Discussion: (0 comments)
There are no comments available.
A public policy blog from AEI
The latest on technology policy from AEI, published daily.
More options: Share,
View related content: Technology and Innovation
If the plummeting NASDAQ index in the last quarter of 2018 was not bad enough news for American tech firms, the latest regulatory headline out of Germany will send a chill down the spines of their shareholders and management. It is rumored that the country’s Federal Cartel Office is about to ban Facebook from collecting user data from third parties, which it is using to refine targeting of advertising. This has significant ramifications for all firms whose websites could be (wittingly or unwittingly) aiding and abetting Facebook in its (alleged) breach of the EU’s now-infamous General Data Privacy Regulation (GDPR).
At the heart of the matter is the apparently innocuous button allowing users to “like” a website on Facebook, and the link to “Share to Facebook.” Any website hosting these functions sends a cookie to the Menlo Park, California-based social media firm. Information in the cookie allows Facebook to build more complete user profiles, thereby improving its ability to target advertising, and increasing its revenue-earning potential.
To be sure, the firms incorporating these features are not currently breaching any privacy rules themselves by including these features. Indeed, they are likely very important components of the firms’ own marketing strategies relying on word of mouth — or more accurately, “word by click” — to share information about a user’s tastes and preferences for the firm’s products, services and other quirks around their social network, thereby increasing patronage. What matters is that Facebook uses the information collected from third parties.
The GDPR has very stringent rules about data privacy, and in particular the use of third-party data. The German regulator has been at the forefront of litigation against Facebook in relation to the use of data it collects directly from users (e.g. location information), who it considers may not be adequately informed of the extent to which this is possible and may not be aware of how to calibrate their settings to limit collection and use. Suffice it to say that the 2016 legal action did not result in a favorable judgement for Facebook! The latest rumored action indicates that the regulator takes the view that when Facebook uses cookie information from third-party websites, it is breaching the obligation that a firm cannot make use of personal user information acquired from third parties without the full knowledge and consent of the individual to whom it relates.
If it is indeed found that Facebook has breached this rule, then it is considered likely that the German regulator will move to prohibit sharing of the offending cookies. Facebook can assist in compliance by reissuing relevant links without the offending cookies attached. But as the decision to place the links (with or without cookies attached) in the website is the prerogative of the third party, it begs the question of whether firms who do not update their websites with the new links could also be found to be in violation of the rules.
A real problem would exist because the use of these cookies would be banned in Europe, but not other, more liberal jurisdictions such as the United States. But a firm cannot anticipate in advance where people viewing its website will be domiciled. While it may be reasonable for the German regulator to require Facebook to behave in different ways with respect to consumers it knows to be in Europe or other locations, the same cannot be expected of the third parties, who come from all over the world and may not even be aware of the fact that the Facebook links they have embedded even contained cookies in the first place.
However, an even worse problem will arise if publicity from the case results in end-users deciding not to take the risk of sharing their personal information in the first place, by avoiding clicking on the offending icons. The very businesses who have built their marketing case around use of social networks now face real disadvantages, as word of their offerings won’t get around users’ friends with anything like the same efficiency as when no such fears had existed. This effect may be more pronounced in Germany in particular and Europe in general than in the rest of the world, but inevitably in a globalizing world, where social networks know no territorial boundaries, there will be effects elsewhere. Popular US firms serving European consumers are likely to feel some effects.
It is to be hoped, therefore, that these are just rumors. But nonetheless, the possibility provides considerable food for thought for US privacy advocates urging adoption of GDPR-type rules on the “other side of the ditch.”
There are no comments available.
1789 Massachusetts Avenue, NW, Washington, DC 20036
© 2019 American Enterprise Institute