I began working on privacy as a public policy issue in 2010, when Senator Al Franken started up the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law. It was difficult work, because back in 2010, not many people cared about digital privacy. The questions back then focused heavily on “What is the harm?” of privacy violations. In the last decade, the conversation has progressed immensely as scandal after scandal has demonstrated the harms that can come from the use of our data. The positive result is that policymakers are now having a much more nuanced and informed conversation about how to fix the problem.
Historically, privacy was about keeping parts of your life from the people you didn’t want to know about them: telling secrets in school, behaving differently at home than at work, keeping personal information away from your gossipy neighbor or nosy aunt. But today, the harms from digital privacy violations are often different. Much of our regular life depends on sharing data with corporations. If I call my husband to let him know I’ll be home late tonight, AT&T knows when I made the call, to whom, and approximately where I was when I made it. Google knows exactly where I was, since I made the call from my Android phone. If I send a WhatsApp message instead of calling, Facebook also gets some information about the communication. Thanks to my smartphone, a variety of apps can join me on my journey home. I don’t have to worry that my mother-in-law will find out we’re eating takeout again because I’m working too hard, but it’s arguably more harmful if Facebook uses this information to finally convince me to subscribe to those $8-a-day meal smoothies from Daily Harvest that it has been advertising to me so incessantly.
The use of this data to manipulate me into purchasing something I don’t need is a very different kind of harm from the old privacy concern about unwanted disclosure. In the context of corporate data collection, unwanted disclosure is only a small piece of the puzzle. The real harms of corporate data collection are manipulation and discrimination.
Today’s Data Harms
Our data may be exploited to harm us without ever being shared outside the company that originally collected it. In many privacy discussions, we distinguish first-party companies, which originally collected the data, from third-party companies, which obtain access to it from another company. Even if a first party never shares your data with a third party, that data can still be fully exploited to manipulate or discriminate against you. And because they’re not sharing, these companies may claim they’re protecting your privacy while they do it.
Today’s online advertising ecosystem runs on data. Companies are tracking you across the web and gathering information that helps them determine which ads are most likely to get you to purchase a product if shown at the right time. It’s not just which products you might be interested in, but which particular ads are most effective at getting you to buy. If the data indicates you are a likely buyer, advertisers will pay more to reach you, which is exactly what makes the data so valuable. The most powerful companies that hold that data often don’t want to share it, and they don’t want anyone else to be able to collect it, either.
You may have heard the old saying in the marketing business: “Half of my advertising is useless; I just don’t know which half.” This is the theory underlying targeted advertising: it lets advertisers get a little closer to identifying, and paying for, only the most useful ads. Advertisers (think Ford, Procter & Gamble, Wells Fargo, or Allbirds) that believe targeted advertising is more effective at getting people to buy their products must go through these data gatekeepers. And publishers (the Wall Street Journal, the Seattle Times, Teen Vogue, or Pioneer Woman) that want to make the most of their limited ad space must go through them, too. Both are expected to follow the surveillance advertising model that has come to dominate most of the internet. Advertisers today generally won’t pay as much for contextual ads, which are targeted based only on the content the user is viewing at that moment, despite studies that argue they can also be effective.
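For contrast, contextual targeting requires no user data at all. Here is a minimal sketch of the idea; the campaigns, keywords, and matching rule are hypothetical simplifications, not any real ad system’s logic:

```python
def contextual_ad(page_keywords: set, campaigns: list) -> str:
    """Pick an ad by matching campaign keywords to the page content alone."""
    scored = [(len(c["keywords"] & page_keywords), c["ad"]) for c in campaigns]
    best_score, best_ad = max(scored)
    return best_ad if best_score > 0 else "house ad"

campaigns = [
    {"ad": "running shoes", "keywords": {"marathon", "training", "shoes"}},
    {"ad": "mortgage refinance", "keywords": {"mortgage", "rates", "housing"}},
]

# An article about marathon training sells the shoe ad; no user profile involved.
print(contextual_ad({"marathon", "training", "nutrition"}, campaigns))  # -> running shoes
```

Nothing in this sketch knows who the reader is; the only input is the page itself. Targeted advertising replaces that input with a profile of you.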
How You Might Be Manipulated or Discriminated Against
Perhaps you’ve told Facebook you’re a huge Lakers fan, and you logged into Uber with Facebook to save time instead of typing in your email address. You use Uber and Uber Eats a lot, leading the algorithm to associate you with high earners. The advertiser selling season tickets to your local basketball team has indicated it will bid higher for high earners, while a discount ticket service like StubHub will pay more for people willing to spend time hunting for a deal. That means you’re more likely to see the ad for season tickets than the ad for discount tickets. Maybe that’s what you want, or maybe you would have been happy to know the same tickets were available for less and without a season-long commitment.
Or perhaps your Android phone (Android is owned by Google) has noticed you spend a lot of time in a neighborhood where the algorithm knows other people have poor credit scores. SoFi and other low-interest lenders may have told Google they want their ads targeted at wealthy individuals, or at young families who attended well-known private universities but don’t yet have much wealth. Their bids won’t be entered into the auction to advertise to you, but predatory payday lenders may be targeting your neighborhood with theirs. If you see a lot of ads for payday lenders and never see ads for loans at normal interest rates, that could influence where you look when you need a loan.
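To make the mechanics in these two scenarios concrete, here is a minimal sketch of how an auction like this might select an ad. Every advertiser name, segment label, and bid below is hypothetical, and real ad exchanges are vastly more complex, but the basic structure (eligibility filters plus bids keyed to inferred segments) follows the scenarios above:

```python
from dataclasses import dataclass

@dataclass
class Campaign:
    advertiser: str
    ad: str
    required: set   # bid only if the user matches ALL of these segments
    excluded: set   # never bid if the user matches ANY of these
    bid: float      # price the advertiser will pay per impression

def run_auction(user_segments: set, campaigns: list) -> str:
    """Filter campaigns by their targeting rules, then show the highest bidder's ad."""
    eligible = [c for c in campaigns
                if c.required <= user_segments and not (c.excluded & user_segments)]
    if not eligible:
        return "house ad"  # nothing matched this user
    return max(eligible, key=lambda c: c.bid).ad

# Segments the platform has inferred about you; advertisers never see this set.
you = {"lakers_fan", "inferred_high_earner"}

campaigns = [
    Campaign("TeamTickets", "season tickets", {"lakers_fan", "inferred_high_earner"}, set(), 9.50),
    Campaign("StubHub", "discount tickets", {"lakers_fan"}, {"inferred_high_earner"}, 4.25),
    Campaign("SoFi", "low-interest loan", {"inferred_wealthy"}, set(), 6.00),
    Campaign("PaydayNow", "payday loan", {"inferred_low_credit_area"}, set(), 7.75),
]

print(run_auction(you, campaigns))  # -> season tickets
```

Note that the discount ticket seller is filtered out before price even matters, and the low-interest lender never bids at all. You never learn that the cheaper option existed.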
Or maybe the advertiser is a political campaign or an issue-advocacy group looking for people in key congressional districts or Electoral College states who aren’t very informed about the news, or whose polling place is far from home and who tend to use public transit, suggesting they probably don’t have a car. These people might be particularly susceptible to certain political messages, or easily discouraged from voting. The Trump campaign acknowledged using similar tactics in 2016.
This sort of manipulation and discrimination doesn’t require Google or Facebook to sell, transfer, or disclose your data at all. Without the data they collect about you ever changing hands, they can sell the right to access your attention to whichever advertiser bids the most for you, based on the advertisers’ and the algorithms’ inferences about what types of ads you’ll be susceptible to.
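Here is a sketch of that boundary, with hypothetical class and method names: the advertiser submits targeting rules and a bid, and gets back only aggregate statistics; the profile itself never crosses the API.

```python
class AdPlatform:
    """Toy model of the information boundary: profiles never leave the platform."""

    def __init__(self):
        self._profiles = {}     # user_id -> inferred segments (private, never exposed)
        self._campaigns = {}    # campaign_id -> (required segments, bid)
        self._impressions = {}  # campaign_id -> how many times its ad was shown

    # Advertiser-facing API: targeting rules and bids go in...
    def submit_campaign(self, campaign_id, required_segments, bid):
        self._campaigns[campaign_id] = (set(required_segments), bid)

    # ...and only aggregate statistics come back out.
    def report(self, campaign_id):
        return {"impressions": self._impressions.get(campaign_id, 0)}

    # Internal: the match between your profile and the bids happens entirely in here.
    def serve_ad(self, user_id):
        segments = self._profiles.get(user_id, set())
        bids = {cid: bid for cid, (req, bid) in self._campaigns.items()
                if req <= segments}
        if not bids:
            return None
        winner = max(bids, key=bids.get)
        self._impressions[winner] = self._impressions.get(winner, 0) + 1
        return winner  # the ad gets your attention; the advertiser never gets your data
```

In this toy model, nothing an advertiser can call ever returns a user profile, yet the platform can still monetize every inference it has made about you.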
Data Privacy Rules Should Focus on Data Exploitation, Not Just Sharing
We need rules that prevent harmful collection and harmful uses of data about us, regardless of which company is doing it, and regardless of whether the data was collected “directly” or shared. Only that will really protect users from manipulation and discrimination. It will also level the competitive playing field. Today, some of the most powerful digital platforms hold the most data about us, along with access to the most (and most valuable) continuing streams of data. Instead of relying on these powerful companies to simply block others from collecting that same data again, we need to set consumer-focused rules of the road that apply to everyone. We should not rely on Google and Facebook to protect our privacy. We need privacy laws that protect consumers from *any* company collecting data we’re concerned about, or using it in ways we’re concerned about.
I want to distinguish my concerns from a frequent refrain heard in Washington: that any type of regulation is bad for competition. In fact, plenty of regulations are great for competition, and properly crafted privacy protections could be among them. Most importantly, there are priorities more important than keeping every company in business. Privacy protections may put some bad actors out of business because their business model is predicated on irresponsible data practices; no one should feel sorry for those businesses. But when new rules would specifically favor a business model that relies on huge scope and scale, we should consider the impact on the smaller companies that compete with the dominant platforms, and ask whether that is really the best way to achieve our goals.
The California Consumer Privacy Act (CCPA), enacted in 2018, contains exactly this kind of loophole: some of its key limitations apply only to data sharing. Facebook and Google are big enough to build comprehensive profiles of users without purchasing data, and they own their own advertising platforms. Because they can fully monetize your data without ever sharing it, they remain free to exploit it without being subject to those additional requirements. The European General Data Protection Regulation (GDPR) similarly distinguishes between data Controllers and data Processors. Controllers have greater rights over how your data is used than Processors, on the theory that the Controller originally collected the data and shares it with the Processor. Yet if a publisher sources its advertising from Google, Google often considers itself the Controller, which means it is Google, rather than the website I chose to visit, that holds the greater rights to my data.
According to the UK Competition and Markets Authority’s recent interim report on competition in digital advertising, “Concentration is particularly high at the publisher ad server level, where, based on submissions from industry stakeholders, we believe Google is likely to have a share of supply above 90%.” Because of Google’s broad data streams from across the internet, it can derive advertising analytics that are much better than any competitor’s. This increases the value of its advertising and makes it even harder for smaller companies to compete. The interim report similarly found that Facebook controls unique data, the data that advertisers find most valuable for certain ad campaigns.
There are two ways we need to protect ourselves from the power of big tech platforms. One is to limit the data they can collect about us and how they can use it. The other is to limit their power in the marketplace: their power over us and over other companies. If Google is the only company that can provide high-value ads to desperate publishers, publishers have to follow its model, and that model won’t change. I believe there are other viable business models. Competition combined with sound privacy regulation is the best way to encourage disruptive innovation, the kind of innovation that brings big changes. And big change is what this industry needs.
As we consider new privacy laws and new privacy moves by large companies, we should weigh the competitive impacts and make sure we are actually targeting the problems we’re concerned about, not mistakenly discouraging or prohibiting pro-competitive behavior.