How to build a regulated monopoly...
Regards
Craig
https://www.wsj.com/articles/how-europes-new-privacy-rules-favor-google-and-facebook-1524536324
Google and Facebook Likely to Benefit From Europe’s Privacy Crackdown
Big tech companies gain while smaller online ad firms are squeezed under the
European Union’s GDPR, which takes effect in May.
By Sam Schechner and Nick Kostov
April 23, 2018
When the European Union’s justice commissioner traveled to California to meet
with Google and Facebook last fall, she was expecting to get an earful from
executives worried about the Continent’s sweeping new privacy law.
Instead, she realized they already had the situation under control. “They were
more relaxed, and I became more nervous,” said the EU official, Věra Jourová.
“They have the money, an army of lawyers, an army of technicians and so on.”
Brussels wants its new General Data Protection Regulation, or GDPR, to stop
tech giants and their partners from pressuring consumers to relinquish control
of their data in exchange for services. The EU would like to set an example for
legislation around the world. But some of the restrictions are having an
unintended consequence: reinforcing the duopoly of Facebook Inc. and Alphabet
Inc.’s Google.
On May 25, the EU will begin enforcing the new rules, which in many cases
require companies to obtain affirmative consent to use European residents’
personal information. The change has sent shudders through the
digital-advertising sector, from online publishers to the analytics firms, data
brokers and buying platforms that use personal data to aim ads at individuals
in real time.
Google and Facebook, however, are leveraging their vast scale and
sophistication as they seek consent from the hundreds of millions of European
users who visit their services each day. They are applying a relatively strict
interpretation of the new law, competitors say—setting an industry standard
that is hard for smaller firms to meet.
Google told website owners and app publishers last month they would have to get
consent for targeted ads on behalf of each of their digital-ad vendors or risk
being cut off from Google’s ad network.
At the same time, Google told digital-ad vendors using its products they would
be blocked from targeting any user who hadn’t given specific consent to the
vendors and to each of their partners, according to a letter reviewed by The
Wall Street Journal.
Facebook has started showing its 277 million daily users in Europe detailed
prompts urging them to approve Facebook’s use of their personal information,
including sensitive items such as religion. One pop-up asks permission for
Facebook to use data from other sites and advertisers to target ads at people
on all of its apps, as well as on other websites where it sells ads.
Digital advertising companies, known as ad tech firms, say Google and
Facebook’s strict interpretation of GDPR squeezes their business. The ad tech
firms embed their own technology in publishers’ websites and apps, putting them
in competition with the tech giants.
Unlike the giants, the ad tech firms have no direct relationship with
consumers. They say Google’s and Facebook’s response pressures publishers to
seek consent on behalf of dozens of ad tech firms that people have never heard
of.
Irked internet users are apt to click “no,” the ad tech firms say. Or,
publishers may decide it’s simpler to just stop using smaller ad-tech companies.
A digital-advertising firm called AdUX recently closed a service that harvested
location data from people’s smartphone apps to show them targeted ads, said CEO
Cyril Zimmermann, because his firm had little hope of asking for—much less
getting—consent from users. Instead, AdUX will aggregate data from bigger
companies. He said the shift has cut into revenue.
“For them, it’s easy,” he said. “The problem is, who knows AdUX?”
Some advertisers are planning to shift money away from smaller providers and
toward Google and Facebook, the smaller firms say. “They are moving their money
where there is clear, obvious consent. The huge platforms are really
profiting,” said Joachim Schneidmadl, chief operating officer for Virtual Minds
AG, which owns ad tech firms in Germany.
“We’re aware that our customers and partners...have significant obligations
under these new laws,“ Google said in a blog post published when it informed
partners of its policy changes.
Asked by the Journal about its policy, Google said, “Under existing EU law,
Google already requires publishers and advertisers to get consent from their
end users for the use of our advertising services on their websites. We’re
asking our partners to refine the way they get consent for the use of Google’s
services on their sites, in line with GDPR guidance.”
