Platforms, not regulators, are driving data privacy enforcement

For starters, there’s more of them. They’re also — if you include Google’s plans for the third-party cookie and Apple’s ongoing anti-tracking restrictions — commercial enterprises, rather than government bodies. 

It’s not an exact like-for-like: Platforms don’t make or change policy on how publishers collect or use data directly from their users. Google’s decision to not build alternate identifiers to track individuals relates to its own products. But Google and Apple’s dominant market positions do mean when they make changes, they cause tidal waves across the rest of the digital advertising supply chain. 

And so unlike GDPR or CCPA, which involve compliance with legal, rather than just technical frameworks, the moves Google and Apple are about to make will cause immediate shockwaves the day they are implemented.  

There isn’t much choice but to fall in line.  

“We’re barnacles on the whale,” said Bob Regular, CEO of Infolinks. “If you measure us all relative to Google or Apple — sometimes they aren’t even aware we’re there. They may be happy to let us feed from them, but if they make a move and then we fall off, they’re indifferent.”

In the U.S. the lack of federal privacy law has left the door wide open for Google and Apple to call the shots, according to Regular. “Currently we’re moving toward states-rights-level privacy. It’s untenable — you can’t build plumbing at a state level, we need a federal version. And at the moment the first [federal attempt] is Apple and Google. They’ve taken the lead on what they say is the right solution — for right or wrong,” he said. 

Traditional regulators’ methods aren’t perfect either. When regulatory change is announced businesses are left to interpret the new legal requirements and adapt their business models as they see fit. The result can be messy, confusing, and lead to numerous attempts to flout or circumvent the rules — as seen with the response to the European Union’s General Data Protection Regulation which went into effect in 2018 after a two-year grace period.

What’s more, the intent of GDPR — to give users back more control over their personal data and ensure it’s not misused by hidden players in the digital advertising ecosystem — has resulted in a horribly confusing, annoying user experience in Europe, with every website featuring their own pop-up messages requesting consent for collecting data. Privacy activists believe regulators have failed to properly enforce the law at scale. “One of the issues around regulations is the incredible lack of active and at-scale enforcement,” said Ruben Schruers, group chief product officer at media investment analysis firm Ebiquity. “Essentially so far, the regulations are all bark and no bite.”

The privacy-led changes driven by platforms Apple and Google are all bite. Plus, they are binary — not open to interpretation. Naturally, that results in people questioning whether this biting behavior is fair and the underlying reasons are honest or have a double agenda, added Schruers. 

Preparing for GDPR was a legal nightmare. Publishers, agencies and ad tech vendors in particular squandered time procrastinating, spent months rewriting legal contracts to shift liability for fines to other partners in the digital ad supply chain, and argued over who was a data controller (and therefore on the hook for eye-watering fines) and who was a processor (not on the hook for fines). But in hindsight, at least there was wiggle room.

The platforms allow no wiggle room. And the changes required are all technical rather than legal. “The grace period was far longer with regulators — businesses were told by local authorities to try their best to respect GDPR and they, in turn, wouldn’t fine them for a given period of time,” said Remi Cackel, chief data officer, Teads. “But with Google, there will be a hard unplug once [third-party] cookies are pulled. Technically speaking you have no choice; it will happen overnight.”

And yet, for some, the changes are a long time coming and — for tech platforms pushing the privacy agenda — are welcome. “The spirit of GDPR and CCPA [California Consumer Privacy Act] is at the heart of what the browsers are doing,” said Amit Kotecha, global marketing director, Permutive. “The ad industry has prioritized this hyper-targeting over data ethics for a long time.”

Yet when it comes to global enforcement, even the platforms may hit roadblocks. Case in point: Apple’s anti-tracking drive is currently being challenged in China, where the state-backed trade group The China Advertising Association has reportedly begun its own ID workaround, which lets apps track users for advertising purposes even if the users haven’t opted in. China is a crucial market for Apple, so the tech player’s response will be the ultimate stress test of how seriously Apple plans to prioritize privacy over its commercial road map. Meanwhile, Google has also hit a snag with the planned rollout of Federated Learning of Cohorts (FLoC) in Europe, thanks to GDPR.

It may be that countries can’t curb the dominance of the tech platforms, but they can at least slow them down.