May 25th is the day the European Union’s General Data Protection Regulation (GDPR) goes into effect. It’s more likely than not that any reader of mine already knows all about GDPR, but for those who don’t, it’s the most significant new framework for data regulation in recent history. Not only does every company that does business with an EU citizen have to comply with GDPR, but most major Internet companies (like Google, Facebook, etc) have already announced they intend to export the “spirit” of GDPR to all of their customers, regardless of their physical location. Given that most governments still don’t know how to think about data as a social or legal asset, GDPR is likely the most important new social contract between consumers, business, and government in the Internet’s history. And to not bury the lead here, I think it stinks for nearly all Internet companies, save the biggest ones.
That’s a pretty sweeping statement, and I’m not prepared to entirely defend it today, but I do want to explain why I’ve come to this conclusion. Before I do, however, it’s worth laying out the fundamental principles driving GDPR.
First and foremost, the legislation is a response to what many call “surveillance capitalism,” a business model driven in large part (but not entirely) by the rise of digital marketing. The grievance is familiar: Corporations and governments are collecting too much data about consumers and citizens, often without our express consent. Our privacy and our “right to be left alone” are in peril. While we’ve collectively wrung our hands about this for years (I started thinking about “the Database of Intentions” back in 2001, and I offered a “Data Bill of Rights” back in 2007), it was Europe, with its particular history and sensitivities, which finally took significant and definitive action.
While surveillance capitalism is best understood as a living system — an ecosystem made up of many different actors — there are essentially three main players when it comes to collecting and leveraging personal data. First are the Internet giants — companies like Amazon, Google, Netflix and Facebook. These companies are beloved by most consumers, and are driven almost entirely by their ability to turn the actions of their customers into data that they leverage at scale to feed their business models. These companies are best understood as “At Scale First Parties” — they have a direct relationship with their customers, and because we depend on their services, they can easily acquire consent from us to exploit our data. Ben Thompson calls these players “aggregators” — they’ve aggregated powerful first-party relationships with hundreds of millions or even billions of consumers.
The second group are the thousands of adtech players, most notably visualized in the various Lumascapes. These are companies that have grown up in the tangled, mostly open mess of the World Wide Web, mainly in the service of the digital advertising business. They collect data on consumers’ behaviors across the Internet and sell that data to marketers in astonishingly varied and complex ways. Most of these companies have no “first party” relationship to consumers; instead they are “third parties” — they collect their data by securing relationships with sub-scale first parties like publishers and app makers. This entire ecosystem lives in an uneasy and increasingly weak position relative to the At Scale First Parties like Google and Facebook, who have inarguably consolidated power over the digital advertising marketplace.
Now, some say that companies such as Netflix, Amazon and Apple are not driven by an advertising model, and therefore are free of the negative externalities incumbent to players like Facebook and Google. To this argument I gently remind the reader: All at scale “first party” companies leverage personal data to drive their business, regardless of whether they have “advertising” as their core revenue stream. And there are plenty of externalities, whether positive or negative, that arise when companies use data, processing power, and algorithms to determine what you might and might not experience through their services.
The third major player in all of this, of course, is government. Governments collect a shit ton of data about their citizens, but despite our fantasies about the US intelligence apparatus, they’re not nearly as good at exploiting that data as are the first and third party corporate players. In fact, most governments rely heavily on corporate players to make sense of the data they control. That interplay is a story unto itself, and I’m sure I’ll get into it at a later date. Suffice it to say that governments, particularly democratic governments, operate in a highly regulated environment when it comes to how they can use their citizens’ data.
But until recently, first and third party corporate entities have had pretty much free rein to do whatever they want with our data. Driven in large part by the United States’ philosophy of “hands off the Internet” — a philosophy I wholeheartedly agreed with prior to the consolidation of the Internet by massive oligarchs — corporations have been regulated mainly by Terms of Service and End User License Agreements, rarely read legal contracts which give corporations sweeping control over how customer data is used.
This all changed with GDPR, which went into effect today. There are seven principles as laid out by the regulatory body responsible for enforcement, covering fairness, usage, storage, accuracy, accountability, and so on. All of these are important, but I’m not going to get into the details in this post (it’s already getting long, after all). What really matters is this: The intent of GDPR is to protect the privacy and rights of consumers against Surveillance Capitalism. But the reality of GDPR, as with nearly all sweeping regulation, is that it favors the At Scale First Parties, who can easily gain “consent” from the billions of consumers who use their services, and it significantly threatens the sub-scale first and third party ecosystem, who have tenuous or fleeting relationships with the consumers they indirectly serve.
Put another way: You’re quite likely to click “I Consent” or “Yes” when a GDPR form is put in between you and your next hit of Facebook dopamine. You’re utterly unlikely to do the same when a small publisher asks for your consent via what feels like a spammy email.
An excellent example of this power imbalance in action: Facebook kicking third-party data providers off its platform in the wake of the Cambridge Analytica scandal, conveniently using GDPR as an excuse to consolidate its power as an At Scale First Party (I wrote about this at length here). In short: because they have the scale, resources, and first party relationships in place, At Scale First Party companies can leverage GDPR to increase their power and further protect their businesses from smaller competitors. The innovation ecosystem loses, and the tech oligarchy is strengthened.
I’ve long held that closed, walled-garden aggregators are terrible for innovation. They starve the open web of the currencies most crucial to growth: data, attention, and revenue. In fact, nearly all “innovators” on the open web are in thrall to Amazon, Facebook, Apple, and/or Google in some way or another — they depend on them for advertising services, for ecommerce, for data processing, for distribution, and/or for actual revenue.
In another series of posts I intend to dig into what we might do about it. But now that the early returns are in, it’s clear that GDPR, while well intentioned, has already delivered a massive and unexpected externality: Instead of limiting the reach of the most powerful players operating in the world of data, it has in fact achieved the opposite effect.