Apple, Amazon and Google Also Are Bracing for Privacy Regulations
Apple, Amazon and Google Also Are Bracing for Privacy Regulations
U.S. technology companies have stayed largely exempt from significant government regulation and self-policing of privacy, but that is about to change
By Christopher Mims April 8, 2018 8:00 a.m. ET
We are finally waking up to the fact that we aren’t merely “the product” of companies like Facebook Inc. and Alphabet Inc.’s Google. As one Silicon Valley investor put it, we are their fuel.
At least our personal data is: Every week, it seems, we are treated to fresh revelations of hacks, leaks and exploitation of our information, along with ever louder cries for regulation and consumer protection, in the U.S. and Europe.
What is less appreciated is the degree to which Apple Inc. and Amazon.com Inc. —which must maintain a direct relationship with their paying customers—could also be affected, both for good and for ill. (Another tech giant, Microsoft Corp., hasn’t played as big a role in the smartphone revolution and hasn’t seen similar growth, but it too must comply with forthcoming regulation.)
The past decade saw an explosion in revenue and value for these four companies sufficient to put them atop the global economy. But the laissez-faire environment in which they have operated is for the first time plausibly coming to an end.
Going public during a decade largely devoid of regulation, the data-hungry Facebook has seen revenues explode.
Google Also Rises
Google’s fortune was aided by the Android mobile OS, which enabled better ad tracking and location services.
Unlike other giants, Amazon doesn’t need to buy your shopping history to track your spending. That data fuels its recent boom.
And Let’s Not Forget Apple
The iPhone’s mobile OS may be designed with privacy in mind, but its App Store has been a data collector’s dream.
Facebook is the lightning rod: Across the political spectrum, statements by public figures and recent surveys reveal Americans are suddenly more concerned about the power of Facebook. Possibilities that seemed remote just six months ago, such as action by state attorneys general, are now reality. Missouri’s AG is demanding Facebook say which political campaigns paid for users’ personal data and whether users were notified.
In Europe, strict privacy regulations known as the General Data Protection Regulation come into force on May 25.
GDPR is designed to include penalties that are “effective and dissuasive.” Depending on the offense—including mishandling of personal data, failure to exclude children from age-inappropriate services or content and many others—fines can be as high as 4% of a company’s global revenue. Based on 2017 revenue, for Facebook that could be $1.6 billion.
And as GDPR rules could cover EU citizens no matter where they live or travel, multinational companies may not be able to simply fence off their services geographically. Facebook Chief Executive Mark Zuckerberg recently said his company is working on extending GDPR protections to every user.
Mr. Zuckerberg also recently said that regulation of companies like Facebook is inevitable, and that he supports mandating that internet companies label political advertising, something the company has already pledged to do.
This is on top of the EU’s parallel effort to force U.S. tech giants to change how their services work on antitrust grounds, which is inspiring lawmakers in the U.S.
The recent bipartisan passage of the Stop Enabling Sex Traffickers Act, which potentially opens up all online services to liability for facilitating human trafficking, was a blow to tech’s decades of legal immunity. Calls for more industrywide regulation are coming from many quarters, and rumblings of legislative action are now coming from Big Tech’s former allies.
“Almost uniquely in the U.S. economy, internet giants have had essentially no regulatory burdens,” said Roger McNamee, an early investor in Facebook and now frequent critic of it and others like it. “That’s not normal for businesses that have as much impact as these have.”
Brianna Wu, a game developer now running for Congress in Massachusetts, said if elected she will propose an “omnibus bill of rights” governing how tech companies will have to handle our data. Like GDPR, this would affect every company gathering our data, from Big Tech to the many companies that recently had breaches, including Equifax and Saks and Lord & Taylor.
Google has an advertising model that is just as data-hungry as Facebook’s. It doesn’t just gather our search history and location; its YouTube platform tracks our taste in media. Since 2012, the company has pooled data on us across all its properties.
Arguably, Google has more experience than Facebook with regulators: In 2013, Google settled with the Federal Trade Commission over competition issues, and for months it has been promoting its efforts to comply with GDPR. Yet unlike Facebook, Google isn’t planning to roll out GDPR-type privacy protections everywhere it operates, so it could be less prepared should similar rules come to the U.S.
Amazon already runs a $2.8-billion-a-year advertising business that targets ads using harvested data. But Amazon doesn’t have to buy our purchase history from data brokers—information even Facebook says it will eliminate from its advertising system. Since Amazon’s retail-and-advertising ecosystem is mostly self-contained, it won’t have to change as many practices as its competitors will. Still, the full burden of GDPR won’t become clear until customers and their lawyers begin to test its sometimes-vague protections.
“Amazon has a longstanding commitment to privacy and data security, and we are committed to complying with GDPR requirements when they come into effect,” an Amazon spokesman said.
GDPR is likely to strengthen Apple’s position in the short term. “Apple will find GDPR to be very much consistent with its value system,” Mr. McNamee said. Apple advocates differential privacy, an approach to data collection that is meant to prevent our data from being personally identifiable. It has already rolled out changes to the iOS mobile operating system in anticipation of the regulations.
Apple CEO Tim Cook likes to say his company would never make the same kind of mistakes that Facebook has. But Mr. Cook’s confidence belies the fact that Facebook—now overwhelmingly accessed via mobile devices—would scarcely exist without the iPhone and its Android-powered imitators.
Apple also makes it possible for developers to obtain lucrative personal information. For example, in at least one instance, vague permissions on the iPhone and Android phones mean we are a tap away from letting strangers sell our location data.
While Apple does enforce rules in its App Store and requires developers to justify requests for unusually rich information, the company doesn’t require every developer to protect privacy to its same rigorous standards.
Facebook may be making most of the headlines right now, but in the long run Apple, Google and Amazon also are likely to face emboldened regulators who make rules not just for what companies do with our data, but for the devices that gather the data in the first place.