Why Not Both? Or: Privacy Laws Won’t Fix Everything and That’s Okay
There’s a silly dismissal of privacy laws that goes something like this: because these laws require that data processors get opt-in consent from users, they empower Facebook and Google, which means these laws are failures on a grand scale. I thought this argument was absurd when it first appeared last year in relation to Europe’s GDPR, but California’s new CCPA has made it ripe and juicy again.
We warned folks that these big attempts to “regulate” the internet as a way to “punish” Google and Facebook would only help those companies. Last fall, about six months into the GDPR, we noted that there appeared to be one big winner from the law: Google. And now, the Wall Street Journal notes that it’s increasingly looking like Facebook and Google have grown thanks to the GDPR, while the competition has been wiped out.
“GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data,” says Mark Read, CEO of advertising giant WPP PLC. It has “entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”
So, great work, EU. In your hatred for the big US internet companies, you handed them the market, while destroying the local European companies.
The result is that not only is there a privacy/convenience tradeoff that users must navigate, there’s a privacy/competition one that regulators must navigate as well.
You want users to have transparent, wide-ranging choice in how their data is used, with companies they know?
Then you’ve got to limit data use to first-party companies with a big public brand and lots of public scrutiny, rather than a complex ecosystem of many data producers and vendors.
There is absolutely nothing wrong with making it harder for any company — large or small, American or European — from abusing users’ privacy. Besides, it isn’t as though most big websites carry only one tracker. The fewer companies that are able to build highly personalized profiles, the better.
More relevant, though, is that you probably can’t name many of these smaller ad tech companies, but you can name the three biggest ones: Google, Facebook, and Amazon. That’s probably because you have a profile with at least one of them, if not all three, so of course it’s easier for them to get consent from you. If you have a user account, they already have your consent.
I doubt that compliance costs — in the sense of documentation or technical support — prevent smaller firms from competing with the big three. It’s the first-party relationship that these companies have with their users. Remember: Google is not a software and services company, it is an advertising company with several interactive and useful features. Facebook is not a family of social networks and chat apps, but a personalized advertising company that entices you to give them as much data as you can. Amazon — well, they’re everything, but they’re also a big fan of advertising to you Amazon listings for the things you just bought off Amazon.
Complying with GDPR really is much harder for a company nobody has ever heard of that asks permission to keep a copy of your name, phone number, email address, and anything else you submit to an unrelated service. But why shouldn’t it be?
These privacy laws are not perfect, yet they’ve had an immediate impact. In the year-and-a-half since GDPR has been in effect, hundreds of millions of Euros worth of fines have been issued. Plenty of companies have had to tighten their privacy and security measures as a result. But, yes, Google, Facebook, and Amazon have become stronger as a result of their ease of compliance.
And that’s probably why the E.U. also has antitrust concerns about all three of these companies. There are currently open investigations into Amazon and Facebook. Google was fined a billion-and-a-half Euros for abusing its dominance in online advertising, which is particularly important since they have controlled the most widely-used ad exchanges even before GDPR went into effect.
GDPR and CCPA are largely good — if imperfect — first steps towards regulating the unhinged worlds of advertising technology firms and data brokerages. We should encourage our public representatives to set broad expectations about how our data may be collected and used. We also ought to fight for more people-friendly interpretations of antitrust law. It isn’t a failure that privacy laws fail to address antitrust concerns any more than it is a failure that restaurant sanitation requirements don’t rein in corn subsidies.
It’s possible to do both, and it isn’t indicative of poor policy that we should do both. Well, it isn’t indicative of poor privacy regulations, anyhow; it absolutely does point to missed opportunities for decades. Now is as good a time as any to fix those shortcomings.