Stay Agile Blog


Privacy isn't a revenue killer — new research says the opposite

audience trust brand investment strategy privacy Jun 02, 2026

There's a story many organizations tell themselves about privacy: It costs money, slows things down, and limits what you can do with data. Legal teams run compliance checklists. Finance teams revise forecasts downward. Executives prepare for disruption.

That story is incomplete, and stopping at the first chapter is costing organizations real money.

Three bodies of research published over the last several years are now pointing in the same direction. Privacy protection, done well, is a growth driver. 

Privacy As a Growth Driver: The Numbers Don't Lie

Harvard Business Review recently published research from four professors at the University of Kentucky, University of Nebraska-Lincoln, Colorado State, and University of Washington. They examined 280 brands over four years, linking privacy practices (measured by legal analysis of company policies) to customer purchase intent (drawn from YouGov surveys of 30 million consumers).

The finding was that brands with strong privacy practices saw 12.31% higher purchase intent than brands with weak ones.

It gets more specific.

In a controlled experiment, participants rated a fictitious tax services company. With weak privacy practices, people's likelihood to use the company averaged 2.86 out of 7. With average practices, that jumped to 4.35. With strong practices: 5.26. That's not a rounding error; that's a fundamentally different customer relationship.

The same research found that shareholder value for brands that embrace privacy is $869 million higher on average than those that don't. And when those same privacy-forward companies face data breaches, they generate even more shareholder value relative to peers because their prior investment in trust becomes a buffer.

McKinsey's research adds another dimension. Surveying 1,300+ business leaders and 3,000+ consumers, they found that digital trust leaders are 1.6x more likely to see revenue and EBIT growth of at least 10%. Forty percent of consumers have pulled business from a company after learning it wasn't protective of their data. Forty-six percent said they'd consider other brands if a company was unclear about how their data would be used.

These aren't hypothetical. These are purchasing decisions happening right now.

Measuring Privacy Investment Impact Over Time 

A third study — published in HBR in June 2026 by researchers from the University of Nebraska-Lincoln, University of Kentucky, University of Notre Dame, and University of Washington — analyzed 10 major privacy regulations across 24 countries and 2,039 companies. They tracked both immediate market reaction and long-term performance.

Here's what the data actually showed: when a new privacy regulation is announced, stock prices drop. Markets see compliance costs coming, assume disruption, and price in the pain. That part is real and consistent across every country and regulation in the study.

But the researchers didn't stop there. They kept tracking.

What they found is that the initial dip is not the full story; it's just the part that's most visible. In the years following a regulation, many companies not only recovered but outperformed.

The mechanism is straightforward. When a company updates its data practices and those updates become visible to customers and business partners, the company signals trustworthiness. That signal strengthens relationships. What looked like a compliance burden starts functioning as a competitive signal.

Here's what pulling back looks like in practice: a regulation lands, legal gets involved, leadership sees the compliance price tag and decides to do the minimum — update the privacy policy, add a cookie banner, check the box. No investment in data governance systems. No cross-functional coordination. No documentation of what data actually flows where. Just enough to technically comply, as cheaply as possible.

And here's what continued investment looks like: the same regulation lands, and instead of minimum viable compliance, the organization maps its data. It builds processes for how personal information is collected, stored, and shared. It gets marketing, product, legal, and technology in the same room. It creates documentation it can actually hand to a vendor or a regulator.

The first path feels cheaper in quarter one. But when the next regulation arrives — or a partner asks for a data processing agreement, or an ad platform flags a policy violation — the organization that did the minimum has to start over. They're building from scratch, under pressure, on a deadline. Every new compliance requirement costs them as much as the last one.

The organization that invested through the dip already has the foundation. New regulations become updates to existing systems, not full rebuilds. Vendor negotiations move faster because the documentation already exists. The cost paid once keeps paying forward.

The companies that pulled back investment when they saw the early losses locked in those losses. The companies that stayed the course converted the cost into capability.

The most concrete example: companies that built strong compliance infrastructure for GDPR didn't have to start over when AI regulation began to emerge. The data governance systems, the privacy policies, the internal processes — all of it transferred. An investment made once became reusable infrastructure for the next regulation, and the one after that. Meanwhile, organizations that delayed are now paying to build under pressure what their competitors built at their own pace.

The researchers are careful to note that the payoff isn't uniform. It's faster in markets where enforcement is strong and customers care about privacy, slower where those conditions aren't in place. But the direction is consistent. The dip is temporary; the differentiation is durable.