At Facebook, Emily Sharpe, a privacy and public-policy manager, said the firm
has created a website and is holding workshops to help small and medium-sized
businesses comply. CEO Mark Zuckerberg recently told the U.S. Congress: “A lot
of times regulation by definition puts in place rules that a company that is
larger, that has resources like ours, can easily comply with but that might be
more difficult for a smaller startup.”
The EU’s Ms. Jourová said she believes European national regulators charged
with enforcing the law “will focus on those who can potentially do the biggest
harm to the privacy of people, and here I do not speak about small companies.”
“On the big guys increasing market share? I don’t believe [the law] will have
such a consequence,” said Ms. Jourová.
It’s not as though Facebook and Google ever could hope to face no headaches
from the law. Activists have vowed to file complaints against them.
Scrutiny will be high following revelations in March that Facebook let
political-data firm Cambridge Analytica siphon personal information of as many
as 87 million users without their consent. The new law authorizes fines of up
to 4% of a violator’s global annual revenue, or €20 million, whichever is
larger.
Court battles over whether companies are meeting GDPR’s requirement that
consent be “freely given” are likely to drag on for years, said Eduardo
Ustaran, a privacy lawyer at Hogan Lovells.
In the meantime, Google and Facebook are building on their powerful positions
in the digital ad market. They have reams of information on hundred of millions
of people who use their websites and apps in Europe. They also use “share”
buttons and ad tools on millions of websites to collect data on how people use
the internet. That is important information for determining consumers’
interests before showing them ads.
In one study of 850,000 internet users last year, mainly in the U.S. and
Europe, Google tracked 64% of all pages loaded by mobile and web browsers and
Facebook tracked 29%—more than double the next-biggest tracker, according to
Cliqz, which makes anti-tracking tools for consumers. The two giants are
expected to collect a combined 49% of all digital ad spending world-wide in
2018, says eMarketer.
That heft multiplies the advantages they have in requesting consent. Even if a
large number of users opt out of targeted ads from Google and Facebook in
Europe—something Facebook says it hasn’t seen—the two will remain by far the
largest sources of consenting consumers, making the duo must-buys for
advertisers.
“I’m stumped at how this will fundamentally change Facebook’s ad revenue” or
“impact the targeting of Google search,” said Mark Mahaney, an analyst at RBC
Capital Markets.
The idea of requiring consent to use personal information stretches back to the
1970s, when countries began passing data-protection laws. Germany’s 1977 law
helped shape Europe’s future approach: It forbade all but a few narrow uses of
personal information without an individual’s permission—which had to be in
writing.
With the rise of the internet in the 1990s, the EU decided to harmonize privacy
rules. The definition of consent remained somewhat open, referring to any
“specific and informed indication of wishes.” The new law says consent must be
“unambiguous” and communicated “by a statement or by a clear affirmative
action.”
That effectively rules out the widespread practice of pre-checked boxes.
Consent in the EU becomes something that is “opt-in” rather than “opt-out,”
regulators say.
Business-lobby groups howled when the text was made final in 2015. Smaller
companies soon were ringing alarm bells.
“The politicians wanted to teach Google and Facebook a lesson. And yet they
favor them,” a Brussels lobbyist for an media-measurement firm said at the time.
Once the law passed in spring 2016, Google and Facebook threw people at the
problem. Google involved lawyers in the U.S., Ireland, Brussels and elsewhere
to pore over contracts and procedures, said people close to the company.
Facebook mobilized hundreds of people in what it describes as the largest
interdepartmental team it has ever assembled.
Facebook lawyers spent a year scrutinizing the law’s lengthy text. Designers
and engineers then toiled over how to implement changes, according to Stephen
Deadman, Facebook’s global deputy chief privacy officer.
During the process, Facebook got frequent access to regulators across Europe.
It met with Helen Dixon, the data protection commissioner in Ireland, where the
company bases its European operations, and her staff to run through changes
Facebook was planning. Ms. Dixon’s agency provided the firm with feedback on
the wording of its consent requests, Facebook said.
