Impact of the GDPR on the Global Mobile App Market:

Digital Trade Implications of Data Protection and Privacy Regulations

ABSTRACT

While regional data protection and privacy regimes are often cited as major barriers to cross-border

digital trade, mitigating consumer privacy concerns through regulations can potentially increase the

demand for foreign digital products or services. This study presents empirical evidence on this issue by

examining the impact of the General Data Protection Regulation (GDPR) on the global mobile app

market. We construct a comprehensive dataset of apps distributed by Apple’s App Store over a 26-month

period covering the enactment of the GDPR and employ econometric models to analyze the regulation’s

effects on app trade between country pairs. Contrary to assertions that regional data protection and

privacy regulations impede digital trade and aggravate fragmentation, the empirical results demonstrate a

significant increase in top-performing foreign apps compared to native ones in the European Union (EU)

countries post-GDPR. We further conduct a series of analyses to explore the underlying mechanisms

potentially driving these effects from both the supply and demand sides. Our findings lend support to the

demand-side mechanism whereby the GDPR helps alleviate consumer privacy concerns and provides

reassurance in adopting foreign digital products.

Keywords: Data protection and privacy regulations, digital product, GDPR, digital trade, mobile apps

1. Introduction

Digital trade encompasses “all international trade that is digitally ordered and/or digitally delivered”

(IMF 2023).¹ The global shift towards digitalization has underscored the pivotal role of digital

technologies in facilitating trade. Digital trade empowers businesses to access global markets more

readily and fuels trade activities in sectors involving the digital delivery of goods and services. According

to the U.S. Bureau of Economic Analysis (BEA 2023), in 2022, the United States exported digitally

deliverable services valued at $626 billion, constituting 75% of the nation’s total service exports. On a

global scale, the worth of digitally deliverable services has exhibited consistent growth, with an average

annual rate of 8.1% since 2005. The United Nations Conference on Trade and Development (UNCTAD

2023) reported that the global value of digitally deliverable service exports surpassed $3.9 trillion in

2022, accounting for 55% of total service exports. Moreover, in light of the anticipated transformative

impact of artificial intelligence (AI) in international trade (e.g., Goldfarb and Trefler 2019), digital trade

is expected to become the standard practice across nearly all industries worldwide (OECD 2022).

As the world becomes increasingly interconnected by digital trade, however, concerns regarding

data privacy, cybersecurity, and national security issues have surged (e.g., Cory and Dascoli 2021).

Governments and regional organizations have responded by implementing new regulations that impose

stricter rules on privacy and data protection. Prominent examples include the General Data Protection

Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA), and the

Personal Information Protection Act (PIPA) in South Korea. These regulations have sparked heated

debates about their potential impact on innovation and digital trade (e.g., Goldfarb and Trefler 2019,

Meltzer 2019, United States International Trade Commission (USITC) 2017).

On the one hand, it has been argued that under a laissez-faire approach, existing privacy frictions

will hinder innovation and impede the expansion of the global digital economy (e.g., Barbier et al. 2015,

1 The IMF Handbook (2023) further defines digitally ordered trade as “the international sale or purchase of a good or service,

conducted over computer networks by methods specifically designed for the purpose of receiving or placing orders,” and digitally

delivered trade as “all international transactions that are delivered remotely in an electronic format, using computer networks

specifically designed for the purpose.”

Pepper et al. 2016). From this perspective, new regulations are urgently needed to mitigate concerns over

data processing and transmission as well as to facilitate the liberalization of trade in digital goods and

services. Notably, the World Economic Forum (2020) has called on regulators to promote greater

transparency, increase trust and confidence, and ensure system-wide efficiency and safety.

Meanwhile, researchers and governmental agencies also point out that strict data and privacy

regulations may put many opportunities at risk. These regulations are often criticized for slowing

innovation in emerging technologies, undermining the economic benefits of digital trade, and contributing

to fragmentation in international trade (e.g., Azmeh et al. 2020). Regional privacy regulations are also

viewed as a form of disguised digital protectionism (e.g., Ferracane et al. 2018). The USITC (2017) notes

that data protection and privacy regulations restrict data flow and impede digital trade in major global

markets. Moreover, citizens and policymakers around the world disagree on where and how to regulate

cross-border information issues such as intellectual property, privacy, cybersecurity, and censorship

(Castro and Atkinson 2014, Daigle 2015, World Bank 2016). Without a comprehensive understanding of

the various effects of data and privacy regulations, striking the right balance between harnessing the

benefits of digital connectivity and mitigating the risks remains a significant challenge (Ciuriak and

Ptashkina 2020, Cory 2020). The main objective of this study is to develop insights into the potential

impact of data and privacy policies on digital trade.

Specifically, we examine the effects of the EU’s GDPR on the cross-border trade of mobile apps.

We define the “exporter country” of an app as the country where its publisher is headquartered and the

“importer country” as the country where the app is downloaded and used. To analyze the trade patterns,

we collect the apps’ publisher country and their rankings on the charts of top-performing apps in the

importer countries. This allows us to construct a unique dataset of worldwide market performance of apps

covering 27,745 exporter-importer country pairs over a 26-month period from 2017 to 2019. With this

dataset, we examine how the GDPR, enacted in May 2018, influenced the performance of both native and

foreign apps in the EU markets. This empirical question holds particular importance for understanding the

economic implications of the GDPR because of its territorial scope: The GDPR protects the personal data

of all EU residents, regardless of where the data-processing entity is located. Thus, both EU and non-EU

apps offered in the EU are subject to the GDPR, and their market performance may both have changed as

a result. Our analysis reveals a significant impact of the GDPR on the top performing apps. We observe a

notable increase in the percentage of non-EU apps and a corresponding decrease of EU apps within the

top charts of the GDPR countries. The observed effects exist for both free and paid apps and are robust

across a comprehensive set of post-hoc analyses and robustness checks.

We investigate the underlying mechanisms behind the observed effects, considering possible

explanations from both the demand and supply sides. On the supply side, EU publishers might prioritize

GDPR compliance owing to their EU user base, which could potentially hurt app quality in comparison to

non-EU apps (referred to as the quality effect). In addition, compliance burdens could deter new entrants

and prompt existing publishers to exit, thereby altering the overall composition of the market (referred to

as the composition effect). On the demand side, the GDPR’s standardized regulations might bolster EU

consumers’ confidence in data protection, narrowing the gap in their privacy concerns between foreign

and native apps (referred to as the reassurance effect).

We perform a series of additional analyses to test these effects. Notably, we do not find strong

evidence supporting the supply-side effects, through quality or composition dynamics, as the main driver

of the changes. To test the quality effect, we assess the performance of EU and non-EU apps outside the

GDPR region. We find no evidence that any difference in compliance burdens had negatively affected the

performance of EU apps in the top charts of non-EU countries. To examine if the shift in the composition

of EU and non-EU apps in the EU market was the main catalyst of change, we conduct analyses at both

aggregate and individual-app levels. At the aggregate level, the composition effect predicts changes in the

characteristics of top apps in the EU, including their average age, turnover rate, and average publisher

size. However, we do not find evidence to confirm the post-GDPR change in any of these dimensions, as

predicted by the composition effect. Further, we examine the GDPR impact on the performance of

individual apps that remained active in the EU market both before and after its enactment. For this group,

we again find significant impacts that have the same signs as in our main country-pair analysis. This

result cannot be explained by the composition effect, since if the change in entry and exit of EU publishers

had favored foreign apps, it should have also benefited the native apps remaining in the market. Together,

these results suggest that while the quality and composition effects were operative to varying extents in

the market, they are unlikely to be the primary driving forces behind the observed shifts in the top-

performing apps within the EU.

In contrast, we find affirmative evidence that aligns with the reassurance effect of the GDPR on the

demand side. Demand-side mechanisms indicate a significant moderating role of privacy concerns.

Previous literature shows that paid apps are associated with fewer privacy concerns than free apps

(Kummer and Schulte 2019). In line with this, we find the impact on top-performing apps was larger for

free apps than paid apps. Moreover, our analysis also demonstrates that the GDPR’s effect was

particularly significant within app categories characterized by more data requirements, and it was most

pronounced in EU countries with the highest privacy-sensitivity scores. Post-GDPR, the EU top charts

also showed increased app turnover and featured a higher proportion of apps with an unknown publisher

country. Overall, these results align with the idea that the GDPR reduced demand-side frictions,

mitigating privacy concerns and boosting consumer confidence in new foreign digital products.

This study contributes to the existing literature in several important ways. First, it joins the rapidly

growing literature on the economic impact of the GDPR (see Johnson 2022 for a comprehensive survey).

To the best of our knowledge, this is the first empirical study to examine the impact of the regulation’s

territorial coverage on cross-border digital trade. Our investigation into the supply- and demand-side

mechanisms builds on the important findings of previous GDPR studies and contributes to the

understanding of the GDPR’s multifaceted impact on global trade (Goddard 2017, Chen et al. 2022).

Second, our study also relates to the literature concerning the law of gravity and home bias in online and

digital trade (e.g., Blum and Goldfarb 2006, Gomez-Herrera et al. 2014, Potluri et al. 2020). Privacy

researchers have pointed out that clearly communicated privacy protection and improved control over

data collection can alleviate privacy concerns, foster trust, and augment data allowances and disclosure

(e.g., Cavusoglu et al. 2016, Godinho de Matos and Adjerid 2022). Consistent with this view, our results

suggest that strict privacy regulations can provide assurance and, to a certain extent, mitigate home bias in

digital trade. Lastly, our research enriches the literature on privacy issues in the context of mobile apps

(e.g., Janssen et al. 2022, Kummer and Schulte 2019, Mayya and Viswanathan 2022) by highlighting the

GDPR’s effects on both the supply and demand sides of this important digital product market.

Regional privacy regulations have been criticized as barriers erected by nation-states to compete for

power in cyberspace, potentially contributing to “Internet Balkanization” (e.g., Meltzer 2019, Nicola and

Pollicino 2020, USITC 2017). In contrast, the evidence we present shows that privacy regulations,

regardless of the true intentions behind their enactment, can in effect reduce privacy concerns towards

foreign products on the demand side and promote cross-border digital trade. To some extent, this supports

the proposal of “embracing national interest over global Internet” (Mueller 2017). In this regard, our

study provides insights into the potential benefits of implementing strict and transparent data protection

regulations in facilitating digital trade.

The remainder of this study is organized as follows. After introducing the background of the GDPR

and reviewing the relevant literature, we describe our dataset, present model-free evidence, and report the

empirical results of the main econometric model. This is followed by supplementary analyses and

robustness checks to validate our findings. We then discuss and investigate the underlying mechanisms

that could drive the observed results. Finally, we summarize our findings and highlight their academic

and practical contributions.

2. Institutional Background and Related Literature

In this section, we first introduce the key elements of the GDPR in relation to the focus of our study.

Next, we review the related literature on (1) the GDPR and digital trade, (2) privacy issues in the context

of mobile apps, and (3) consumer privacy decision-makings.

2.1 Institutional Background of the GDPR

The GDPR is a significant and influential EU regulation that governs the processing of personal data.

Enacted in May 2018, it applies to 31 EU and European Economic Area (EEA) countries.² The regulation

aims to standardize data processing practices, prevent data misuse, and protect consumer privacy. Article

4 of the GDPR defines “personal data” as any information relating to an identified or identifiable person

and broadly defines “data processing” as any operation or set of operations on personal data, including its

collection, storage, structuring, analysis, and retrieval. The regulation provides six legal bases for

processing personal data. Among them, the legal basis that has caused the most noticeable changes in

consumer-facing applications is “consent,” defined in Article 6(1a): Under this provision, firms are

required to obtain explicit individual consent for processing personal data for specific purposes. Article 7

of the regulation establishes a high standard for consent and ensures that individuals can easily update or

withdraw their consent, thereby granting them better control over data collection.

