UK, Ireland score regulatory wins against Google, WhatsApp - will US follow with privacy action?

Can Big Tech be tamed by legislators? It’s a question that’s done the rounds for several years now with some comparing the challenge to that of bringing the tobacco industry into line. Scarcely a month goes by without Mark Zuckerberg, he of The Company Formerly Known As Facebook, pleading with government to regulate him!

There’s certainly public appetite in the US for action to be taken around data privacy regulation at Federal level, according to a new study from the Privacy for America coalition. Polling 1,524 Americans, the results found that there’s cross party support among voters, with Democrats ( 95.4%), Independents (92.0%) and Republicans ( 89.3%), all declaring that its’s “very or somewhat important” for Congress to get underway on making Federal privacy legislation happen.

And voters are taking a mature stance on all this, seeking protection for themselves rather than any desire to punish Big Tech. Whether US politicos will tap into this sentiment remains to be seen, but outside of the US, regulators across the Atlantic in the UK and Ireland have shown that it is possible to back such firms into concession.

Google win

In the UK, the Competition and Markets Authority (CMA) says it has won a number of commitments from Google over its Privacy Sandbox after concerns were raised that the firm might use plans to hide data under the guise of privacy, but would in fact impede competition in digital advertising.

Google has now pledged greater transparency and engagement as well as not removing certain functionality before third-party cookies. Specifically  it will:

• ensure that the CMA’s role and the ongoing CMA process are mentioned in Google’s key public announcements;
• instruct its staff not to make claims to customers which contradict the commitments;
• report regularly to the CMA on how Google has taken account of third party views;
• address concerns about Google removing functionality or information before the full Privacy Sandbox changes, including by delaying enforcement of its Privacy Budget proposal, and offering commitments around the introduction of measures to reduce access to IP addresses;
• clarify the internal limits on the data that Google can use;
• provide greater certainty to third parties developing alternative technologies;
• improve the provisions on reporting and compliance, including by appointing a CMA-approved monitoring trustee; and
• provide for a longer duration of 6 years from the date of any decision to accept Google’s modified commitments.

The CMA will now consult on these new commitments until 5pm on 17 December 2021. CMA Chief Executive Andrea Coscelli says:

We have always been clear that Google’s efforts to protect users privacy cannot come at the cost of reduced competition. That’s why we have worked with the Information Commissioner’s Office, the CMA’s international counterparts and parties across this sector throughout this process to secure an outcome that works for everyone.

We welcome Google’s co-operation and are grateful to all the interested parties who engaged with us during the consultation. If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising and safeguarding users’ privacy.

Meanwhile in Ireland, WhatsApp has updated its privacy policy for European users after being slapped with a record €225 million fine by the Irish Data Protection Commision (DPC) for transparency breaches under European Union law. WhatsApp will now provide users with more information on how the messaging service collects and uses data, why it stores data and when it deletes it, as well as why data is shared across borders and how this is protected. There will be in-app banner notification at the top of a user’s WhatsApp chat list to allow people to click and learn more about the changes in a 12,000-word, 35-page policy message.  The changes come despite the fact that WhatsApp intends to appeal the DPC ruling and fine.

More to come 

And there’s more to come. The Information Commissioner’s Office in the UK has just laid out its Opinion on data protection expectations for the adtech sector. The Commission expects companies to offer individuals the ability to receive ads without tracking, profiling or targeting based on excessive collection of personal information. If individuals elect to share their data, all parties across the adtech supply chain must ensure there is meaningful accountability and provide control over the data and the ability for people to exercise their information rights. Organizations would also be required to be able to justify the use of personal data for online advertising as fair, necessary and proportionate, as well as be clear with users about how and why personal information is being used.

Information Commissioner Elizabeth Denham says:

Digital advertising is a complex ecosystem that grew quickly with the e-commerce boom and without people’s privacy in mind. What we found during our ongoing adtech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content. Most of the time, individuals are not aware that this is happening or have not given their explicit consent. This must change. That is why we want to influence current and future commercial proposals on methods for online advertising early on, so that the changes made are not just window dressing, but actually give people meaningful control over their personal data.”

My take

More power to the UK and Ireland giving Mr Zuckerberg what he’s asked for! US Federal officials would do well to look to emulate.