How tech platforms act as private regulators of privacy

In an insightful article on AdExchanger, Allison Schiff notes that the ad industry is facing two interrelated “existential threats“: government legislation (think of e.g., the GDPR or the CCPA) and policy changes coming from big tech (Google and Apple). But, contrary to what one might initially think, it is the platforms’ changes that are the most challenging for the industry; one may even dare say that the policy changes of private actors carry in practice greater weight than any government legislation.

Legislation needs time to pass, and even then it needs time to be enforced by regulators (e.g., Data Protection Authorities) and clarified by the courts, where affected parties may resort in exercise of their right to judicial protection. Platforms, on the other hand, as Allison Shiff explains, “can and do flip a switch to make a change. Google and Apple can make decisions on the fly, and the millions of companies that rely on their platforms just have to roll with them.” Online advertising is the primary field where Google and Apple have thrown their weight around, achieving a quasi-regulatory status for millions of businesses.

Google has long invoked the GDPR or more general privacy considerations to engage in a variety of controversial moves that -whether intentionally or not- seem to harm others but not itself (for a good overview, see here and here). In its Final Report on its market study on Online platforms and digital advertising, the CMA expressed the concern that alongside Facebook, Google has “a clear incentive to apply a stricter interpretation of the requirements of data protection regulation when it comes to sharing data with third parties than for the use and sharing of data within [its] own ecosystem[s]” (paragraph 5.329).

But Google’s quasi-regulatory role for online advertising is most manifest when one considers Chrome’s expected deprecation of third-party cookies, which according to the CMA are a “fundamental building block” of online advertising. Google and Chrome engineers have apparently taken the view that tracking individuals across sites (currently done through third-party cookies) is not acceptable from a privacy perspective – even if there is user consent per the applicable privacy legislation. To enhance privacy without breaking online advertising, Google has put forward a number of alternative proposals to third-party cookies, named the Privacy Sandbox. Under the Privacy Sandbox proposals, currently being debated at the World Wide Web Consortium (W3C), user tracking will be possible only at a cohort level, so that no user can be identified individually. While this might be a laudable aim in theory, there may be concerns that Google is not holding itself to the same standard (since Google will still be able to identify individual users on its own sites, which are among the most frequently used online – and potentially across sites when the user browses in sign-in mode on Chrome).

At a more fundamental level, and without taking position on whether replacing cookies with the Privacy Sandbox is on balance good or not, it is interesting to observe that this is a decision of a private actor with no accountability, that is about to fundamentally shape online advertising on the open web, but also user experience and privacy online. Chrome has a market share in excess of 66% on a worldwide basis, and Google has an outsized role in shaping web standards (as the House Judiciary Antitrust Report noted at page 229). One may wonder whether such great power should come with some form of responsibility to ensure e.g., that Google cannot use such power to favor itself (e.g., by giving privileged access to browser information to its own activities). Google could easily dispel these concerns by offering some legally binding commitments to regulators.

On its part, Apple markets itself as the privacy champion. Its Safari browser has long cracked down on cross-site tracking, making digital advertising on Safari less efficient for marketers and less profitable for publishers. More recently, Apple announced that moving forward, app developers (and their ad tech partners) will not be able to access the iPhone’s IDFA (Identifier For Advertisers; this is a random number identifying each iPhone, used for advertising purposes much like a cookie is used for advertising on the web) and/or track the user across apps unless they obtain explicit opt-in user permission, allegedly for privacy reasons. Apple’s announcement has left the iOS developer community in a state of unprecedented disarray, since the IDFA is the bedrock of online advertising in the iOS app environment. We shall return to this policy change in a subsequent blog post.

All in all, one cannot help but observe how a handful of companies “can and do flip a switch to make a change” which affects millions of businesses, which they will easily justify as a win for privacy – even though reality may be more nuanced, either because their decision can have negative effects on competition, or may do nothing to curtail their own privacy-intrusive practices. And a whole industry has to dance to the beat of their drum…

To be continued…

2 thoughts on “How tech platforms act as private regulators of privacy

Leave a Reply