In addition, the GDPR grants consumers other data rights, such as the rights to access, rectify, and

erase their personal data. Meanwhile, firms and organizations that process personal data must adhere to

the principle of data minimization, meaning they should only collect data that is necessary for their

purposes. They are also required to maintain records of their data processing activities and provide

individuals with the means to exercise their data rights, such as correction and erasure. For firms dealing

with a large amount of highly sensitive data, they need to designate a data protection officer. Furthermore,

the GDPR mandates that firms report data breach incidents to regulators and promptly notify affected

consumers. Finally, non-compliance with these requirements can result in substantial fines, reaching up to

20 million euros or 4% of the firm’s global annual revenue, whichever is greater.³

2 For conciseness, we refer to these 31 countries, including those in the EEA, as either “EU countries” or “GDPR

countries” henceforth.

3 For services offered without charge, violations can still result in fines. The CMS.Law GDPR Enforcement Tracker

(https://www.enforcementtracker.com) provides an overview of fines imposed by EU authorities under the GDPR.

Our empirical context is the mobile app market, which has emerged as a prominent globalized

digital product market connecting millions of app developers with billions of smartphone owners.⁴ The

GDPR imposes obligations on developers and publishers offering apps in the EU to implement the above

privacy and data protection requirements. Campanile et al. (2022) and Castelluccia et al. (2017) provide

several design strategies tailored for software and mobile app developers to ensure compliance with

privacy protection.⁵ Overall, the costs of becoming compliant with the GDPR are substantial. We discuss

how these compliance costs may influence our findings when investigating the economic drivers of our

results.

It is important to note that the GDPR’s scope extends to the personal data of all EU residents,

regardless of where their data is processed. In our context, it means the regulation applies not only to app

publishers located within the EU but also to non-EU publishers offering their apps to EU residents. This

explicitly extraterritorial reach of the GDPR is a key motivation for our study examining the effects on

digital trade of apps and has important consequences for various aspects of our empirical investigation, as

detailed later in the paper.

2.2 Related Literature

2.2.1 GDPR and Digital Trade

The literature documenting the impact of personal information and privacy regulations is extensive,

dating back well before the GDPR (e.g., Acquisti et al. 2016, Adjerid et al. 2016, Goldfarb and Tucker

2011, Hoel and Iversen 2002, Kim and Wagman 2015, Miller and Tucker 2009). Since the enactment of

the GDPR, its unique breadth and depth has inspired a rapidly growing body of new studies specifically

examining its intended and unintended consequences across diverse domains, including website traffic

4 For statistics on global smartphone users and app developers, refer to

https://www.statista.com/statistics/330695/numberofsmartphoneusersworldwide/

and http://www.businessofapps.com/12millionmobiledevelopersworldwidenearlyhalfdevelopandroidfirst/.

5 For example, apps should limit their access to sensors (e.g., GPS, cameras, microphones, and biometric scanners)

and locally stored data (e.g., pictures and contacts) to the minimum necessary for the proper functioning of the app.

and technology (Aridor et al. 2022, Goldberg et al. 2023, Johnson et al. 2023, Lefrere et al. 2022, Peukert

et al. 2022), online search (Zhao et al. 2021), advertising (Godinho de Matos and Adjerid 2022), new

ventures (Janssen et al. 2022, Jia et al. 2021), and the personal data market (Ke and Sudhir 2022).

Johnson (2022) provides an overview of this literature, focusing on the impact of the GDPR on

consumers and firms. Our study aims to advance the research frontier by examining the GDPR’s impact

through the lens of cross-border digital trade. Our investigation into the underlying mechanisms driving

the effects on app trade builds on the findings of existing studies. Moreover, the important issues

discussed in Johnson (2022) relating to the global impact of the GDPR and the observability of

compliance also hold direct implications for our analysis, which we discuss later in the paper.

Our analysis focuses on comparing the performance of native and foreign apps. One stream of

literature related to this focus documents the law of gravity and home bias in online and digital trade (e.g.,

Blum and Goldfarb 2006, Cowgill et al. 2013, Gomez-Herrera et al. 2014, Potluri et al. 2020). The

potential impact of the GDPR on digital trade has been discussed in policy-oriented works. For example,

Meltzer (2019) suggests that the GDPR might impede data flows and create trade barriers. Campanile et

al. (2022) point out that the GDPR’s strict requirements could lead to high compliance costs and

increased operational complexities, particularly in the software industry, impacting developers’ ability to

compete in the global market. Chen et al. (2022) find that compliance costs associated with the GDPR

reduced financial performance for global technology firms targeting EU consumers. On the demand side,

the rules and standards imposed by the GDPR are anticipated to foster trust and confidence among

consumers in global data flows (e.g., Yakovleva and Irion 2020). However, to the best of our knowledge,

there exists no empirical study that examines the impact on digital trade using large-scale datasets. This is

an important gap our paper seeks to fill.

2.2.2 Consumer Privacy in the Context of Mobile Apps

Given our research context, this study is also closely related to the literature on privacy issues in the

context of mobile apps. The common theme of this literature centers around the interplay among privacy

policies, data collection practices, and market structure and dynamics. For instance, Kesler et al. (2020)

study the correlation between apps’ market power and their data collection tendencies. Kesler (2023)

examines the impact of Apple’s App Tracking Transparency Framework on app monetization strategies.

Bian et al. (2021) demonstrate how policies of data collection disclosure can influence app demand.

Mayya and Viswanathan (2022) propose a measure of privacy sensitivity using Android apps’ permission

requests and examine developers’ upgrade decisions in response to platform policy change. Kummer and

Schulte (2019) emphasize the tradeoff between monetary costs and privacy gains, finding that an app’s

ability to collect private information is an important factor considered by both app publishers and users.

Janssen et al. (2022) focus on the broader implications of the GDPR on the dynamics of entry and exit

and overall consumer surplus, revealing that the high compliance costs imposed by the GDPR hinder

innovation and deter entry, undermining the availability of potentially valuable apps to consumers. To

understand the end-user perspective on these changes, Al-Natour et al. (2020) explore how privacy

concerns and uncertainties can shape user intentions and behaviors in the app market. Collectively, this

body of research underscores the complex relationship between regulatory changes and user responses

from both supply and demand sides. Our study complements these insights by analyzing how the GDPR

affects cross-border trade of apps through these supply- and demand-side effects.

2.2.3 Consumer Privacy Decision-Making

Early privacy research emphasized efficient data use (Posner 1981, Stigler 1980) while often neglecting

the impact of consumers’ privacy concerns on product adoption. Information systems (IS) research shows

that data protection regulations can enhance consumer trust by reducing privacy risks (Awad and

Krishnan 2006, Hui et al. 2007, Tang et al. 2008) and firms’ misuse tendencies (Lee et al. 2011).

Privacy decision-making research also highlights the direct impact of data and privacy regulations

on consumer concerns, perceived risks, and trust. Perceived control over their data decreases consumer

concerns (Dinev and Hart 2006), and the transparency of the regulation further bolsters trust (Godinho de

Matos and Adjerid 2022). Lower privacy concerns boost personal data sharing in location-based services

(Xu et al. 2012), mobile apps (Wottrich et al. 2018), social networks (Cavusoglu et al. 2016, Stutzman et

al. 2013) and advertising (Johnson et al. 2020). Gerber et al. (2018) show that disclosure decisions tie to

perceived benefits. Notably, the GDPR’s requirement for consumer consent increases data sharing and

enhances targeted marketing (Godinho de Matos and Adjerid 2022). Our context is the mobile app

market, where research shows that numerous apps personalize user experience using data from

interactions (e.g., Bertschek and Kesler 2022 and Tambe et al. 2012). This increased data access often

raises privacy concerns that influence users’ app download intentions, especially in markets where trust in

foreign businesses and regulations is low (Pew Research Center 2015). Our investigation regarding the

demand-side mechanism builds on these findings and provides new insights into the GDPR’s impact on

perceived privacy risks of digital products.

3. Data and Measures

3.1 Data

Our dataset consists of top-performing apps in 155 countries or regional markets (henceforth, countries)

served by Apple’s App Store.⁶ The App Store provides country-specific top charts, such as “Top Free”

and “Top Paid” apps, which represent the most downloaded and used apps at the individual market level.⁷

For each country, we recorded the top free and paid apps daily (along with their store listing information

such as title, release date, publisher, and category) from March 3, 2017 to April 30, 2019.

To reconstruct the pattern of cross-border trade of apps, the key additional information needed was

each app’s country of origin, which we define as the country where the app publisher is headquartered.

Collecting publisher country information was challenging because it is not programmatically retrievable

6 Appendix A provides the complete list of App Store countries. Our dataset includes 30 of the 31 GDPR countries

(except Liechtenstein).

7 While the exact algorithm used by Apple to generate the top charts is proprietary, it is widely accepted in the

industry and by researchers and experts in the field of mobile apps (refer to Blacker 2022 and Shaine 2022) that an

app’s ranking is determined based on four main factors: (1) total number of downloads/installs, (2) trends in daily

downloads and re-installs, (3) consumer rating scores, and (4) daily usage. Therefore, the ranking in the top charts is

a composite metric of app performance capturing downloads, usage, and engagement. Using the top chart ranking to

assess sales and user demand is also a long-standing practice in the prior literature (e.g., Garg and Telang 2013, Lee

and Raghu 2014, Liang et al. 2019).

from the App Store.⁸ To ensure comprehensive coverage for our sample of apps, we leveraged several

different data sources to perform the following steps. First, using data from a commercial mobile app

analytics service, we augmented our dataset by matching the official App Store app identification number

with publisher information provided by the service. Second, for cases where publisher information was

unavailable, we attempted to utilize the relevant app metadata, including the description, privacy policy,

developer website and support URLs, to identify the publisher country. Lastly, we resorted to manual

search (i.e., by using search engine and third-party app tracking sites) and inquiry (i.e., by communicating

with the app’s customer service team via email and social media) for the remaining apps.

Due to the substantial time and labor needed in acquiring publisher country information, we

construct two different samples to balance the coverage of countries and apps. The main sample includes

all 155 App Store countries and the daily top 30 free apps per country. We choose to focus on free apps in

our main sample because advertising is the primary revenue source for free apps; consequently, we expect

free apps to be more susceptible to the impact of privacy and data regulations than paid apps. For the

secondary sample, used for robustness analyses, we restrict the country selection to the top 50 countries

based on their smartphone penetration rates.⁹ However, we expand the app selection to include the daily

top 100 free apps and top 30 paid apps per country in this sample.

Despite our extensive efforts, we could not identify publisher country information for

approximately 41.6% of the distinct apps in our main sample and 11.8% of the distinct apps in our

secondary sample. The distribution of apps with missing publisher country information skews towards

those that reached the top charts infrequently and those outside the EU market. When considering the top

chart slots occupied by apps with missing publisher country information, the missing rate is much lower

8 Although publisher country is not separately listed for each app, there are several places on the app detail page

where users can potentially gather cues about an app’s country of origin. These cues may be found in the app

description, seller/developer name, support website, social media accounts, and privacy policy, among others. In our

later analysis, we also conduct robustness checks on our results concerning the salience of publisher country

information from the user’s perspective.

9 Refer to Appendix A for the list of the top 50 countries, sourced from Wikipedia:

https://en.wikipedia.org/wiki/List_of_countries_by_smartphone_penetration.

at 8.9% for the main sample (and even lower at 2.9% for the EU top charts) and 6.7% for the secondary

sample. We deal with apps lacking publisher country information in two complementary ways in

subsequent analyses. First, given our focus on comparing the performances of apps published within and

outside the GDPR region, we exclude apps with unidentified publisher country in our main analysis,

considering the fact that we could not identify the publisher country despite our best efforts suggests it

could be even more difficult for app users to ascertain their country of origin. Second, we include these

apps as a separate group in an additional analysis. The performance of these apps on the top charts can

reveal important information about consumers’ attitudes and preferences towards products that potentially

involve a higher level of uncertainty regarding privacy risks.

