Europe has led the world in protecting consumers’ privacy. E-commerce companies catering to European customers had to comply with the European General Data Protection Regulation (GDPR) starting in May of 2018. Now, many states in the U.S. are adopting similar legislation. California’s Privacy Rights Act and Virginia’s Consumer Data Protection Act went into effect on January 1, 2023, while the Colorado and Connecticut Privacy Acts will become operative on July 1, 2023.
How GDPR Changed European Companies’ Tech Stacks
As companies adapt their IT infrastructure to deal with new privacy regulations, they are coming up against a tradeoff between flexibility and efficiency. Highly integrated technologies facilitate the exchange and use of customer data. The problem is that these very interdependencies are an obstacle on the path toward compliance. Their efficiency has become a liability. That raises an interesting paradox. Can companies achieve competitive advantage by deploying less integrated technologies? To explore this, the authors of this article conducted a large-scale empirical study of 400 e-commerce firms to understand the implications of the tension between efficiency and flexibility on firm performance in response to GDPR. They found that firms that had built their websites for efficiency, electing tightly integrated services from closely linked suppliers, suffered disproportionately when GDPR came into force. In contrast, companies that deployed new combinations of technologies not extensively used before performed much better.