How Antitrust Regulators Threaten Consumer Privacy Innovations
Large tech companies face increasing scrutiny from antitrust regulators around the world over how they manage consumer data. The argument put forth by the anti-tech crowd is that these large firms use their market power to treat consumers unfairly—effectively charging consumers more than they would otherwise be willing to pay by reducing privacy protections and offering them an inferior product. For example, the U.S. House Antitrust Subcommittee’s big tech antitrust report argued that these firms “degrade Americans’ privacy.” A casual observer would likely assume that increased antitrust scrutiny should yield more privacy for consumers. But perhaps counterintuitively, the opposite appears to be the case—suggesting that antitrust regulators might be exacerbating the very problem they claim they want to fix.
While most large tech companies have faced privacy complaints at one time or another (even though they often invest more in protecting consumer privacy than smaller and non-tech businesses and don’t share personally identifiable information), virtually all of them have taken numerous steps to improve consumer privacy over time, including to comply with the numerous new laws and regulations around data protection, such as the General Data Protection Regulation (GDPR). For example, Google has developed a suite of controls to allow users to manage their personal data, both on the web and on its devices, and Facebook has repeatedly upgraded its Privacy Checkup tool to allow users to review their privacy settings. And these companies leverage advanced data analytics to detect and respond to threats. For example, Apple stopped nearly $1.5 billion in fraudulent transactions last year, including by blocking apps that violate its privacy features or mislead users. Moreover, these large tech companies have invested in and brought to market a number of significant privacy innovations, from end-to-end encryption to differential privacy.
Yet many of these companies now find themselves in a precarious “damned if they do, damned if they don’t” position on privacy issues. If they ignore opportunities to improve consumer privacy, then antitrust regulators can claim that they are refusing to do so because they are abusing their market power. Yet if they continue to take steps to improve consumer privacy, antitrust regulators may start suggesting that these actions are unfair to their competitors. Antitrust regulators thus have created a privacy dilemma—in both cases, regulators may allege antitrust law violations. And this lack of legal certainty deters innovation.
This Catch-22 isn’t just a no-win scenario for businesses, it’s also bad for consumers. For example, after Apple announced that it would change its operating system and privacy policy to require users to opt in before apps can access the unique identifier for advertisers (IDFA) that Apple assigns to each device, the state-backed Chinese Advertising Association announced the creation of the China Advertising ID (CAID) to circumvent the change. The CAID would create a workaround that would fingerprint each Apple device, thereby allowing apps to track users again. Apple could respond to the CAID by blocking any app that implements it in violation of its App Store policies, but the Chinese and others know tech companies like Apple must tread carefully lest they face the wrath of the regulators. If regulators force Apple to allow apps that use CAID to be installed on its devices, it would mean consumers would have even less control of their data than before.
Or consider some of the other critiques made about the privacy innovations from these companies over the past few months.
For example, Google has announced that it is phasing out third-party cookies in its Chrome browser and is instead replacing them with the “Privacy Sandbox” (also known in tech circles as federated learning of cohorts, or FLOC). The idea is that instead of associating individuals with unique identifiers, users will instead be grouped based on common interests that advertisers can target. But in March, a group of state attorneys general filed an antitrust complaint arguing that Google’s Privacy Sandbox unfairly hurts other advertisers—never mind the fact that other major browsers likewise have blocked third-party cookies. The European Commission and the UK’s Competition and Markets Authority have similarly announced that they are investigating these actions as potential anti-competitive acts.
Or consider how Apple made changes to how apps can access user location data from mobile devices, at least partially in response to the many policymakers who have repeatedly argued that tech companies should do more to protect consumers’ sensitive location data on mobile devices. After making that change, of course some apps that use location data were impacted, and so Apple has been hit with accusations that its changes are designed, as U.S. Sen. Amy Klobuchar (D-MN) recently argued, to “exclude or suppress apps that compete with their own products.”
While some antitrust regulators have given the green light to such changes, most appear to be taking the countervailing antitrust arguments seriously. There is a fundamental tension between antitrust regulators prohibiting privacy innovations and antitrust regulators requiring them. And if regulators take a narrow view of foreclosure effects—viewing privacy innovations by large tech companies as unfairly restricting access to a market—they will frustrate global efforts to improve data protection and undermine privacy innovations. For example, the United States should pass legislation to create a national privacy framework that streamlines regulation, preempts state laws, and establishes basic consumer data rights while minimizing the impact on innovation. But unless antitrust regulators resolve this issue, large tech companies will still struggle to implement the spirit of a new privacy framework. Unfortunately, antitrust regulators have already created this privacy dilemma, and the resulting legal uncertainty will slow the deployment of many advances in consumer privacy, thereby hurting the very people regulators say they are trying to protect.
