email: lwagman@stuart.iit.edu.

4 Acquisti, A, C Taylor and L Wagman (2016), “The economics of privacy,” Journal of Economic Literature 54(2): 442–492.

5 Taylor, C. & L. Wagman (2014), “Consumer privacy in oligopolistic markets: Winners, losers, and welfare,” International Journal of Industrial Organization 34(1): 80–84.

6 Campbell, J., A. Goldfarb & C. Tucker (2015), “Privacy regulation and market structure,” Journal of Economics & Management Strategy 24(1): 47–73.

7 Krasteva, S., P. Sharma & L. Wagman (2015), “The 80/20 rule: Corporate support for innovation by employees,” International Journal of Industrial Organization 38(1): 32–43.

8 Jia, J., G. Z. Jin & L. Wagman (2020a), “The short-run effects of GDPR on technology venture investment,” Marketing Science, forthcoming; Jia, J., G. Z. Jin & L. Wagman (2020b), “GDPR and the Localness of Venture Investment,” SSRN working paper # 3436535.

9 Jia, J., G. Z. Jin & L. Wagman (2020b), “GDPR and the Localness of Venture Investment,” SSRN working paper # 3436535.

10 Bertrand, M., E. Duflo & S. Mullainathan (2004), “How much should we trust differences-in-differences estimates?” Quarterly Journal of Economics 119(1): 249–275.

11 Kim, J. H. & L. Wagman (2015), “Screening incentives and privacy protection in financial markets: A theoretical and empirical analysis,” RAND Journal of Economics 46(1): 1–22.