The California Consumer Privacy Act, drawn up hastily to avert a threatened ballot initiative, purports to create six new categories of data-related consumer rights, “including the right to know; the right of data portability; the right to deletion; the right to opt-out of data sales; the right to not be discriminated against as a user; and a private right of action for data breaches.” Although sometimes compared to the European GDPR, the two laws are different and compliance with the one enactment (which has been immensely expensive already) does not accomplish compliance with the other. Expect uncertainty, fines, the California specialty of entrepreneurial class-action litigation, and more tilting of compliance cost structures to the benefit of tech companies and advertising intermediaries big enough to afford to spread the high expense over large revenue streams [Alec Stapp, Truth on the Market; more: Al Saikali, Washington Legal Foundation; Petrina McDaniel, Elliot Golding and Keshia Lipscomb, Squire Patton Boggs]
I join Cato colleagues Ryan Bourne and Caleb Brown to discuss the rise and fall of tech monopolies over the years. Related here.
The European Union’s General Data Protection Regulation (GDPR), which went into effect just over a year ago, has resulted in a broad array of consequences that are expensive, unintended, or both. Alec Stapp reports at Truth on the Market, with more discussion at Marginal Revolution:
GDPR can be thought of as a privacy “bill of rights.” Many of these new rights have come with unintended consequences. If your account gets hacked, the hacker can use the right of access to get all of your data. The right to be forgotten is in conflict with the public’s right to know a bad actor’s history (and many of them are using the right to memory hole their misdeeds). The right to data portability creates another attack vector for hackers to exploit.
Meanwhile, Stapp writes, compliance costs for larger U.S.-based firms alone are headed toward an estimated $150 billion, “Microsoft had 1,600 engineers working on GDPR compliance,” and an estimated 500,000 European organizations have seen fit to register data officers, while the largest advertising intermediaries, such as Google, appear to have improved their relative competitive position compared with smaller outfits. Venture capital investment in Euro start-ups has sagged, some large firms in sectors like gaming and retailing have pulled out of the European market, and as of March more than 1,000 U.S.-based news sites were inaccessible to European readers.
The plain language of the GDPR is so plainly at odds with the business model of surveillance advertising that contorting the real-time ad brokerages into something resembling compliance has required acrobatics that have left essentially everybody unhappy.
The leading ad networks in the European Union have chosen to respond to the GDPR by stitching together a sort of Frankenstein’s monster of consent,a mechanism whereby a user wishing to visit, say, a weather forecast is first prompted to agree to share data with a consortium of 119 entities, including the aptly named “A Million Ads” network. The user can scroll through this list of intermediaries one by one, or give or withhold consent en bloc, but either way she must wait a further two minutes for the consent collection process to terminate before she is allowed to find out whether or it is going to rain.
This majestically baroque consent mechanism also hinders Europeans from using the privacy preserving features built into their web browsers, or from turning off invasive tracking technologies like third-party cookies,since the mechanism depends on their being present.
For the average EU citizen, therefore, the immediate effect of the GDPR has been to add friction to their internet browsing experience along the lines of the infamous 2011 EU Privacy Directive (“EU cookie law”) that added consent dialogs to nearly every site on the internet.
Mar 2000: Palm Pilot IPO’s at $53 billion
Sep 2006: “Everyone’s always asking me when Apple will come out with a cellphone. My answer is, ‘Probably never.’” – David Pogue (NYT)…
Jun 2007: iPhone released
Nov 2007: “Nokia: One Billion Customers—Can Anyone Catch the Cell Phone King?” (Forbes)
A brief history of impregnable tech monopolies that were pregnable after all, from personal computers to music distribution to social media, by Geoffrey Manne and Alec Stapp [Truth on the Market][adapted and condensed from Cato at Liberty]
- “Arkansas Passes Bill to Prevent Sale of ‘Cauliflower Rice'” [Bettina Makalintal, Vice via Anthony M. Kreis (“Carolene Products of our time”, and more on that celebrated filled-milk case]
- Ted Frank has another case raising the cy pres issues the Supreme Court just sidestepped in Frank v. Gaos [Marcia Coyle on rewards-program class action settlement in Perryman v. Romero]
- Feds recommend 12 year sentence for copyright and ADA troll Paul Hansmeier [Tim Cushing, TechDirt]
- Didn’t realize New York City still had such a substantial fur industry – much of it in the district of an elected official who’s keen to ban it [Carl Campanile, New York Post]
- “Who’s Afraid of Big Tech?” Cato conference with Matthew Feeney, Alec Stapp, Jonathan Rauch, Julian Sanchez, Peter Van Doren, and John Samples, among many others [panels one (“Big Brother in Big Tech”), two (“Is Big Tech Too Big?”), three (“Free Speech in an Age of Social Media”)]
- Looking forward to this one, due out from New York lawyer James Zirin in September: Plaintiff in Chief: A Portrait of Donald Trump in 3,500 Lawsuits [St. Martin’s Press]
The EU’s General Data Protection Regulation (GDPR), along with similarly heavy-handed regimes such as California’s Consumer Privacy Act, entrenches established platforms that have the resources to meet their onerous compliance requirements. Since the GDPR’s implementation in May, the rank and market share of small- and medium-sized ad tech companies has declined by 18 to 32 percent in the EU, while these measures have increased for Google, Facebook, and Amazon.
