Digital firms attract consumers and collect their data by offering service enhancements and data security. These require separate types of investment. In light of the GDPR, data collection now requires explicit consumer consent, i.e. opt-in. This changes the consumer default option and the data provision decision when consumers are loss averse. We examine the consequences for investment. We set out the conditions under which opt-in increases both types of investment and when security comes at the expense of service quality. We further find that most consumer types gain, even when service quality falls.