The problem isn't that privacy investment doesn't pay off. It's that leaders evaluate it on a timeline that's too short to see the return — and then make irreversible decisions based on incomplete information.

What the Research Actually Calls For: Customer Data Privacy Stewardship

The Harvard Business Review research introduces a useful framework of customer data privacy stewardship. It's distinct from compliance.

Stewardship, as we know in fundraising, means caring for something on behalf of others over the long term, not exploiting it for short-term gain.

Three things make privacy stewardship real rather than performative:

  1. It's visible. Customers can see that you're doing it. Not through longer privacy policies, but through clear communication, meaningful user controls, and consistent behavior.
  2. It reflects genuine responsibility. Not "we comply with applicable law," but a demonstrated assumption that customer data is yours to protect, not yours to monetize.
  3. It's embedded, not bolted on. Privacy is part of the product, not layered over it. That requires coordination across marketing, fundraising, product, legal, and technology, not a single department checking a box.

When those conditions are met, something specific happens psychologically. Customers develop what the researchers call perceived privacy benevolence. They infer that you genuinely care about their interests. Their privacy concern decreases. Their willingness to engage, purchase, and stay loyal increases.

Trust is built through repetition, not a single message. Which means the window to start building it is always now.

The Trap We Keep Falling Into

Sometimes, I hear organizations frame privacy as a cost question: how do we spend as little as possible while staying compliant? That framing reliably produces the worst outcomes: late-stage compliance debt, ad account suspensions, delayed partnerships, eroded audience quality, and eventually, the kind of breach that wipes out years of relationship-building.

The reframe isn't complicated, but it requires a different starting point.

Instead of asking "How do we minimize the cost of privacy?", ask "What becomes possible when privacy is treated as infrastructure?"

Faster vendor negotiations. Better email deliverability. More reliable analytics. Audiences that actually want to hear from you. Partnership conversations that don't stall over data handling questions. Platform accounts that stay live when others are getting suspended.

That's not compliance. That's operational capacity. And organizations that are building it now will have a structural advantage over those that wait for a regulation or a breach to force the issue.

Ready to Rethink Your Approach?

If your organization is still framing privacy as a cost question, we should talk. Agility Lab works with organizations to reframe privacy as operational infrastructure and to build the systems that turn that reframe into measurable results.


Common Questions: Privacy as a Revenue Driver

Why do so many organizations still treat privacy as a cost center if the research shows otherwise?

A few reasons. The costs of privacy investment are immediate and visible — legal fees, platform implementations, team time. The benefits are slower to materialize and harder to attribute directly to privacy work. The McKinsey and HBR research helps, but most organizations aren't reading academic journals. They're reacting to their Q4 numbers. Changing this requires a deliberate reframe at the leadership level, which is exactly the kind of work worth doing before you're forced to.

Does this research apply to nonprofits and smaller organizations, or just large brands?

The studies skew toward larger brands because that's where the measurable data is, but the underlying dynamics are the same at any scale. If anything, smaller organizations and nonprofits are more dependent on trust as a differentiator — they can't out-spend their competition, but they can out-trust them. The purchase intent findings in particular apply directly: your audience is making the same decision about whether to donate, volunteer, or advocate based on how much they trust you with their data.

We're already GDPR and CCPA compliant. Isn't that enough?

Compliance is the floor, not the ceiling. The research distinguishes between companies that meet regulatory requirements and those that treat privacy as a strategic asset. The 12.31% purchase intent advantage and $869M shareholder value premium don't go to the companies that checked the compliance box — they go to the companies whose customers can see them caring. Visible, consistent, embedded privacy practice is what drives the numbers. Compliance alone doesn't get you there.

What's the first step if we want to start treating privacy as a competitive advantage?

The reframe comes first. If your leadership team views privacy primarily as a legal obligation, the investment decisions that follow will be structured around minimum viable compliance. Starting with the question "how does privacy create value for our customers and for us?" produces entirely different decisions about where to invest, what to communicate, and how to build. From there, a privacy audit — understanding what data you're actually collecting, why, and what you're doing with it — gives you the foundation for everything else.


 

Sources: "Customer Data Privacy Stewardship," Moffett et al., Journal of Marketing, 2025; "Turn Privacy Regulation into a Competitive Advantage," Chisam et al., HBR, June 2026; McKinsey & Company, "Why Digital Trust Truly Matters," 2022.
