Privacy: The State of Play

With May marking the fifth anniversary of GDPR, privacy remains a critical issue for the tech industry. The evolution of privacy legislation has shaken integral elements of the ad tech landscape as we know it; prominently, third-party cookies have been deprecated from several internet browsers, and are set to go for good in 2024. Big Tech has also felt the repercussions of the industry’s refocus on privacy; within the last couple of weeks, EU regulators fined Facebook-parent Meta a record €1.2bn (~£1bn) for transferring European citizens’ data to the US.

Beyond scrutiny from watchdog groups, tech giants must also contend with growing suspicion from consumers and internet users, who are becoming increasingly aware of how their data is being used. In the UK alone, 72% of adults are accessing the internet using methods to mask their personal information. Add to this the fact that consumer trust in Big Tech firms is patchy to say the least, and it’s clear that any hint of scrutiny over how a company handles its customers’ data could have cataclysmic repercussions for both its reputation and its bottom line.

With reputation and revenue at stake, what kind of landscape are tech giants working within? And how are they responding to shifting expectations around privacy?

GDPR: a missed opportunity?

Hailed as a turning point for privacy when it was introduced, GDPR has proven somewhat underwhelming. Despite claims the legislation would “give EU citizens more control over their own personal data, improving their security both online and offline”, user data has continued to be harvested and transferred without consent at a significant scale. Type “GDPR violations” into Google and you’ll find hundreds of reports of tech companies, big and small, in hot water for how they have handled their users’ data (including Google itself, which can add recent accusations that it stored job candidates’ personal data unnecessarily to a long list of data privacy breaches). 

Why data breaches have persisted past GDPR’s implementation is likely down to one factor, perfectly articulated by senior fellow at the Irish Council for Civil Liberties Johnny Ryan: the legislation simply has not been “enforced in any significant way”. Indeed, the most severe penalty for GDPR violations, a fine of up to €20m (~£17.3m) or 4% of a firm’s annual revenue from the preceding year, will hardly scratch the surface for some of the worst offenders. Meta, for example, which has received three fines for violating GDPR so far this year, reported USD$117.346bn (~£94.993bn) in revenue for 2022. Although the latest penalty issued to the company has been tapped as a turning point in penalising tech giants, the combination of fines to the Facebook parent has, so far, not been impactful enough to force tangible change.

What else are regulators doing?

GDPR is not the only tool governing bodies and regulators have to enforce privacy legislation; in July 2020 the Court of Justice of the EU passed “Schrems II”, mandating the due diligence businesses must undertake before transferring personal data outside of the European Economic Area (EEA). This was followed up in October 2022, when the US and EU agreed in principle to a new Data Privacy Framework to safeguard the data of European citizens that has been transferred to the US. While a final vote on the legislation is yet to take place in the European parliament, the framework has already been met with scrutiny. Max Schrems, the primary litigant in Schrems II, stated that he was unconvinced the Data Privacy Framework would be able to pass the “essentially equivalent protections” test set out in Schrems II and indicated he would challenge the new deal if it did not align with EU law. The EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) also revealed its scepticism, with committee member Juan López Aguilar stating “We are not convinced that this new framework sufficiently protects the personal data of our citizens, and therefore we doubt it will survive the test of the CJEU (EU Court of Justice)”. 

The UK, meanwhile, is yet to get new privacy legislation off the ground. After leaving the EU in 2020, the UK government promised to reform data protection laws to enhance the protections laid out in the 2018 Data Protection Act. These reforms, however, are yet to come to fruition; a second version of the proposed Data Protection and Digital Information Bill was introduced by the Department for Science, Innovation and Technology in March of this year, 18 months after the government announced plans to reset the rules around privacy. 

Although lengthy, this period pales somewhat in comparison to India’s Digital Personal Data Protection Bill. Announced in 2019, the Bill remains in limbo and faces a multitude of potential challenges that could delay its implementation further, including concerns that state exemptions could actually undermine privacy. This isn’t the case for the entire APAC region, however; in 2022, Sri Lanka became the first South Asian country to enforce comprehensive data privacy legislation, the Personal Data Protection Act No. 9. China and Thailand also successfully enacted new privacy legislation last year, with the APAC region experiencing a tightening of privacy regulations on a widespread scale.

Can tech giants help themselves?

In short: yes – and they should.

Although regulatory reform has stalled in numerous regions, the shift to privacy centricity is unstoppable and unavoidable. Outside of pressure from governments and regulatory bodies, individuals are becoming increasingly aware of how tech giants are using their data and it’s impacting how they behave online. Since 2019, user trust in the internet has dropped substantially, with up to 38% reporting feeling stressed or anxious at the prospect of being tracked online. While it’s unlikely that these concerns are enough to stop people from engaging with the internet entirely – it has, undoubtedly, become an integral part of everyday life – it is enough to drive almost 43% of users to ad blockers, meaning companies are losing access to valuable audience insights. With reachable audiences dwindling, placing privacy at the core of their operations is now imperative if tech companies want to survive. There are already examples of this happening, such as Apple’s introduction of the App Tracking Transparency Framework. The framework, which requires apps to explicitly request users’ permission to access the Identifier for Advertisers on their device, recorded an opt-in rate of 29% for Q1 2023, signalling a positive response from iPhone users. Google has also promised that its privacy sandbox, designed with six core APIs allowing advertisers to operate in line with privacy law, will be available as early as July this year. Anthony Chavez, VP of Privacy Sandbox, asserted that developers will be able to “utilise these APIs to conduct scaled, live-traffic testing, as they prepare to operate without third-party cookies.” Developments like these suggest that influential players in the tech industry are taking the shift to privacy seriously; however, it’s arguable that there’s more to be done.
As ExchangeWire CEO Rachel Smith put it, “it would be good to see ad tech take the lead and pre-empt further action by bringing better solutions”, with tech companies viewing the privacy landscape as a space they are responsible for cultivating and shaping correctly.

So, where next for privacy?

Evidently, work is underway to bring privacy to the forefront of ad tech, both from regulators and tech companies. While it’s understandable that regulatory reform is a lengthy process, the numerous setbacks facing privacy legislation in the UK, EU and Asia make it difficult to envision where the privacy landscape can go next. When we couple this with the scepticism some of these measures have garnered, it would be fair to assume that definitive privacy regulations are still some time away. Nonetheless, tech companies should not wait to take action: as Apple in particular has demonstrated, impactful changes to take privacy to the centre of ad tech are possible, regardless of regulatory upheaval. Tech firms that do the groundwork now can take advantage of a unique opportunity to reshape how the ad tech industry operates in the inevitable cookie-less future.