3.2 Model-Free Evidence

In this subsection, we use our main sample to provide model-free evidence concerning the impact of the

GDPR on the relative performance of native (whose publisher country is within the EU) and foreign apps

(whose publisher country is outside the EU) in EU countries. First, we calculate the average number of

native and foreign apps on the top 30 charts before and after the enactment of the GDPR. Taking the

mean across EU countries, Table 1 shows an average of 9.42 (7.74) native and 18.52 (20.47) foreign apps

before (after) the GDPR. The paired sample t-test shows that the differences in these numbers are

statistically significant at the 0.1% level, suggesting that the GDPR’s enactment was accompanied by an

increase in the number of top-performing foreign apps relative to native ones in EU countries.

Table 1. Model-Free Evidence: Average Number of Native and Foreign Apps among EU Countries’

Top 30 Free Apps Before and After the GDPR

Before GDPR

After GDPR

Difference

(After – Before)

Avg. number of native apps

9.42

7.74

-1.68

(𝑝 < 0.001)

Avg. number of foreign apps

18.52

20.47

+1.95

(𝑝 < 0.001)

Note: Averaging is first performed within each month to handle random missing days. The table values are then

obtained by computing the mean across both countries and months. The column “Before GDPR” utilizes 420

observations (30 countries × 14 months), while the column “After GDPR” is based on 360 observations (30 countries

× 12 months). Column sums are smaller than 30 due to top apps with an unknown publisher country.

Next, we examine the temporal change in the performance of EU and non-EU apps in both EU and

non-EU countries. We aggregate the countries in our main sample into EU and non-EU groups and

calculate the percentages of EU and non-EU apps among the top 30 in each region for each month

(excluding apps with missing publisher country information).

(a)

(b)

(a). Performance of Non-EU Apps (b). Performance of EU Apps

Figure 1. Model-Free Evidence: Temporal Change in the Performance of EU and Non-EU Apps in

GDPR and Non-GDPR Countries

As shown in Figure 1 (a), the proportion of non-EU apps on the top charts of countries covered by

the GDPR (blue line) increased compared to non-GDPR countries (red line). In Figure 1 (b), we observe a

decrease in the proportion of EU apps on the top charts of the GDPR countries (blue line) compared to

non-GDPR countries (red line). We present time series graphs for four countries, including two under the

GDPR and two not, in Figure B1. Figure B2 in Appendix B shows the trends for six additional GDPR-

impacted countries, demonstrating similar results at the individual country level.

In summary, the model-free analysis indicates that post-GDPR, the top charts in EU countries

featured more foreign apps and fewer native apps. Next, we proceed with econometric analyses to better

understand the impact and the underlying mechanisms driving this shift.

3.3 Key Variables in the Main Model

For the main analysis, we adopt a panel structure for our dataset that resembles the gravity model

specification commonly used in the international trade literature (e.g., Anderson 2011). Specifically, we

organize the data into pairs of exporter-importer countries and aggregate the observations at the monthly

level. We use 𝑖 to denote an exporter country (publisher country), 𝑗 for an importer country (user

country), and 𝑡 to index the month. The panel consists of 27,745 country pairs, including 179 and 155

distinct exporter and importer countries respectively, observed over 26 months.

The dependent variable measures the performance of an exporter country’s apps in an importer

country in a given period. We define 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡 as the percentage of country i’s apps in country 𝑗’s

top charts in month 𝑡,¹⁰ where a larger value indicates better performance of country 𝑖’s apps in country 𝑗

in month 𝑡. For robustness, we also use the absolute number 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡𝑖𝑗𝑡, which is the daily average

count of apps from country 𝑖 in country 𝑗’s top charts, as an alternative measure.

The main independent variables are two binary indicators: 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 and 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡. 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 equals

one in the post-GDPR period—May 2018 to May 2019 in our panel—for country pairs where both

countries are within the GDPR region. 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 is an indicator that equals one in the post-GDPR period

if importer 𝑗 is in the GDPR region while exporter 𝑖 is not. Appendix C presents summary statistics and

Pearson’s correlation coefficients of the key measures, along with descriptive statistics for an expanded

list of variables used in the analyses.

4. Empirical Results

4.1 Main Model and Results

Our main model estimates the impact of the GDPR on app trade at the country-pair level. The model can

be understood as adopting the difference-in-differences (DID) design from the event study literature. Our

treatment event is the enactment of the GDPR in May 2018. Since the GDPR protects EU consumers and

applies to all apps sold in the EU, irrespective of the publisher’s location, two groups of country pairs are

directly affected: (1) country pairs where both the exporter and importer are in the GDPR region and (2)

10 We exclude apps with unidentified publisher countries when calculating 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡. For a given month, we

first calculate the percentage at the daily level and then take the average percentage for the days with complete data.

country pairs where the importer is in the GDPR region while the exporter is not.¹¹ We focus on these two

groups as the two treatment groups. The model specification is as follows:

𝑌𝑖𝑗𝑡 = 𝛽0 + 𝛽1𝐺𝐷𝑃𝑅𝑖𝑗𝑡 + 𝛽2𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 + 𝛾𝑖𝑗 + 𝜕𝑡 + 𝜌𝑖𝑡 + 𝜃𝑗𝑡 + 𝜀𝑖𝑗𝑡,

(1)

where the dependent variable 𝑌𝑖𝑗𝑡 is either 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡 or 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡𝑖𝑗𝑡. The two indicators 𝐺𝐷𝑃𝑅𝑖𝑗𝑡

and 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 capture the treatment effects of the GDPR on app trade between two EU countries and

trade from a non-EU country to an EU country, respectively.¹² 𝛾𝑖𝑗 controls for time-invariant country-pair

fixed effects, such as geographical proximity and cultural similarity, while 𝜕𝑡 controls for time fixed

effects. In addition, we also include 𝜌𝑖𝑡 and 𝜃𝑗𝑡 , denoting exporter-year and importer-year fixed effects.

Finally, 𝜀𝑖𝑗𝑡 is an unobserved error term. Similar model specifications have been used in the international

trade literature to study the effects of regional trade agreements (e.g., Baier and Bergstrand 2007). We

estimate the equation using our main sample that consists of the top 30 free charts in 155 countries. In the

first set of regressions, we use the ordinary least squares (OLS) estimator with standard errors clustered at

the country-pair level. The results are presented in Table 2.

In Column (1) of Table 2, the dependent variable is 𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡)¹³ and we use the full

sample of country pairs. The results show that after the GDPR’s enactment, the performance of foreign

apps (𝐺𝐷𝑃𝑅−𝑖𝑗𝑡) on the top charts significantly increased, whereas that of native apps (𝐺𝐷𝑃𝑅𝑖𝑗𝑡)

significantly decreased. On average, the percentage point of an EU country 𝑖’s apps in another EU

country 𝑗’s top charts decreased by approximately 0.24, while that of a non-EU country 𝑖’s apps in EU

country 𝑗’s top charts increased by approximately 0.05. Using the numbers of EU and non-EU publisher

countries in our dataset (30 and 149, respectively), the result indicates that approximately 7% of the top

11 There could exist spillover effects to other regions. For example, non-EU publishers who did not serve the EU

market may voluntarily become compliant in anticipation of future privacy regulations in their own jurisdiction—an

example of the so-called Brussels effect. We note that such spillover effects should work against finding significant

results in our model.

12 The additional analysis in Section 5.1 also provides insights on the potential GDPR effects on app trade from an

EU country to a non-EU country and that between two non-EU countries.

13 We use the standard ln(1+x) transformation because the variable is highly skewed and zero values are present.

The results remain robust when using the un-transformed variable.

30 free apps in the GDPR countries changed from native to foreign apps. Given that app downloads and

usage are heavily skewed towards top-performing apps, this change is economically significant.¹⁴

The regressions in Columns (2) and (3) of Table 2 are variants of that in Column (1). In Column

(2), we use the (log-transformed) absolute number of top apps (𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡𝑖𝑗𝑡) as the dependent variable.

In Column (3), we use the subsample of country pairs where 𝑖 ≠ 𝑗; that is, we exclude within-country

trade and consider pure international trade. Across these results, we find robust and consistent effects of

the GDPR on the relative performances of EU and non-EU apps in the top charts of GDPR countries.

Table 2. OLS Results of the Main Model: App Trade between Country Pairs

Dependent Variable

(1)

(2)

(3)

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡) 𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡𝑖𝑗𝑡)

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡)

𝐺𝐷𝑃𝑅𝑖𝑗𝑡

-0.0024***

-0.0356***

-0.0020***

(0.000)

(0.004)

(0.003)

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡

0.0005***

0.0064***

0.0004***

(0.000)

(0.001)

(0.000)

Country Pair FE

Yes

Month FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

Estimator

OLS

Country Pairs

All

Excluding pairs 𝑖 = 𝑗

Number of Country Pairs

27,745

27,590

Observations

721,370

717,340

R-squared

0.969

0.896

0.969

Robust standard errors clustered by country pair in parentheses. *** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1

One potential concern is that the OLS estimator may not be able to adequately handle a large

number of country pairs with effectively zero trading volume. Moreover, clustering standard errors may

not address heteroscedasticity for the error term in the log-linear model. Guided by the methodology

literature (e.g., Silva and Tenreyro 2006), we re-estimate the model using the Poisson Pseudo Maximum

14 To translate the estimated 7% change into a dollar value, we reference statistics from a third-party mobile app

analytics firm. Their data suggest that in Germany, apps in the top 30 free chart of the iOS App Store generate an

average annual revenue of around 6 million dollars, and Germany’s total app market revenue is roughly 20.3% of

the EU total (based on 2022 statistics). Using these numbers for a back-of-the-envelope calculation, the economic

impact estimated from our main analysis is roughly 62 million dollars annually, within the top 30 free charts in the

EU.

Likelihood (PPML) estimator to address the zero-inflation and heteroscedasticity problems. The PPML

results are reported in Appendix Table D1. The estimates are qualitatively consistent with the results in

Table 2. Overall, after the enactment of the GDPR, foreign apps achieved better performance relative to

native apps in the GDPR countries.

4.2 Supplementary Analyses

To ensure the robustness of the results, we conduct a series of model identification and sensitivity checks.

These include examining the parallel trends assumption, performing placebo and falsification tests, and

using alternative samples of lower-ranked apps. Our results hold across these supplementary analyses.

Below we describe the rationale and results for each test. Due to the page limit, the details of the analyses

are provided in the online appendix.

4.2.1 Parallel Trends Assumption

The key assumption underlying the DID design is the parallel trends assumption: In the absence of the

treatment event, both the treatment and control groups should exhibit the same trend in the dependent

variable. To examine whether this assumption holds in our dataset, we conduct two tests. First, using a

subsample containing only pre-GDPR observations, we create a 𝑃𝑠𝑒𝑢𝑑𝑜_𝐺𝐷𝑃𝑅 indicator with the

(fictitious) GDPR enactment time set at the middle of the pre-treatment period (i.e., October 2017) and re-

estimate equation (1). As shown in Table E1 of Appendix E, we find no significant change in app trade

patterns before the GDPR. Second, we apply the relative time model to systematically evaluate the pre-

treatment trend and the dynamics of the GDPR effects over time. As detailed in Table E2 of Appendix E,

we find no significant pre-trend before the enactment of the GDPR. However, after the GDPR, the

estimates of the month-specific effects are statistically significant. Together, these findings suggest that it

is unlikely that the pre-treatment trends would have caused the observed effects we attribute to the GDPR

and that the observed effects appeared to persist, at least within the period covered by our dataset.