“We’ve been getting their guidance over many months,” Mr. Deadman says.
Ms. Jourová, the EU’s justice commissioner, said the tech giants seemed scared
when she met with them in Washington a year ago. Google and Facebook then went
from trying to fight GDPR to deciding to use it to their corporate advantage,
said a person familiar with the meetings.
Travelling to Silicon Valley in September, this person said, Ms. Jourová sat
down with Facebook officials to discuss privacy, and met with Facebook Chief
Operating Office Sheryl Sandberg. The next morning, at a meeting at Google
headquarters, employees spent much of a two-hour breakfast meeting taking Ms.
Jourová through Google’s approach to compliance.
In mid-April, just before unveiling new opt-in consent pages, Facebook started
running ads in European newspapers saying the new law “means better protection”
and Facebook will ask users to “review how we can use your data.” Analysts at
Barclays said last week they expect the opt-ins will have a low-single-digit
impact on Facebook revenue, and might end up being immaterial.
“We’ve hit the mark,” Mr. Deadman says. “We’ll be fully compliant.”
Some publishers and ad tech firms, particularly in Germany, were taking a
different approach. Fearing users would consider detailed consent forms
intrusive, they zeroed in on an exception in the GDPR called “legitimate
interest.”
It would let companies use personal information without asking for consent so
long as they took other strict privacy measures. The companies remained
confident in the strategy even after EU privacy regulators raised questions in
February about the validity of using that exception for marketing-related
tracking across multiple devices or websites, as many firms do.
Then in March, Google forced the issue. It published an updated “User Consent
Policy” that will, as of May 25, require publishers and app owners that sell
ads through Google to request consent that specifically mentions every company
that might collect or process their users’ data, or risk being kicked off
Google’s system, according to a copy seen by The Wall Street Journal.
Because Google is involved in so many layers of the ad business, some
publishers say they have no choice but to comply, and others say they’re not
sure what they’ll do yet. “It’s the classic Google approach: Either you take it
or leave it,” said Carsten Schwecke, chief digital officer of Media Impact,
Axel Springer’s media sales division. “It is not a pleasant situation for a
publisher like us.”
Third-party data collectors that rely on websites to reach consumers,
meanwhile, worry that Google’s stance on consent will cut into their businesses.
“If you put the list of 120 companies on your home page, how is a user going to
make an informed decision?” said Alain Levy, chief executive of Weborama, a
Paris-based ad tech company. “We are a B2B company. We have no relationship
with the consumer.”
Some ad-tech companies have decided to pull out of Europe. Verve, which helps
marketers target people with ads using location data, said last week it will
shut its European operations, including offices in London and Munich, because
it feared publishers wouldn’t get consent from enough consumers, said Julie
Bernard, chief marketing officer.
Drawbridge, which helps marketers track users as they switch from one device to
another, also abandoned its ad business in Europe as a result of GDPR, shutting
its London office, said a spokesman for the California-based company.
Publishers worry that without a thriving third-party ecosystem of companies
that can help them sell targeted digital advertising, they will be forced
increasingly to turn to Google and Facebook—which also compete with them to
sell ads on their own websites. That would further increase the big companies’
market share.
In an attempt to cut a path to consent for these smaller tech firms, online-ad
trade group IAB Europe has put together a standardized system for websites and
apps to ask for user permission on behalf of the sometimes dozens of companies
that collect data or place advertising on a given destination. Vendors feed
information into the system about what they do with users’ data, and their
listings are available for the publishers to display in their consent requests.
As of Friday, only 13 vendors were listed as available to gather consent
through the system, according to an IAB Europe website.
“It is paradoxical,” said Bill Simmons, co-founder and chief technology officer
of Dataxu, Boston-based company that helps buy targeted ads. “The GDPR is
actually consolidating the control of consumer data onto these tech giants.”
Write to Sam Schechner at sam.schechner@xxxxxxx and Nick Kostov at
Nick.Kostov@xxxxxxx