If 2019 was the year of the “techlash,” 2020 could bring a bit more clarity to how Big Tech will be regulated going forward.
This year brought a ramp-up in antitrust investigations, the first full year of Europe’s GDPR (General Data Protection Regulation) on the books, and record fines for privacy violations in both the U.S. and Europe. As for what lies ahead in 2020, regulators will dig in further on the tech sector’s handling of data, among other issues, with Facebook (FB) – Get Report, Alphabet (GOOGL) – Get Report, Amazon (AMZN) – Get Report, and others in the crosshairs.
As was the case with GDPR, the EU will lead the way in more aggressive oversight of privacy. And there are a few key debates to watch, according to Gabriela Zanfir-Fortuna, senior policy counsel at the Future of Privacy Forum.
One is an effort to update the ePrivacy Directive, a 2002 law that serves as the other major pillar of European digital privacy law. GDPR and the ePrivacy Directive, which requires user consent for cookies and other tracking devices, “have a very complex relationship,” said Gabriela Zanfir–Fortuna, a Senior Policy Counsel at the Future of Privacy Forum. Although updating the law has been discussed since at least 2017, EU regulators have not yet approved a framework for how the ePrivacy law should be updated to bring it into line with GDPR standards.
“It’s very difficult to strike the right balance,” she noted.
The most recent draft, which member states will debate next year for possible adoption, would expand the ePrivacy law’s scope to include IoT and machine-to-machine communication. If negotiations aren’t successful, tech firms eager for more clarity on what to expect from the updated ePrivacy directive may have to wait. If it is adopted, it will also ratchet up fines for violations, a la GDPR, which can apply fines of up to 4% of a company’s annual worldwide revenue.
Antitrust Meets Data
Competition and data privacy may seem like separate spheres, but regulators increasingly see an overlap where the biggest companies are concerned. And there are signs that European regulators could more explicitly tie the use of consumer data to antitrust enforcement.
Margrethe Vestager, head of the European Commission’s antitrust division, recently signed on for a second term in that role, and also assumed expanded oversight powers over digital policy, not strictly limited to competition. That’s a sign of things to come, noted Zanfir-Fortuna.
“It gives her more power to be more strategic, and influence more of the policies of the EU,” Zanfir-Fortuna said.
Vestager recently outlined an agenda that includes updating EU antitrust law in a way that will “take into account the value of data whenever EU antitrust regulator looks at market power and other competitive factors,” Zanfir-Fortuna added. “We’ll see a lot of action in this space.”
In the U.S., regulators are also taking a harder look at how data may be used to unfairly stifle competition or evade government oversight. Earlier this week, the WSJ reported that the FTC may seek an injunction against Facebook as soon as January to stop the company from further integrating apps that regulators might seek to separate as part of a future breakup of the company. Facebook has sought to consolidate its data and advertising business on its core social network with Instagram and WhatsApp.
U.S. Privacy Laws
Although big tech firms have been pushing for a U.S. federal privacy law, with impeachment and a presidential campaign in the air, that looks unlikely to materialize in 2020. There are a few state laws on the books, namely California’s Consumer Privacy Act, which goes into effect in January. And dealing with a patchwork of state laws comes with its own set of problems, according to Robert Cattanach, a partner at Dorsey & Whitney and former trial attorney for the DOJ.
Contrary to popular assumptions that U.S. privacy rules will amount to watered-down versions of GDPR, Cattanach said that we may see some progressive U.S. jurisdictions propose even more aggressive regulatory schemes — particularly in the digital advertising space. Expect more scrutiny of “real-time bidding” — the ubiquitous, yet opaque, mechanism by which programmatic ads are bought and sold online.
“There is a lot of personal information that’s subject to real-time bidding, but no one really understands it other than the mysteries ad tech agencies,” Cattanach said. “Particularly in the EU, the regulators thought that GDPR would make some of that industry more transparent, and it hasn’t it hasn’t changed a thing.”
Owing in part to those frustrations, some U.S. jurisdictions may seek to rewrite the rules of real-time bidding by “making disclosure requirements more proscriptive, or use the concept of monetizing personal information to require compensating consumers” in the bidding process, Cattanach added.
In the absence of a federal privacy law, California’s privacy law is the de facto standard in the U.S. And while major tech firms with ample resources can more easily fall into compliance in 2020, one of the unintended consequences of CCPA that it places “a disproportionate burden on smaller and mid-size companies who don’t have the resources,” Cattanach said.
Alphabet, Facebook and Amazon are holdings in Jim Cramer’s Action Alerts PLUS member club.