4.2.2 Synthetic DID

To enhance the robustness of our findings, we also apply the synthetic difference-in-difference (SDID)

approach of Arkhangelsky et al. (2021). While the parallel trends assumption is not violated in our

setting, there could still be the concern regarding the comparability between the EU and the rest of the

world as a group. The SDID method addresses this issue by creating “synthetic controls,” re-weighting

control units to best match the treated units prior to the treatment event.

The estimation procedure involves two steps. First, we calculate unit and time weights that

minimize the divergence in pre-treatment trends between the treated and control groups, as well as the

difference in outcomes between pre- and post-treatment periods for the control group. Second, we

estimate a weighted version of the main model, utilizing the weights from the first step. We use clustered

bootstrapping at the country-pair level for standard error estimation. The SDID results are reported in

Appendix F. According to the results, the GDPR effects are estimated to be statistically significant, and

their signs and sizes are consistent with those in Table 2. Since SDID puts more weight on control units

and time periods that are similar to the treated ones, this provides reassuring evidence to support the

robustness of our results with respect to the heterogeneity in the control group.

4.2.3 Other Alternative Explanations and Robustness Checks

To further validate if the association between the GDPR’s enactment and the change in the performance

of native and foreign apps in GDPR countries is causal, we conduct a systematic placebo test using the

permutation approach (Appendix G). Reassuringly, the placebo effects are estimated to be well centered

around zero, with an extremely low probability (𝑝 < 0.1%) of observing the actual effect by chance. The

results alleviate the concern that our estimated effects could have picked up some spurious relationship—

e.g., unobserved long-term behavioral changes in the EU that could trigger both the adoption of the

GDPR and the substitution of foreign apps for native ones (in which case the placebo effects should be

nonzero). Another concern that cannot be directly addressed by the tests above is that there might be

sudden changes (e.g., in the design or operation of the App Store) around the time of the GDPR’s

enactment that favored foreign over native apps. Although our search of industry reports and news articles

does not retrieve any anecdotal evidence supporting this alternative explanation, we nonetheless conduct a

falsification test for verification (Appendix H). We assume that at the same time as the GDPR was

enacted, (imaginary) privacy regulations were implemented in other regions of the world and then

estimate their effects on app trade into these regions. We do not find any statistically significant effects

for these pseudo-regulations. We also examine how our findings relate to the rise of app exporters in the

US and China (Appendix I). We find that apps originating from the two countries played a significant role

in the observed relationship between the enactment of the GDPR and the change in app trade. However,

this relationship is not solely driven by apps from the US and China, as the estimated effects remain

significant after excluding them from the sample. All these findings together provide further support that

the observed changes in the relative performances of foreign and native apps in EU countries were indeed

due to the GDPR rather than alternative explanations such as pre-existing time trends, unobserved long-

term behavioral changes, or idiosyncratic country effects.

Finally, we test whether our findings are robust to alternative model specification and data sample

used in estimation. Specifically, we conduct a country-level analysis using the main sample, and the

results, reported in Appendix J, are directionally consistent with our analysis at the country-pair level. We

also test whether the observed effects hold as we extend the set of apps beyond top 30 free charts. We

replicate the main regression using our secondary sample, which consists of the top 50 countries selected

based on their smartphone penetration rates. As shown in Appendix K, the results remain consistent for

the top 50, 80, and 100 free charts and align consistently with those in Table 2 for our main sample.

5. Underlying Mechanisms

Having established the credibility of the impact of the GDPR, we explore in this section the underlying

mechanisms potentially driving the observed changes, considering factors from both the demand and

supply sides. Table 3 provides an overview of the proposed mechanisms and the post-hoc analyses

conducted to investigate whether these mechanisms could explain our findings.

Table 3. Summary of Underlying Mechanisms

Supply Side

Demand Side

GDPR

Impact

• Increased compliance costs

• Reduced quantity and quality of

consumer data

• Enhanced confidence in privacy and

data protection

Proposed

Mechanisms

• Quality effect

EU publishers may face a higher

compliance burden due to their

primary user base being in the EU,

leading them to focus more on

compliance instead of app

development.

• Composition effect

The higher compliance burden may

result in relatively fewer entries and

more exits for EU publishers,

changing the composition of apps

available in the EU market.

• Reassurance effect

Before the GDPR, EU consumers

might have reservations about using

digital products from regions with

different privacy and data protection

standards. The GDPR’s transparency

and uniformity may provide

reassurance, foster consumer

confidence, and reduce privacy

concerns, potentially increasing the

demand for foreign apps relative to

native apps.

Analyses

• Frequency of app updates around

GDPR enactment

• App performance outside EU

• Change in the age of top apps

• Change in top chart turnover

• Change in publisher size of top apps

• App-level analysis

• Moderating effect of category-level

privacy sensitivity

• Heterogeneity effects across EU

countries

• Change in top chart turnover

• Change in the performance of apps

with an unknown publisher country

On the supply side, the enactment of the GDPR may have negatively impacted app publishers for

two main reasons. First, the GDPR requires app publishers to invest significant resources in implementing

privacy policies and data protection measures. This can involve redesigning their apps, investing in robust

data storage and security systems, obtaining user consent, and hiring legal experts and data protection

officers. Second, the GDPR limits the amount of consumer data that app publishers can collect and use,

making it more difficult for them to personalize their services and target users with data-driven

advertising. As a result, the GDPR may have a negative impact on the proper functioning of certain types

of apps as well as on the revenue potential of apps that rely on the advertising model.

Given these adverse effects, two supply-side mechanisms might be driving the outcomes observed

in our study. First, EU publishers, whose primary user base tends to be in the EU, might have higher

compliance rates than non-EU counterparts. The higher compliance rate would result in reduced resources

for marketing, development, and research activities, as well as a lower quantity and quality of user data

collected—these factors could then negatively influence the quality of EU apps compared to non-EU apps

(referred to as the “quality effect”).

Second, as shown in Janssen et al. (2022), the costs associated with GDPR compliance can create

substantial barriers for new app publishers entering the market. While the GDPR applies to both EU and

non-EU publishers, the negative entry effect could be more pronounced for EU publishers due to their

geographic and cultural proximity to the market (e.g., potential differences in enforcement and the

reputational risks they face in the market if non-compliant). In addition, the higher compliance burden

might lead more existing EU publishers to exit the market. This change in entry and exit patterns could

consequently result in a systematic shift in the composition of apps available in the EU market (referred

to as the “composition effect”).

On the demand side, the GDPR is expected to foster confidence among consumers in privacy and

data protection within the EU. Prior to the GDPR, there might have been reluctance among EU consumers

to use digital products from regions with differing standards and practices in consumer privacy and data

protection. Without stringent privacy regulations, information asymmetry could lead consumers to

preferentially trust and use digital products from geographically and culturally closer regions (e.g.,

Gomez-Herrera et al. 2014, Potluri et al. 2020). However, with the enactment of the GDPR, which

establishes a clear and consistent framework for both EU and non-EU suppliers, consumers may feel

more secure and open to exploring and adopting foreign digital products. This shift could reduce the

previous tendency to favor local products. As a result, the GDPR could have led to a more significant

increase in perceived privacy protections for non-EU apps relative to EU apps, thus contributing to the

enhanced performance of non-EU apps within the GDPR region (referred to as the “reassurance effect”).

In the following, we conduct analyses to assess whether the evidence from our dataset aligns with

the proposed quality, composition, and reassurance effects delineated above. It is important to emphasize

that our objective in devising these analyses is to investigate which of these mechanisms could have been

the primary driver(s) of the outcomes identified in the preceding section. We are not conducting formal

hypothesis testing on the existence of any of these effects. As previous studies have demonstrated, all of

these effects were likely at work to varying degrees and scales.

5.1 Quality Effect

Before testing the quality effect, we note that an important presumption underlying the argument is the

existence of a compliance disparity between EU and non-EU apps offered in the EU market. Whether this

is true in reality is unclear.¹⁵ To our knowledge, no empirical study has systematically examined the

difference, likely because compliance is multifaceted and difficult to observe (Johnson 2022). Since our

dataset contains version history for the sampled apps, we explore disparities in one aspect of compliance

by examining the frequency of version updates around the enactment of the GDPR. Our analysis, reported

in Appendix L, shows that while (both EU and non-EU) apps previously featured on EU top charts

released more updates around May 2018 than the rest of the sample, there was no significant difference in

update frequency between EU and non-EU apps within the group. We emphasize that this result does not

disprove a compliance difference, as redesigning the consumer-facing frontend represents only a portion

of the compliance effort. Nevertheless, it indicates that, in terms of app updates—the most observable

aspect of compliance for users to discern—there is no substantial evidence of a compliance gap during the

GDPR’s enactment.

15 Contradictory evidence has been documented regarding the compliance disparities between EU and non-EU firms

in other domains. For example, Hu and Sastry (2019) find that top non-EU websites did not achieve equivalent

compliance levels as their EU counterparts in terms of serving cookie notices. Conversely, Johnson et al. (2023) find

that after the GDPR’s enactment, foreign websites serving EU users exhibited a greater reduction in technology

vendor usage compared to EU-based websites. Their study attributes this higher compliance level for foreign

websites to the GDPR’ fine structure, which can reach up to 4% of a firm’s global revenue. Furthermore, Peukert et

al. (2022) and Schmitt et al. (2022) also find supporting evidence of spillover effects of the GDPR to non-EU

websites. Based on these findings, we may not necessarily expect a significant compliance difference between the

EU and non-EU apps.

We test the quality effect more directly by examining the performance of both EU and non-EU apps

outside the GDPR region. If the difference in compliance burden adversely affected EU apps’ quality

more compared to non-EU apps, we would observe a corresponding negative impact on the performance

of EU apps in the top charts of non-EU countries. We test this prediction by modifying the main country-

pair model in Equation (1). In addition to 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 and 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡, we introduce 𝐺𝐷𝑃𝑅𝑖−𝑗𝑡 and

𝐺𝐷𝑃𝑅−𝑖−𝑗𝑡 to capture the effects on app trade from an EU to a non-EU country and that between two

non-EU countries. 𝐺𝐷𝑃𝑅−𝑖−𝑗𝑡 is a binary indicator that equals one in the post-GDPR period for country

pairs where both exporter 𝑖 and importer 𝑗 are outside the GDPR region. 𝐺𝐷𝑃𝑅𝑖−𝑗𝑡 is an indicator that

equals one in the post-GDPR period if exporter 𝑖 is within the GDPR region and importer 𝑗 is not. Table 4

presents the OLS and PPML results using our main sample.

Table 4. Estimation Results on EU App Performance in Non-EU Countries

Dependent Variable

(1)

(2)

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡)

𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡

𝐺𝐷𝑃𝑅𝑖𝑗𝑡

-0.0025***

(0.000)

-0.2692***

(0.027)

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡

0.0005***

(0.000)

0.1259***

(0.021)

𝐺𝐷𝑃𝑅𝑖−𝑗𝑡

-0.0002

(0.000)

-0.0163

(0.022)

𝐺𝐷𝑃𝑅−𝑖−𝑗𝑡

0.0000

(0.000)

0.0031

(0.009)

Country Pair FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

Month FE

Yes

Estimator

OLS

PPML

Number of Country Pairs

27,745

Observations

721,370

R-squared

0.968

0.5512

Robust standard errors clustered by country pair in parentheses. *** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1

In each column, the coefficients of 𝐺𝐷𝑃𝑅𝑖−𝑗𝑡 and 𝐺𝐷𝑃𝑅−𝑖−𝑗𝑡 are statistically indistinguishable from

zero, and their differences are also insignificant. This finding suggests that the GDPR had minimal impact

on the performance of EU apps in the top 30 charts of non-EU countries. Furthermore, we obtain similar

results with the secondary dataset focusing on the top 100 free charts. These results thus indicate that the

conjectured quality effect is unlikely to be the main driving force behind our findings in the last section.

