On May 25, Europeans will gain a significant amount of control over their own data and privacy, taking it back from technology companies, thanks to a new regulation called General Data Protection Regulation, or GDPR.
It may have a name only a bureaucrat could love, but it’s a big deal for any company that does business in Europe. If they make a mistake, it could cost them 4% of their worldwide revenue (or 20 million euros), and Europe has not been shy about exacting penalties.
With every new regulation comes the possibility of unintended consequences, and companies publicly and privately have expressed concern that the vague nature of these regulations may be disruptive despite the fact that many of the companies agree with the law’s intent.
Generally, the law requires Internet users to be told exactly what their data will be used for, and then have the choice to say yes or no, without being nudged one particular way, as well as allowing people to have their info purged if they wish.
To most consumers and the EU, this sounds great. But it’s also likely to have some unintended consequences. Some experts worry GDPR may inadvertently depress advertising revenue in an already beleaguered media industry.
“The unintended consequence of GDPR could be to put publishers – particularly small publishers – out of business by upending the advertising-based revenue model on which many rely,” Ghita Harris-Newton, Quantcast’s chief privacy officer and deputy general counsel, told Yahoo Finance.
Another hit to ad revenue
Most publishers rely on advertising as their chief source of revenue (a few also have subscription-based models). Advertisers typically pay for ad placement with the goal of targeting specific audiences. If users opt out of being tracked online, publishers (and advertisers) will lose a significant amount of useful data – what they search for, what they read, what they buy – making ad targeting more difficult.
“GDPR risks cutting off access to online ad revenues for publishers, which some estimates say account for around 80% of the money they make,” said Harris-Newton.
According to Lydia de la Torre, a fellow at Santa Clara University School of Law, former privacy counsel for eBay, Paypal, and senior privacy consultant for Intuit, and HP, there’s “a very significant disconnect between the perspective of EU regulators and actual way industries function,” a “fundamental contradiction.”
“From the ad perspective, they have been chasing reaching the right person with the right message at the right time, which requires personalization, and that requires tracking,” said de la Torre. “The perspective of EU regulators is the opposite: They believe by default you shouldn’t be tracked online.”
European regulators are working on another law that will, when finalized, work in tandem with GDPR, the ePrivacy regulations or “Cookie Directive.” According to de la Torre said could impact the industry even more, compounding the challenges of compliance.
With flurries of “consent” dialogues from these rules, many people will opt-out of data collection. Estimates will vary from company to company, but Google’s parent Alphabet estimated that around a third of European users would opt out of tracking.
GDPR could have a further ripple effect beyond revenue for these small publishers, Harris-Newton said. Though some experts Yahoo Finance spoke with said added consent could prove to be a boon for quality — better consent, better data — the quality may not make up for the lower quantity.
“There are many unknowns with GDPR and the impact on data quality is one of them,” said Harris-Newton. “It’s certainly possible that consumers giving more informed consent over how their data is used and for what purposes could raise the bar when it comes to data quality, but it’s far from clear at this stage.”
This double hit could leave publishers with less visibility into analytics, a tool that has proved extremely useful in the contemporary media landscape to learn about their audience for editorial reasons in addition to ad sales.
Only the strong survive
For large tech companies like Facebook (FB), Alphabet (GOOG, GOOGL), and Microsoft (MSFT) and other titans, GDPR compliance, while inconvenient, has been and will be handled with large teams to figure out what needs to be done. But smaller companies and startups don’t have resources to “even comprehend how they are affected by this new law,” de la Torre said.
Since GDPR wasn’t made with a specific industry in mind, experts have pointed to industry standards to solve specific questions of compliance, which could help take some pressure off individual companies to figure out how to comply.
With a heavy cost of compliance and potentially hefty penalties, industry insiders are concerned that GDPR could push a consolidation to the giants, much like Dodd-Frank did for banks. Only instead of fewer banks and credit unions, there could be fewer publications.
“Publishers already struggling to be profitable could be disproportionately hit, potentially reducing consumer access to free news and information,” said Harris-Newton. “We would all suffer as a result of that.”
People in the financial industry see the potential for a parallel. Dan Berger, CEO of the National Association of Federally-Insured Credit Unions, points to unintended consequences from Dodd-Frank as the reason for the shrinking number of nonprofit member-owned credit unions, as the law lumped them together with the bad actors of the financial crisis.
“If not executed well and thoughtfully, GDPR could lead to a similar scenario, causing unintended impacts that not only hurt small companies, but consumers, too,” said Berger. “It would not be out of the question if we end up seeing consolidation, less competition, and an uneven playing field for smaller entities.”
A rock and a hard place
The current situation is made even more complicated by the fact that to most people who hear of the new regulation, it sounds great. What’s wrong with giving consumers and users control of their own data? No one wants to be tracked. No one wants to have their Facebook posts and likes compiled into a dossier that gives someone they’ve never met insight into their life. No one wants their emails scanned and read. No one wants a pair of shoes they searched for to follow them around the internet.
Yet at the same time, unloved as they are, these things are the foundation to the business models of countless tech companies, publishers, and other entities that make online life possible. To get rid of them or challenge them stands to be a zero-sum game.