Via Alex Stamos thread on Twitter (“Anybody wonder why the big tech companies didn’t really fight that hard against GDPR? It isn’t due to a newfound love of regulation”) by way of James Pethokoukis; more, Antonio García Martínez.
- “Illinois Supreme Court Allows No-Injury Biometric Information Privacy Act Claims in Complete Victory for Plaintiffs’ Bar” [Locke Lord] Google’s “which museum portrait is your selfie like?” an early local casualty [Illinois Policy and generally on the law]
- “Class action reform isn’t dead. It’s just not coming from Congress” [Alison Frankel, Reuters]
- To get around Daimler v. Bauman line of cases, state statutes now provide that by registering to do business in the state an out-of-state business consents to general personal jurisdiction. Is that consistent with due process? [Anand Agneshwar and Paige Sharpe, WLF, and on Mallory v. Norfolk Southern Railway case in Pennsylvania; Beck with survey of state statutes]
- “As Pelvic Mesh Settlements Near $8 Billion, Women Question Lawyers’ Fees” [Matthew Goldstein, New York Times, earlier and more]
- More on Department of Justice crackdown on fraud and mismanagement in asbestos bankruptcy trusts [ABA Journal, AP, Alison Frankel/Reuters, Sen. Chuck Grassley statement, earlier]
- Judge: Port Authority not liable over George Washington Bridge jumpers [Julia Marsh, New York Post]
- The two new heads of the judiciary committees in the Pennsylvania legislature are nonlawyers, and the legal community appears to be fine with that [Max Mitchell, Legal Intelligencer]
- Long after his downfall in one of the worst U.S. legal scandals in years, Stan Chesley was still listed as holding an honored position at a major charity until a reporter started calling [Josh Nathan-Kazis, Forward, I’m quoted; update (Chesley’s name removed)]
- National security restrictions form an important part of regulatory practice these days for international business, discussed at a Federalist Society National Lawyers Convention panel with William J. Haynes II, Timothy Keeler, Randal Milch, Donald Rosenberg, and moderator Eric J. Kadel, Jr.;
- How seeking government intervention backfired on Silicon Valley [Drew Clark, Cato Policy Report]
- Are Baltimore schools underfunded? tales of the gun buyback, local adoption of Daubert, and more in my latest Maryland policy roundup [Free State Notes; plus redistricting updates]
- “Despite Losing Its Copyright Case, The State Of Georgia Still Trying To Stop Carl Malamud From Posting Its Laws” [Mike Masnick, TechDirt, earlier]
Eric Goldman, “A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet”:
By tomorrow, the California legislature likely will pass a sweeping, lengthy, overly-complicated, and poorly-constructed privacy law that will have ripple effects throughout the world. While not quite as comprehensive as the GDPR, it copies some aspects of the GDPR and will squarely impact every Internet service in California (some of whom may be not currently be complying GDPR due to their US-only operations). The GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill. It’s such a short turnaround that most stakeholders won’t have a chance to participate in the legislative proceedings. So the Internet is likely to change radically tomorrow, and most people have no clue what’s coming or any voice in the process.
As bad as this sounds, the legislature’s passage of the bill is likely the GOOD outcome in this scenario. What could be worse?
Read on in the post for a discussion of the peculiar dangers of the contemporary California initiative process. And as predicted, the bill did pass, unanimously [Issie Lapowsky, Wired]
Data portability mandates on tech companies like Facebook are sometimes conceived as a way to bring about more competitive market structures pleasing to antitrust enforcers by engineering a less “sticky” consumer experience. But is it really much of a solution to anything? [Alex Tabarrok citing Will Rinehart, American Action Forum; more, Tyler Cowen]