5.2 Composition Effect

We now shift our focus to the composition effect. To investigate its role in driving the observed outcomes,

we conduct two sets of analyses. For the first set of analyses, we assume it was the composition effect that

caused changes in the top-performing EU and non-EU apps and derive predictions about the impact on

the characteristics of top apps in the EU. We then test whether our dataset provides consistent evidence to

support these predictions. In the second set of analyses, we conduct app-level regressions that are

analogous to the country-pair-level regressions in the previous section. Since the composition effect

entails a change in the competitive environment within the EU, our app-level analysis allows us to control

for app-level heterogeneity, including the competitive environment each app encounters.

5.2.1 Impact of the GDPR on the Characteristics of Top Apps

The first set of analyses and their underlying rationale are as follows: (a) We examine the average age of

apps on the EU top charts. If the reduced entry of new apps led to changes in the top charts, i.e., new EU

apps that could have reached the top charts were deterred from entering the market, we would expect an

increase in the average age of top apps in the EU post-GDPR. (b) We assess the turnover of apps on the

top charts. Should the entry and exit mechanism be responsible for the changes, we would expect more

entrenched market positions of established apps. Therefore, we should observe a decrease in the

percentage of new apps in the top charts of EU countries after the GDPR. (c) We analyze the average

publisher size of top apps. The entry and exit mechanism should disproportionately impact small app

publishers who may lack the resources to bear compliance costs (Johnson 2022). For instance, Chen et al.

(2022) observe that GDPR compliance costs significantly reduced small technology companies’

profitability, while larger firms were less impacted. Likewise, Peukert et al. (2022) and Schmitt et al.

(2022) report increased market concentration among technology vendors and websites. Therefore, if the

composition effect influenced the top charts in EU countries, it would imply post-GDPR dominance by

larger publishers. In the following, we present regressions to examine each of these predictions.

First, we investigate whether the enactment of the GDPR led to an increase in the average age of

apps featured in EU countries’ top charts. To measure the app age, we utilize the number of months since

an app’s release as the dependent variable, 𝐴𝑝𝑝_𝐴𝑔𝑒𝑖𝑡. We use our main sample to construct a country-

level panel and employ the standard DID specification with the EU countries being the treatment group

and other countries as the controls. We include the two-way fixed effects and allow for country-specific

(linear) time trends. As shown in Column (1) of Table 5, the regression results indicate no significant

change in the age of top apps in EU countries following the enactment of the GDPR.

We proceed with a regression regarding the impact of the GDPR on the turnover of top apps in EU

countries. We use the same country-level panel and DID specification. We operationalize the turnover

rate of the top chart in country 𝑖 in month 𝑡, 𝑁𝑒𝑤𝐴𝑝𝑝𝑠𝑖𝑡, as the percentage of top apps in month 𝑡 that did

not appear in country i’s top chart in the previous months. Since this calculation requires data from the

previous month, we exclude the first month from our panel. As shown in Column (2) of Table 5, the

percentage of new top apps in EU countries actually increased after the GDPR was enacted, indicating an

elevated rate of top app turnover that contradicts the notion that the top charts had become more

dominated by established apps.¹⁶

We further explore the impact of the GDPR on the average publisher size of top apps in the EU,

using the country-level panel. We measure publisher size by using the number of distinct apps it offers,

combining our dataset of top apps and publisher-portfolio data provided by a mobile app analytics

company. For each country 𝑖, we then calculate the average publisher size for apps that appeared on its

top chart in each month 𝑡. In three separate regressions, we examine the average publisher size of all top

apps, top apps published in the EU, and top apps published outside the EU. To minimize potential

censoring issues, we focus on 12 months of observations in the middle of the sample period, namely, six

months before and after the enactment of the GDPR, for our model estimation. As reported in Table 6, we

16 This result could also be explained by that EU consumers became more willing to try out new apps after the

enactment of the GDPR, which supports the demand-side explanation in Section 5.3.

do not observe any significant effect of the GDPR on the average publisher size across any of the top app

groups. For robustness, we also use an alternative measure of publisher size by incorporating app

popularity based on rankings and frequency of appearance on the top charts. The results remain consistent

(Appendix M).

Table 5. Estimation Results on the GDPR Impact on Age of Top Apps and Top Chart Turnover

(1)

(2)

Dependent Variables

ln(𝐴𝑝𝑝_𝐴𝑔𝑒𝑖𝑡)

ln(𝑁𝑒𝑤𝐴𝑝𝑝𝑠𝑖𝑡)

𝐺𝐷𝑃𝑅𝑖𝑡

0.0269

0.143***

(0.021)

(0.015)

Country FE

Yes

Month FE

Yes

Country-specific Trend

Yes

Estimator

OLS

Number of Countries

155

Observations

4,030

3,875

R-squared

0.672

0.750

Robust standard errors clustered by country in parentheses. *** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1. The number of

observations is smaller in Column (2) because of the exclusion of the first month in calculating new apps.

Table 6. Estimation Results on the GDPR Impact on Publisher Size of Top Apps

(1)

(2)

(3)

Dependent Variables

ln(𝑃𝑢𝑏𝑙𝑖ℎ𝑠𝑒𝑟_𝑆𝑖𝑧𝑒All)

ln(𝑃𝑢𝑏𝑙𝑖ℎ𝑠𝑒𝑟_𝑆𝑖𝑧𝑒𝑛𝑜𝑛𝐺𝐷𝑃𝑅)

ln(𝑃𝑢𝑏𝑙𝑖ℎ𝑠𝑒𝑟_𝑆𝑖𝑧𝑒𝐺𝐷𝑃𝑅)

𝐺𝐷𝑃𝑅𝑖𝑡

0.0063

0.0119

-0.0709

(0.020)

(0.012)

(0.049)

Country FE

Yes

Month FE

Yes

Country-specific

Trend

Yes

Estimator

OLS

Number of Countries

155

Observations

2,015

2,008

R-squared

0.765

0.734

0.541

Robust standard errors clustered by country in parentheses. *** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1. The sample

contains 155 countries over 13 months, with a total of 2,015 observations. In Column (3), the observations are fewer

because there were no EU apps on the top 30 charts for certain country-month observations.

Taken together, the expected changes in the average age, turnover rate, and average publisher size

of top apps in the EU as implied by the composition effect are not consistently substantiated by the

empirical evidence presented in Tables 5 and 6. Although these country-level analyses offer valuable

insights, they may not fully capture the entry and exit dynamics at the app level. To gain more nuanced

insights into the composition effect, we conduct app-level analyses next.

5.2.2 App-Level Analyses

We conduct app-level analyses to study the impact of the GDPR on the performance of individual apps in

different importer countries. The model specification is presented in Equation (2) below:

𝑌𝑝𝑗𝑡 = 𝛽0 + 𝛽1𝐺𝐷𝑃𝑅𝑖𝑝𝑗𝑡 + 𝛽2𝐺𝐷𝑃𝑅−𝑖𝑝𝑗𝑡 + 𝐴𝑝𝑝_𝐴𝑔𝑒𝑝𝑡+ 𝜌𝑝𝑡 + 𝜋𝑖𝑝𝑡 + 𝜃𝑗𝑡 + 𝛾𝑝𝑗 + 𝜕𝑡+ 𝜀𝑝𝑗𝑡. (2)

We use 𝑝 to denote an app and 𝑖𝑝 to indicate the publisher country of app 𝑝. 𝑗 and 𝑡 denote the importer

country and month respectively, as in the main model. For robustness, we use two different dependent

variables to measure the performance of a focal app 𝑝 in an importer country 𝑗:

(1) 𝑇𝑜𝑝_𝑐ℎ𝑎𝑟𝑡_𝑑𝑢𝑚𝑚𝑦𝑝𝑗𝑡: A binary outcome indicating whether app 𝑝 ever appeared on the top chart of

country 𝑗 during month 𝑡.

(2) 𝑇𝑜𝑝_𝑐ℎ𝑎𝑟𝑡_𝑐𝑜𝑢𝑛𝑡𝑝𝑗𝑡 : The number of days app 𝑝 appeared on the top chart of country 𝑗 during the

month 𝑡.

The two main explanatory variables are 𝐺𝐷𝑃𝑅𝑖𝑝𝑗𝑡 and 𝐺𝐷𝑃𝑅−𝑖𝑝𝑗𝑡, analogous to 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 and

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 in the main model. 𝐺𝐷𝑃𝑅𝑖𝑝𝑗𝑡 (𝐺𝐷𝑃𝑅−𝑖𝑝𝑗𝑡) captures the impact of the GDPR on the

performance of app 𝑝 in importer (EU) country 𝑗 if app 𝑝’s publisher country 𝑖 is within (outside) the

GDPR region. We control for the age of app 𝑝 in month 𝑡 as the number of months since its release. In

addition, we incorporate the standard two-way fixed effects: app-importer fixed effects 𝛾𝑝𝑗 and time fixed

effects 𝜕𝑡. Note that 𝛾𝑝𝑗 absorbs any time-invariant app fixed effects, exporter fixed effects (as 𝑖 is

determined by 𝑝), importer fixed effects, and exporter-importer-pair fixed effects (such as distance and

shared language). For consistency with the main model, we also control for importer-year, exporter-year,

and app-year fixed effects.

We estimate Equation (2) using two different samples of apps. In the first sample, we use all the

apps from our main sample and examine their performance in the 155 importer countries. The results are

summarized in Columns (1-2) of Table 7. The coefficients of both 𝐺𝐷𝑃𝑅𝑖𝑝𝑗𝑡 and 𝐺𝐷𝑃𝑅−𝑖𝑝𝑗𝑡 are

estimated to be significant, and their signs are consistent with those in the main analysis at the country-

pair level. The results indicate that, both in terms of the likelihood of reaching the top charts and the

number of times reaching the top charts, the performance of non-EU apps improved and that of EU apps

decreased in the EU countries post-GDPR.

Note that the results above might be driven by the composition effect: The improved performance of

non-EU apps could be explained by a less competitive environment due to the shift in entry and exit

dynamics, and the decline in the performance of EU apps might be due to the inclusion of apps that

actually exited the EU market post-GDPR. To verify whether the results are primarily driven by this

mechanism, we re-estimate Equation (2) using a subsample of 2,242 apps that appeared on the top charts

of EU countries at least once both before and after the enactment of the GDPR. We impose this restriction

to ensure that only apps that were active in the EU market post-GDPR are included in the sample for

estimation. The results are presented in Columns (3-4) of Table 7.

