On May 25, the European Union’s General Data Protection Regulations become effective. Implementation of the substantive regulations is significant because it represents the first comprehensive attempt to reign in the tech giants’ ability to manipulate users’ private data without their knowledge or consent.
The overarching goal of the GDPR is to stop tech behemoths and related third parties from pressuring users to relinquish control over their private data as consideration for using the free social media services.
How and in what manner the original intent of the law will be realized and what impact the regulations will have on Facebook (FB, Financial) and Alphabet's Google (GOOGL, Financial) depends on a number of critical factors that security analysts ought to monitor closely.
First, how familiar are the regulators with the industry they will be regulating?
EU officials charged with implementing the new regulations have had extensive contact with Google and Facebook officials since last fall in order to understand how privacy issues are interwoven into the social media and internet search business models. However, the ad-tech business is complex with many moving parts. To some extent, rigorous enforcement is predicated upon the regulators understanding thoroughly the underlying business of the social media industry. In this regard, it is a fair assumption that some of the regulators are not terribly well-versed in the mechanics of the underlying ecosystem and how they can be used to abuse user privacy.
The regulatory history in the U.S. is replete with examples of the regulated staying one step ahead of the regulators. After the Glass-Steagall Act was repealed, would any politician have had the foresight to predict the catastrophic consequences of securitizing home mortgages? This same pattern or phenomenon may play out as the numerous provisions of the GDPR are implemented and unintended consequences ensue as a result of the vagueness or irrelevance of certain provisions.
One of the most important facets of the new regulations will be the manner in which the social media companies obtain a user's consent. Will the disclosures to consumers be meaningful, sufficient with which to allow them to make an informed choice? Or will the tech companies fail to adequately disclose the ramifications of the opt-out/opt-in choices and continue to use surreptitious means to obtain consent?
What language will be used on customers’ screens as notice of their privacy rights? Here, an important issue is the nature of the disclosure and the prominence with which it is displayed to users. In this regard, due to the fact these companies have had the benefit of operating in an environment of total laissez-faire, Facebook and Google, to date, have made disclosures as they see fit.
The linchpin of the entire GDPR is how and in what manner will Google and Facebook obtain a customer's consent for using their private data. These issues will be the subject of much contention. The effectiveness of the entire GDPR scheme, however, depends on how these questions are answered.
Carolyn Everson, Facebook vice president of global marketing solutions, recently said at a Wall Street Journal Conference in London that, “We are not anticipating major changes to our overall revenue and business model.”
Everson’s statement is, at best, fanciful and, at worst, highly misleading.
Everson’s comments were made in the immediate aftermath of the Cambridge Analytica scandal. It is too early to determine the extent of user dissatisfaction with Facebook’s misuse of private data because the extent of the collection activities to many users remains unknown.
When the full panoply of processes and data harvesting utilized by both Google and Facebook become known, it may create a consumer backlash that far surpasses the public furor over the earlier data breach incidents. This is largely due to the fact many customers believed the only privacy issues were in relation to some users’ personal data being used by a political campaign without their consent.
Regardless, this hardly scratches the surface in terms of how the tech giants collect private information and then sell it to third parties.
Those who find Google’s targeted advertising unobjectionable and an acceptable tradeoff for the services Google provides may be wholly ignorant of the extent and scope of its reach in tracking their privacy data.
It is not generally known that Google still tracks private information for those who have expressly opted out of its targeted advertising practices. This process is characterized as “shadow profiles,” because users who have chosen to opt out or not use the full array of its features are unaware that Google still collects their personal data. Does the GDPR address these deceitful practices and subterfuge?
Additionally, the process Google employs to obtain its users' permission borders on artifice or chicanery. For example, Android users of Gmail are asked repeatedly to enable access to the phone’s microphone and camera until they acquiesce, in most cases inadvertently. In other cases, the opt-out button is almost imperceptible.
Despite the potential for the tech giants running rings around technically uninformed and disengaged EU officials, there is one element in the law that should give tech companies pause. Depending on the nature of the infraction, the penalties imposed for noncompliance can be substantial. Under the GDPR, officials can assess fines of up to 4% of a company’s global revenue. Based on Facebook’s 2017 earnings, such a penalty could exceed $1.6 billion.
Although the short-term effects on the corporations, given the uncertainties noted above, may be de minims, it is almost certain the impact on earnings will worsen over time. Any discounted present value analysis should factor in the reality that, long term, the privacy regulations will become more comprehensive and stringent.
Two facts are certain: First, the GDPR will affect the companies' bottom lines. Second, any attempts to predict the impact with specificity, at this time, would be a fool’s errand.
Disclosure: I have no positions in any of the securities referenced in this article.
