• by Ray Schultz , Columnist, August 9, 2021

GDPR has been terrible for European startups. And we’re not just talking about compliance costs: It’s about access to money. 

Investment in startups has fallen by 36% within the EU since the regulation took effect in 2018, according to an “The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment,” an article offered by Marketing Science, as reported by AdExchanger.  

In contrast, the U.S. and the rest of the world saw at least small increases in the number of deals per month. Of course, in general, the EU was flat while U.S. and companies from other locales saw gains of 50% from 2017 to 2018, the article continues.

EU investment fell by half in late 2019 and 2020 after COVID-19 lockdowns began to take hold. Investment also fell sharply in the U.S., but quickly recovered over 2020, while in the EU did not. 

EU venture capital was “stuck in neutral,” the article notes. 

If there’s any good news, it’s that this isn’t stopping entrepreneurs — privacy and security startups have increased by 50%, more than in the U.S. 

It’s just that people don’t want to put money into them. Mature startups seeking more capital fared more poorly than companies at the seed state. And healthcare firms also suffered a significant drop-off in capitalization. 

Co-author Liad Wagman had studied the impact of the Gramm-Leach-Bliley Act in the U.S., which included data-protection replies for financial institutions. He found there was a decline in investment after the Act became law, which switched from default customer consent to an opt-in consented model. 

And what impact is GDPR having otherwise? A recent webinar by Cooley LLP revealed that EU authorities are making "more mature and sophisticated enforcement decisions."

Cooley also reports that data transfers have been become a key challenge for global organizations, and that Brexit has added a level of complexity.

And while it seems that GDPR effects Europe more than the U.S., that is no longer true, given Alabama's new data breach notification law and bills in Washington, Virginia and New York.

We shall see if these laws will have the same dampening effect on investments as the GDPR does in Europe.