Table 7. App-Level Analysis on the GDPR Impact on App Performance in the EU Market

Dependent Variable

(1)

(2)

(3)

(4)

𝐷𝑢𝑚𝑚𝑦𝑝𝑗𝑡

ln(𝐶𝑜𝑢𝑛𝑡𝑝𝑗𝑡 )

𝐷𝑢𝑚𝑚𝑦𝑝𝑗𝑡

ln(𝐶𝑜𝑢𝑛𝑡𝑝𝑗𝑡 )

𝐺𝐷𝑃𝑅𝑖𝑝𝑗𝑡

-0.0035***

-0.0011***

-0.0046***

-0.0018***

(0.000)

𝐺𝐷𝑃𝑅−𝑖𝑝𝑗𝑡

0.0015***

0.0004***

0.0043***

0.0010***

(0.000)

ln𝑅𝑒𝑙𝑒𝑎𝑠𝑒_𝑀𝑜𝑛𝑡ℎ𝑝𝑡

-0.0034***

-0.0008***

-0.0082***

-0.0027***

(0.000)

App - Importer FE

Yes

Month FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

App -Year FE

Yes

Observations

48,378,755

8,569,795

R-squared

0.421

0.662

0.503

0.737

Dependent variables: 𝐷𝑢𝑚𝑚𝑦𝑝𝑗𝑡 - 𝑻𝒐𝒑_𝒄𝒉𝒂𝒓𝒕_𝒅𝒖𝒎𝒎𝒚𝒑𝒋𝒕 ; 𝐶𝑜𝑢𝑛𝑡𝑝𝑗𝑡 - 𝑻𝒐𝒑_𝒄𝒉𝒂𝒓𝒕_𝒄𝒐𝒖𝒏𝒕𝒑𝒋𝒕

Robust standard errors clustered by app - use country in parentheses. ***𝑝 < 0.01, **𝑝 < 0.05, *𝑝 < 0.1

We again observe a significant positive effect on the performance of non-EU apps and a

corresponding negative effect on the EU apps, aligning strongly with our main findings. If the

composition effect were the main driving force underlying the improved performance of non-EU apps in

the EU market, it should have also benefited the EU apps that were still active in the market. However,

our results contradict this prediction, indicating that the main explanation for the observed changes is

unlikely to stem from the entry and exit dynamics.

5.3 Reassurance Effect

The analyses above do not yield strong positive evidence to support that the quality effect or composition

effect from the supply side was driving the changes documented in Section 4. We now turn to the

reassurance effect from the demand side. Some previous analyses have already partially supported the

demand-side mechanism. For example, the rate of turnover for top apps also reflects consumers’

inclination to explore and download new apps. The increased turnover rate in the EU post-GDPR, as

documented in Section 5.2.1, is indicative of a heightened readiness among EU consumers to try out new

apps. In this subsection, we perform further analyses to probe this reassurance effect. While we do not

observe consumer preference and thus cannot directly measure the (or lack of) change in consumer

privacy concerns, we can derive implications if the change did play an important role in driving the

observed outcomes and test these implications using our data.

5.3.1 Paid Apps

First, we test how the observed GDPR effects differ for paid apps. Since paid apps typically involve fewer

privacy concerns compared to free apps (Kummer and Schulte 2019), we expect the GDPR would cause a

smaller change to the performance of paid apps if the reassurance effect of reducing privacy concerns is

an important driver of the change. Utilizing our secondary sample, we re-estimate Equation (1) for the top

30 paid charts in the 50 countries selected based on their smartphone penetration rates. As shown in Table

8, we find statistically significant effects with the same signs as observed for free apps. Notably, the

estimated effect size for paid apps is relatively smaller, consistent with the prediction that since paid apps

have fewer privacy issues, the GDPR’s reassurance effect is correspondingly smaller.

Table 8. Estimation Results of the Main Model – Top 30 Paid

Dependent Variable

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡)

𝐺𝐷𝑃𝑅𝑖𝑗𝑡

-0.0014***

(0.000)

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡

0.0004*

(0.000)

Country Pair FE

Yes

Month FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

Estimator

OLS

Top Chart

Top 30 Paid

Observations

138,424

R-squared

0.969

Robust standard errors clustered by country pair in parentheses. *** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1. The number

of observations is smaller because the dataset contains a slightly larger number of exporter countries for free apps

compared to paid apps.

5.3.2 The Moderating Effect of Category Privacy Sensitivity

If the GDPR indeed increases consumer confidence and lowers perceived privacy risks, privacy concerns

should play a significant moderating role. To investigate this mechanism, we exploit information on app

categories, as different app categories tend to have different data requirements (e.g., E-commerce apps

generally request more data than utility apps). Hence, users’ perceived privacy risks should differ across

categories. We can then test whether the differential impacts of the GDPR on different app categories are

systematically related to their levels of data requirements.

We measure the data requirements for each category by leveraging the “privacy labels” published

by the App Store. These labels disclose the types of data collected by an app, covering 14 data types:

contact information, health and fitness, financial information, location, sensitive information, contacts,

user content, browsing history, search history, identifiers, purchases, usage data, diagnostics, and other

data.¹⁷ To measure privacy sensitivity, we calculate the ratio of data types collected by an app to the total

17 The App Store mandates publishers to disclose information regarding data collection when submitting new apps

or updating existing ones. The disclosures are then published as privacy labels to assist users in better understanding

an app’s privacy practices before purchasing or downloading it. For more information, please refer to

https://developer.apple.com/app-store/app-privacy-details/. We note that although the privacy labels were introduced

in December 2020, users were already able to assess app privacy prior to the introduction. Since iOS 6 in 2012, iOS

apps have been required to request access to data and functionalities such as photos, camera, and health data through

number of types available. The privacy sensitivity score of each app category is then defined as the

average of the privacy sensitivity scores of the top 100 apps in that category. The list of app categories

and the corresponding privacy sensitivity scores are presented in Appendix N. We then extended the main

model of Equation (1) by adding the app category dimension and using the category privacy sensitivity

score as a moderator. We calculate 𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑘𝑡 as the percentage of top chart apps in country 𝑗

within category 𝑘, published by country 𝑖. We include the interaction terms 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 *

𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘 and 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 * 𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘 in the model to capture any moderating

effects.¹⁸ The results are presented in Table 9.

Table 9. Estimation Results on the Moderating Effect of App Category Privacy Sensitivity

Dependent Variable

(1)

(2)

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑘𝑡)

𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑘𝑡

𝐺𝐷𝑃𝑅𝑖𝑗𝑡

-0.0001***

-0.2815***

(0.000)

(0.028)

𝐺𝐷𝑃𝑅𝑖𝑗𝑡 ∗ 𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘

0.0007***

1.2738**

(0.000)

(0.502)

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡

0.00002***

0.1746***

(0.000)

(0.029)

𝐺𝐷𝑃𝑅−𝑖𝑗𝑡 ∗ 𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘

0.0002***

1.6709***

(0.000)

(0.295)

𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘

0.0002***

0.9747***

(0.000)

(0.190)

Country Pair FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

Month FE

Yes

Estimator

OLS

PPML

Number of Country Pairs

27,745

Observations

16,591,510

R-squared

0.142

0.4708

De-meaned 𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘 is used in the regression. Since there are 23 categories, the total number of

observations equals 721,370 × 23. Robust standard errors clustered by country pair in parentheses.

*** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1.

“just-in-time” notifications, prompting users for permission when needed. Furthermore, more refined data and

privacy controls haven been continually introduced since then.

18 We standardize the variable 𝑆𝑒𝑛𝑠𝑖𝑡𝑖𝑣𝑖𝑡𝑦_𝑆𝑐𝑜𝑟𝑒𝑘 by de-meaning it, resulting in a range of values between -0.14

and 0.213.

As shown in the table, both interaction terms are estimated to be significant, using either OLS or

PPML. For ease of interpretation, we estimate the marginal effects of the GDPR as a function of the (de-

meaned) privacy sensitivity score using the Delta method and plot the results in Figure 2. For EU apps,

the GDPR effect is larger (more negative) for privacy-insensitive categories, while for non-EU apps, the

GDPR effect is larger (more positive) for privacy-sensitive categories. This suggests that post-GDPR, EU

consumers are more willing to download and use foreign apps, especially in categories requiring higher

user data requirements. Interestingly, the decrease of native top apps is primarily observed in less privacy-

sensitive categories. Together, these findings indicate that consumers in GDPR countries started to

download and use more privacy-sensitive apps after the enactment of the GDPR.¹⁹

Plot (a) Marginal Effects of 𝐺𝐷𝑃𝑅𝑖𝑗𝑡 Plot (b) Marginal Effects of 𝐺𝐷𝑃𝑅−𝑖𝑗𝑡

Figure 2. The Moderating Effect of App Category Privacy Sensitivity

These results are corroborated by a country-level analysis (refer to Appendix P). However, a

possible supply-side explanation of the country-pair-level and country-level results is that, after the

enactment of the GDPR, EU publishers might have opted to withdraw from high-sensitivity app

categories. Their retreat could have opened opportunities for non-EU apps that might face fewer

consequences in case of non-compliance. To delve deeper into this possibility, we conduct a similar

19 To alleviate the concern that the category-level privacy scores may not be salient to users, we also conduct a

similar analysis, classifying apps into high and low privacy-sensitive categories, assuming that users have only a

very general awareness of an app category’s privacy sensitivity. The results (Appendix O) are consistent with those

reported in Table 9.

analysis at the app level, utilizing the sample of 2,242 apps used in Sections 5.2.2 that we know were

active in the EU market both before and after the GDPR. We find that the moderating effect of category-

level privacy sensitivity is also evident in this app-level analysis (detailed in Appendix Q and the results

are shown in Table Q1). As observed earlier, these app-level findings cannot be attributed to the

composition effect, thereby lending support for the proposed reassurance effect.

5.3.3 Heterogeneity Effects among GDPR Countries

In addition to the heterogeneous GDPR effects on different app categories, we examine heterogeneity

across EU countries, using two external measures: the Internet privacy index by BestVPN.org, scoring the

level of privacy protection in a country,²⁰ and an official EU survey by Eurobarometer, which is

essentially the percentage of surveyed individuals who expressed that they were “fairly (or very) worried

about the misuse of personal data” in each country.²¹ The former measure focuses on existing

government-level efforts on privacy protection, whereas the latter focuses on citizens’ attitudes towards

data misuse risks.

We divide GDPR countries (importer country, 𝑗) into two groups: those with high privacy scores

(indicated by subscript ℎ𝑖𝑔ℎ𝑗) and those with low privacy scores (indicated by subscript 𝑙𝑜𝑤𝑗).²² We

include separate indicators for the two groups in our main country-pair-level regressions. The results in

Table 10 show that the patterns of the GDPR effects are consistent with those from the main analysis.

Moreover, we conduct one-sided 𝑡-tests to compare the coefficients of ℎ𝑖𝑔ℎ𝑗 and 𝑙𝑜𝑤𝑗, and find that

their differences are statistically significant. This indicates that the GDPR effects are more pronounced in

20 This organization calculates an internet privacy index based on press freedom, data privacy laws, democracy

statistics, freedom of opinion, and expression cybercrime legislation worldwide. Norway achieved the highest score

of 90.1. The reasons given include taking a strong stance on data protection, requiring any government to gain

permission from court to gain access to private information and having the highest number of secure servers

available to citizens. For further details, refer to https://bestvpn.org/privacy-index.

21 Source: Eurobarometer 72.5 (Oct-Nov 2009). https://www.gesis.org/en/eurobarometer-data-service/survey-

series/standard-special-eb/study-overview/eurobarometer-725-za-4999-nov-dec-2009

22 We choose the 75th percentile as our cutoff point, considering the distribution of the variable’s values. This

decision is aimed at maximizing the level of separation. The estimation results are directionally consistent even if

we use the median as the cutoff point.

countries with higher privacy scores compared to those with lower privacy scores. This finding supports

the pivotal role of strict privacy regulations in alleviating potential privacy concerns about foreign digital

products. Consequently, EU consumers became more receptive to trying out apps published outside the

EU, and this effect is even larger in countries with higher sensitive to privacy.²³

Table 10. Estimation Results on Heterogeneous Effects on EU Countries

Dependent Variable

(1)

(2)

𝑙𝑛(𝑇𝑜𝑝𝐶ℎ𝑎𝑟𝑡%𝑖𝑗𝑡)

𝐺𝐷𝑃𝑅𝑖𝐻𝑖𝑔ℎ𝑗𝑡

-0.0030***(0.000)

-0.0026***(0.000)

𝐺𝐷𝑃𝑅𝑖𝐿𝑜𝑤𝑗𝑡

-0.0020***(0.000)

-0.0021***(0.000)

𝐺𝐷𝑃𝑅−𝑖𝐻𝑖𝑔ℎ𝑗𝑡

0.0006***(0.000)

0.0005***(0.000)

𝐺𝐷𝑃𝑅−𝑖𝐿𝑜𝑤𝑗𝑡

0.0004***(0.000)

Country Pair FE

Yes

Importer -Year FE

Yes

Exporter -Year FE

Yes

Month FE

Yes

Privacy Value Used

Best VPN.org

Eurobarometer Value

Estimator

OLS

Observations

684,138

702,754

R-squared

0.968

This analysis uses two external measures. The number of observations depends on the availability of data from their

sources. Specifically, we obtain privacy values from BestVPN.org for 22 out of the 30 EU countries and privacy

values from the Eurobarometer survey for 26 out of the 30 EU countries. Consequently, the analysis utilizing the

BestVPN.org data includes 8 fewer countries compared to the main analysis, while the analysis based on the

Eurobarometer survey also involves 4 fewer countries. Robust standard errors clustered by country pair in parentheses.

*** 𝑝 < 0.01, ** 𝑝 < 0.05, * 𝑝 < 0.1.

For robustness, we perform an app-level country heterogeneity analysis using the same sample of

2,242 apps as in Sections 5.2.2. The results, detailed in Appendix Table Q2, consistently show that the

impact of the GDPR tends to be more pronounced in countries that are more sensitive to privacy issues,

thereby strengthening the evidence for the reassurance effect.

23 There might be the possibility that the enactment of the GDPR in privacy-sensitive EU countries is in general

stricter, leading to a greater disadvantage for EU apps. However, the enforcement data published by the CMS. Law

GDPR Enforcement Tracker (https://www.enforcementtracker.com/) do not indicate a strong correlation between

the total number or amount of fines imposed by each country and their privacy sensitive score. In addition, we also

examine at the country level whether app version update frequency around the GDPR’s enactment, as an indicator of

compliance burdens, is significantly correlated with the sensitivity score. We present the analysis and results in

Appendix R. The findings indicate that update frequency within our sample (apps in the top 30 charts of EU

countries) does not show a significant correlation with the privacy sensitivity score.

Furthermore, we also examine changes in apps with an unknown publisher country in EU’s top

chart post-GDPR, assuming such apps involve higher uncertainty regarding privacy risks. Our findings,

presented in Appendix S using a country-level panel, reveal a significant increase in the number of apps

with an unknown publisher country. This finding provides further evidence that supports the notion that

EU consumers have reduced privacy concerns after the enactment of the GDPR. Lastly, to ensure our

results do not hinge on the consumers’ ability to perfectly distinguish foreign apps from local ones, we

focus our analysis exclusively on apps that are distinctly either native or outside the EU. The findings,

presented in Appendix T, align closely with our main model, confirming the reliability of our results.

Therefore, synthesizing the results from the preceding subsections, we must conclude that the

demand-side reassurance effect is the more probable driver of the observed changes in the top-performing

apps in the EU. Our main model estimates that 7% of the positions in the top 30 free charts in the EU

shifted from native to foreign apps as a consequence of the GDPR. The analysis in this section indicates

that this change is more likely to be attributable to users’ decreased preference for local apps, stemming

from reduced privacy concerns.

6. Discussion and Conclusion

A key objection to regional privacy regulations is that localized data protection may restrict the ability of

foreign companies to compete and thus impede international digital trade. The actual impacts and

implications of data and privacy regulations on digital trade, however, are still being examined and

understood. In this context, our study empirically explores the digital trade implications of the GDPR in

the global mobile app market. We find that the proportion of top-performing foreign apps increased in the

EU countries relative to that of native apps as a result of the regulation. In contrast to the largely negative

effects attributed to the GDPR in the extant literature, our analyses provide evidence on its unintended

benefits to foreign-published apps. Moreover, our investigating into the underlying mechanisms does not

find strong evidence supporting supply-side effects through quality or composition dynamics. Instead, we

find empirical support for the reassurance effect on the demand side. After the GDPR’s enactment, EU

consumers’ demand for foreign apps increased relative to that for native apps. In sum, the net effect is that

data and privacy regulations can encourage and promote cross-border digital trade.

Our research adds to the growing literature on the impacts of the GDPR (e.g., Johnson 2022) by

investigating its implications for digital trade. As cross-border data flows become important channels of

international trade, the growth of global trade increasingly relies on digital connectivity. While being an

important tool for safeguarding citizen privacy and national security, data and privacy regulations, if not

designed appropriately, can interfere data flows and hinder global digital trade (e.g., Azmeh et al. 2020).

Our study enriches this ongoing policy discussion by revealing that, contrary to conventional assertions,

data and privacy regulations can also benefit cross-border digital trade through fostering consumer

confidence. It highlights the critical need to strike a balance between capturing the benefits of digital

connectivity while mitigating the risks associated with data privacy and security (Ahmed 2019, Cory

2020).

In examining the underlying mechanisms that drove the effects on the trade of apps, we discuss and

empirically validate the diverse effects of the GDPR on both publishers and consumers. These supply-

and demand-side mechanisms should serve as the foundation for assessing the digital trade implications

of similar privacy and data protection regulations enacted in other global regions. For instance, on the

supply side, researchers should explore how the territorial coverage and enforcement of such regulations

would influence producers, considering both the quality and composition dynamics. On the demand side,

it is necessary to consider whether substantial disparities in data protection practices existed between

native and foreign digital products before the regulation’s implementation, and whether users exhibited

preferences for native products due to these disparities. Ultimately, the net effects on digital trade result

from the intricate interplay of these multifaceted supply- and demand-side factors.

Privacy regulations may serve as an assertion of sovereign rights over the historically borderless

internet infrastructure, potentially leading to the emergence of “Digital Nationalism.” While technicians

and engineers have successfully established infrastructure and protocols to ensure global compatibility,

regulators and policymakers need to determine how to devise institutional responses to ensure maximal

growth and value. Our study provides insights for policymakers as they tackle data and privacy

regulations because understanding their potential impacts and consequences is the first step towards

international policy collaborations for balancing economic growth with safeguarding fundamental privacy

and security concerns (Ahmed 2019). Our results suggest that data and privacy regulations could

effectively address legitimate data concerns without severely damaging digital trade. Moreover, our

findings reveal a business opportunity for multinational companies. Specifically, while there are higher

compliance costs, transparent regional privacy regulations can potentially reduce consumer home bias and

facilitate entry into new international markets. Thus, assessing the impact of privacy regulations on global

markets requires considering both the demand-side benefits and supply-side costs.

This study has several limitations that should be acknowledged. First, the analysis in this study

relies on available data sources, which may have inherent limitations in terms of coverage and accuracy.

The data used for measuring app performance, i.e., the publicly available App Store top charts data, may

not capture the complete picture of cross-border trade, as the top chart ranking is a composite metric that

incorporates app downloads, usage, and engagement. Future research, with access to more granular-level

app performance data, could study the GDPR’s effects on these dimensions individually. Similarly, the

use of aggregate-level observational data from the App Store limits the scope of our analysis. There are

important questions yet to be explored comprehensively to better understand the GDPR’s effects on the

diverse aspects of digital trade. For example, our study finds a decreased tendency of favoring local apps

post-GDPR. It will be useful for comparison with the trade literature if the absolute level of home bias

can be quantified. However, data limitations pose a challenge. Estimating the absolute level of home bias

would necessitate a counterfactual environment presenting consumers with an alternative portfolio of app

choices based on different countries of origin, while holding quality and preference match constant. This

could be explored as a future research topic, possibly using experimental methods. It will also be

interesting to study the GDPR’s impact on the distribution of trade, e.g., how the effects on non-top apps

are different from top apps. One could also study whether and how the GDPR affects user choices

between free and paid apps. Since prior studies such as Kummer and Schulte (2019) suggest a potential

tradeoff between monetary costs and privacy gains, it will be interesting to empirically examine how the

GDPR re-balances this tradeoff.

One limitation of our empirical design pertains to the potential spillover effects to the control

group, which consists of app trade into non-GDPR countries. Non-EU publishers offering apps in the EU

had to comply with the GDPR, and those not serving EU markets might also aim for compliance in

anticipation of similar future regulations. Furthermore, consumers were also exposed to the knowledge of

the GDPR coming into effect. The absence of a clean control group is a common challenge in empirical

studies related to the GDPR, as noted by Johnson (2022). Although the spillover effects could have

influenced publishers and users outside the GDPR region, we note that the effects should work against

finding significant differences between the EU and non-EU markets; the observed significant GDPR

effects in the EU market and the absence of similar effects in other markets suggest that the supply-side

spillover was likely not significant enough to induce changes in the outcomes we examined. Therefore,

our findings align with the notion that the demand-side mechanism was more likely to be the driving

force behind the results observed in the EU market. Nonetheless, future research could further explore the

Brussels effect pertaining to the GDPR and its implications for non-EU users for a more comprehensive

understanding.

The analysis in our study covers a one-year period following the enactment of GDPR, which may

limit our ability to capture longer-term changes in app trade dynamics. Over time, the effects of the

GDPR on app trade may evolve, potentially altering the significance of factors like the quality effect we

have examined. More empirical evidence on both the apps’ actual compliance level and user awareness of

apps’ data requirements could help depict a more complete picture of the impact on consumer welfare.

Finally, the findings of this study may be specific to the mobile app market and may not be directly

applicable to other software product sectors or industries. Future studies could provide more insights into

how the impact on digital trade was influenced by unique characteristics and regulatory environments of

different industries.

REFERNCES

Acquisti A, Taylor C, Wagman L (2016) The economics of privacy. J. Econ. Lit. 54(2):442-92.

Adjerid I, Acquisti A, Telang R, Padman R, Adler-Milstein J (2016) The impact of privacy regulation and

technology incentives: The case of health information exchanges. Manag. Sci. 62(4):1042-1063.

Ahmed U (2019) The Importance of cross-border regulatory cooperation in an era of digital trade. World

Trade Rev. 18(S1):S99-S120.

Al-Natour S, Cavusoglu H, Benbasat I, Aleem U (2020) An empirical investigation of the antecedents and

consequences of privacy uncertainty in the context of mobile apps. Inf. Syst. Res. 31(4):1037-1063.

Anderson JE (2011) The gravity model. Annu. Rev. Econ. 3(1):133-160.

Aridor G, Che YK, Salz T (2022) The effect of privacy regulation on the data industry: empirical

evidence from GDPR. Rand. J. Econ. 54(4):695-730.

Arkhangelsky D, Athey S, Hirshberg DA, Imbens GW, Wager S (2021) Synthetic difference-in-

differences. Am. Econ Rev. 111(12):4088-118.

Awad NF, Krishnan MS (2006) The personalization privacy paradox: an empirical evaluation of

information transparency and the willingness to be profiled online for personalization. Manag. Inf.

Syst. Q. 30(1):13-28.

Azmeh S, Foster C, Echavarri J (2020) The international trade regime and the quest for free digital trade.

Int. Stud. Rev. 22(3):671-692.

Baier SL, Bergstrand JH (2007) Do free trade agreements actually increase members' international

trade? J. Int. Econ. 71(1):72-95.

Barbier J, Dixit A, Moriarty R, Namboodri C, O’Connell K, Riegel M (2015) Where to begin your

journey to digital value in the private sector. Economic Analysis 2015-2024. San Jose, CA.

Bertschek I, Kesler R (2022) Let the user speak: Is feedback on Facebook a source of firms’ innovation?

Inf. Econ. Policy. 60:100991.

Bian B, Ma X, Tang H (2021) The supply and demand for data privacy: Evidence from mobile apps.

Available at SSRN: 3987541.

Blacker A (2022) App store rank explained: what is an app’s Apple & Google store ranking and what

impacts it? Aapptopia (February 1), https://blog.apptopia.com/app-store-rank-explained-what-is-an-

apps-apple-google-store-ranking-and-what-impacts-it.

Blum B, Goldfarb A (2006) Does the internet defy the law of gravity? J. Int. Econ. 70(2):384-405.

Campanile L, Iacono M, Mastroianni M (2022) Towards privacy-aware software design in small and

medium enterprises. 2022 IEEE International Conference on Dependable, Autonomic and Secure

Computing, International Conference on Pervasive Intelligence and Computing, International

Conference on Cloud and Big Data Computing, International Conference on Cyber Science and

Technology Congress. IEEE. p. 1–8.

Castelluccia C, Guerses S, Hansen M, Hoepman JH, van Hoboken J, Vieira B (2017) Privacy and data

protection in mobile applications: A study on the app development ecosystem and the technical

implementation of GDPR. Report, ENISA, Athens, Greece.

Castro D, Atkinson RD (2014) Beyond internet universalism: A framework for addressing cross-border

internet policy. Report, Information Technology and Innovation Foundation, Washington, DC.

Cavusoglu H, Phan TQ, Cavusoglu H, Airoldi EM (2016) Assessing the impact of granular privacy

controls on content sharing and disclosure on Facebook. Inf. Syst. Res. 27(4):848-879.

Chen, C, Frey, CB, Presidente, G (2022) Privacy regulation and firm performance: Estimating the GDPR

effect globally. The Oxford Martin Working Paper Series on Technological and Economic Change.

No. 2022-1.

Ciuriak D, Ptashkina M (2020) Towards a robust architecture for the regulation of data and digital Trade.

CIGI Paper Series no. 240, Waterloo, ON.

Cory N, Dascoli L (2021) How barriers to cross-border data flows are spreading globally, what they cost,

and how to address them. Report, Information Technology and Innovation Foundation, Washington,

DC.

Cory N (2020) Surveying the damage: why we must accurately measure cross-border data flows and

digital trade barriers. Report, Information Technology and Innovation Foundation, Washington, DC.

Cowgill B, Dorobantu CL, Martens B (2013) Does Online Trade Live Up to the Promise of a Borderless

World? Evidence from the EU Digital Single Market. Available at SSRN: 2374292.

Daigle L (2015) On the nature of the internet. Global commission on internet governance. Report, CIGI

Paper Series no. 7, Waterloo, ON.

Dinev T, Hart P (2006) An extended privacy calculus model for e-commerce transactions. Inf. Syst. Res.

17(1):61-68.

Ferracane MF, Lee-Makiyama H, Van Der Marel E (2018) Digital trade restrictiveness index. Report,

European Center for International Political Economy, Brussels, Belgium.

Garg R, Telang R (2013) Inferring app demand from publicly available data. Manag. Inf. Syst. Q.

37(4):1253-1264.

Gerber N, Gerber P, Volkamer M (2018) Explaining the privacy paradox: A systematic review of

literature investigating privacy attitude and behavior. Comput. Secur. 77:226-261.

Goddard M (2017) The EU General Data Protection Regulation (GDPR): European regulation that has a

global impact. Int. J. Res. Mark. 59(6):703-705.

Godinho de Matos M, Adjerid I (2022) Consumer consent and firm targeting after GDPR: The case of a

large telecom provider. Manag. Sci. 68(5):3330-78.

Goldberg S, Johnson G, Shriver S (2023) Regulating Privacy Online: An Economic Evaluation of the

GDPR, Am. Econ. J. Forthcoming.

Goldfarb A, Trefler D (2019) How Artificial Intelligence Impacts International Trade. The World Trade

Report 2018: The Future of World Trade: How Digital Technologies are Transforming Global

Commerce. Geneva: WTO, p.140.

Goldfarb A, Tucker CE (2011) Privacy regulation and online advertising. Manag. Sci. 57(1):57-71.

Gomez-Herrera E, Martens B, Turlea G (2014) The drivers and impediments for cross-border e-

commerce in the EU. Inf. Econ. Policy. 28:83-96.

Hoel M, Iversen T (2002) Genetic testing when there is a mix of compulsory and voluntary health

insurance. J. Health Econ. 21(2):253-270.

Hui KL, Teo HH, Lee SYT (2007) The value of privacy assurance: An exploratory field

experiment. Manag. Inf. Syst. Q. 31(1):19-33.

Hu X, Sastry N (2019). Characterising third party cookie usage in the EU after GDPR. Proc. 10th ACM

Conf. on Web Sci (ACM, New York), 137–141.

International Monetary Fund (IMF) (2023) Handbook on Measuring Digital Trade. available at

https://doi.org/10.1787/ac99e6d3-en (accessed December 8, 2023).

Jia J, Jin GZ, Wagman L (2021) The short-run effects of the general data protection regulation on

technology venture investment. Mark. Sci. 40(4):661-684.

Janssen R, Kesler R, Kummer ME, Waldfogel J (2022). GDPR and the lost generation of innovative apps.

Working paper 30028, NBER, Cambridge, MA.

Johnson GA (2022). Economic research on privacy regulation: lessons from the GDPR and beyond.

Available at SSRN: 4293618.

Johnson GA, Shriver SK, Goldberg SG (2023) Privacy and market concentration: Intended and

unintended consequences of the GDPR. Manag. Sci. Forthcoming.

Johnson GA, Shriver SK, Du S (2020) Consumer privacy choice in online advertising: Who opts out and

at what cost to industry? Mark. Sci. 39(1):33-51.

Ke TT, Sudhir K (2022) Privacy rights and data security: GDPR and personal data markets. Manag. Sci.

69(8):4363-4971.

Kesler R (2023) The Impact of Apple’s App Tracking Transparency on App Monetization. Working

paper. Available at SSRN: https://ssrn.com/abstract=4090786 or

http://dx.doi.org/10.2139/ssrn.4090786

Kesler R, Kummer M, Schulte P (2020) Competition and privacy in online markets: Evidence from the

mobile app industry. Acad. Of Manag. Proceedings. 2020(1): 20978.

Kim JH, Wagman L (2015) Screening incentives and privacy protection in financial markets: A

theoretical and empirical analysis. RAND J. Econ. 46(1):1-22.

Kummer M, Schulte P (2019) When private information settles the bill: Money and privacy in Google’s

market for smartphone applications. Manag. Sci. 65(8):3470-3494.

Lee DJ, Ahn JH, Bang Y (2011) Managing consumer privacy concerns in personalization: a strategic

analysis of privacy protection. Manag. Inf. Syst. Q. 35(2):423-444.

Lee G, Raghu TS (2014) Determinants of mobile apps’ success: Evidence from the app store market. J.

Manag. Inf. Syst. 31(2):133-170.

Lefrere V, Warberg L, Cheyre C, Marotta V, Acquisti A (2022). The impact of the GDPR on content

provider: a longitudinal analysis. Institut Mines-Telecom, Business School, LITEM.

Liang C, Shi Z, Raghu TS (2019) The spillover of spotlight: Platform recommendation in the mobile app

market. Inf. Syst. Res. 30(4):1296-1318.

Mayya R, Viswanathan S (2022) Delaying Informed Consent: An Empirical Investigation of Mobile

Apps’ Upgrade Decisions. Available at SSRN:3457018.

McKinsey & Company (2020) The consumer-data opportunity and the privacy imperative. Report,

McKinsey & Company, Worldwide.

Meltzer JP (2019) Governing Digital Trade. World Trade Rev. 18(1):23-48.

Miller AR, Tucker C (2009) Privacy protection and technology diffusion: The case of electronic medical

records. Manag. Sci. 55(7):1077-1093.

Mueller M (2017) Will the Internet Fragment? Sovereignty, Globalization and Cyberspace. (John Wiley

& Sons, New York).

Nicola FG, Pollicino O (2020) The balkanization of data privacy regulation. W. Va. Law Rev. 123:61.

OECD (2022) Artificial Intelligence and international trade https://www.oecd.org/publications/artificial-

intelligence-and-international-trade-13212d3e-en.htm

Pew Research Center (2015) Apps permission in the Google Play Store. Report, Pew Research Center,

Washington, DC.

Pepper R, Garrity J, LaSalle C (2016) Cross-border data flows, digital innovation, and economic growth.

Global Inf. Technol. Rep. 39-47.

Peukert C, Bechtold S, Batikas M, Kretschmer T (2022) Regulatory spillovers and data governance:

Evidence from the GDPR. Mkt. Sci. 41(4): 746-768.

Posner RA (1981) The economics of privacy. Am. Econ. Rev. 71(2):405-409.

Potluri SR, Sridhar V, Rao S (2020) Effects of data localization on digital trade: An agent-based

modeling approach. Telecommun. Policy. 44(9): 102022.

Schmitt, J and Miller, K and Skiera, B (2022) The Impact of Privacy Laws on Online User Behavior.

HEC Paris Research Paper No MKG-2021-1437. Available at SSRN: 3774110.

Shaine (2022). Understanding the iOS App Charts, Thunder Media (March 1)

https://thunderm.com/understanding-the-ios-app-charts/

Silva JS, Tenreyro S (2006) The log of gravity. Rev. Econ. Stat. 88(4):641-658.

Stigler GJ (1980) An introduction to privacy in economics and politics. J. Leg. Stud. 9(4):623-644.

Stutzman FD, Gross R, Acquisti A (2013) Silent listeners: The evolution of privacy and disclosure on

Facebook. J. Priv. Confid. 4(2):2.

Tambe P, Hitt LM, Brynjolfsson E (2012) The extroverted firm: How external information practices

affect innovation and productivity. Manag. Sci. 58(5):843-859.

Tang Z, Hu YU, Smith MD (2008) Gaining trust through online privacy protection: Self-regulation,

mandatory standards, or caveat emptor. J. Manag. Inf. Syst. 24(4):153-173.

The World Economic Forum (2020) Data free flow with trust (DFFT): Paths towards free and trusted data

flows. Report, The World Economic Forum, Geneva.

United Nations Conference on Trade and Development (UNCTAD) (2023), Measuring the value of e-

commerce. available at https:// unctad.org/publication/measuring-value-e-commerce (accessed

December 8, 2023).

United States International Trade Commission (USITC) (2017) Global digital trade 1: Market

opportunities and key foreign trade restrictions. Report, Washington, DC.

United States Bureau of Economic Analysis (BEA) (2023) U.S. Trade in ICT and potentially ICT-

enabled service. available at

https://apps.bea.gov/iTable/?reqid=62&step=9&isuri=1&product=4#eyJhcHBpZCI6NjIsInN0ZXBzI

jpbMSw5LDZdLCJkYXRhIjpbWyJwcm9kdWN0IiwiNCJdLFsiVGFibGVMaXN0IiwiMzU5Il1dfQ

== (accessed December 8, 2023).

World Bank (2016) World Development Report 2016: Digital Dividends. Report, World Bank,

Washington, DC.

Wottrich VM, van Reijmersdal EA, Smit EG (2018) The privacy trade-off for mobile app downloads: The

roles of app value, intrusiveness, and privacy concerns. Decis. Support Syst. 106:44-52.

Xu H, Teo HH, Tan BC, Agarwal R (2012) Research note—effects of individual self-protection, industry

self-regulation, and government regulation on privacy concerns: a study of location-based services.

Inf. Syst. Res. 23(4):1342-1363.

Yakovleva S, Irion K (2020). Pitching trade against privacy: reconciling EU governance of personal data

flows with external trade. International Data Privacy Law, 10(3):201-221.

Zhao Y, Yildirim P, Chintagunta PK (2021) Privacy regulations and online search friction: Evidence from

GDPR. Available at SSRN 3903599.