TMW #122 | The limits of regulation

Apr 24, 2023

Welcome to The Martech Weekly, where every week I review some of the most interesting ideas, research, and latest news. I look to where the industry is going and what you should be paying attention to.



Regulation is not what people prefer to read on The Martech Weekly. Whenever I do an essay about the topic, it’s the least read. But I don’t really care. Regulation is incredibly important to the future of the internet and how marketers use it. That’s why from time to time, I bang on about it. Like I say to my kids every night: no sweets until you eat your greens.

So this week, it’s time for some broccoli.

Every week I review about 6 to 10 articles talking about some new government action to rein in Big Tech. Whether it’s from Europe, the United States, Asia, or elsewhere, there’s a massive machine that’s slowly working to limit the powers of companies like Apple, Meta, Google, Amazon, Microsoft, and TikTok.

Yet after billions in fines, and countless hearings over anti-trust, privacy, or misinformation violations, the marketing industry has barely been impacted, and it seems like the powers of our regulatory bodies to protect consumers, rein in monopolies, and provide ethical guidance to a generation of marketers, engineers, and executives are failing.

This week, the Irish Council for Civil Liberties wrote a letter to the Australian Government to provide an overview of how Europe’s Global Data Protection Regulation failed as Aussies gear up for their own form of data protection regulation. This is what they had to say about the 5 years of living under the GDPR:

“Failure to enforce the GDPR against the primary offenders leaves small and medium enterprises in terror of GDPR enforcement. Rather than an instrument that protects people, the law is viewed as a nuisance.”

I’m not going to say out the gate that regulation is not important. Of course, it is. Regulatory oversight should protect consumers, companies and the environment from serious harm. It’s the reason it takes forever for a plane to get ready for takeoff, or why healthcare, finance, petroleum, insurance, electricity and other society-critical industries are regulated and closely scrutinized by governments. It keeps planes from falling from the sky, stops harmful medicines from gaining a market, and keeps predatory financial organizations away from our most vulnerable.

The main idea with regulation is that democratically elected leaders should represent the rights, values and needs of their voters. And when powerful technology comes along, society should respond to it. It’s one of the miracles of the modern world that for millennia, people did not get together to decide what is good or bad for each other at such a massive scale. It’s a social contract enshrined in law. And when it works, it really works.

The internet is our generation’s society-changing technology. As massive tech companies like Meta, Google, Amazon and Apple built and acquired their way to monopoly status, controlling the vast majority of human attention, capital and advertising dollars, there now needs to be some kind of organization to hold these companies to account. But so far, this hasn’t worked out the way you’d want to see it work out – with some kind of accountability for the companies that control the web. For example, the vast majority of online ad spending sits with a tightly controlled group of companies.

Does this look fair? Of course, it doesn’t. Is it good for consumers that a small group of companies control the majority of their online experiences? You could argue that it is a good thing. Is it good for smaller companies wanting to monetize with advertising? Nope. Is it good for marketers that want to grow a brand online? Probably not.

This is why regulation is so complex. The internet is a monopoly machine by its nature, which brings its own benefits. But it can also lead to disaster. Regulation should help us avoid that, but can world governments keep the internet safe, open, and competitive?

No stopping now

Part of the reason why regulation has yet to do anything significant is that I don’t think there’s a way we can regulate the Internet fully. It has no boundaries, is expanding with new content, services, and websites every second, and by its nature, is a globalized phenomenon. I can trade with other countries, I can meet and discuss things with people around the world, and I don’t need a passport to do that. And this is the problem: national governments can only regulate what’s within their borders and the company offices that are located within those borders.

The GDPR review by the ICCL explicitly calls out the challenges around enforcement, as most internet-based companies headquarter themselves in strategic locations to evade regulatory challenges.

“The GDPR’s “country of origin” principle makes the country where a company bases its European headquarters the lead supervisory authority for that company. No other supervisory authorities can intervene if the lead authority asserts this role. Four of the world’s five biggest digital platforms (by market cap) are based in Ireland. The other, Amazon, is in Luxembourg. Inaction by Irish and Luxembourgish supervisory authorities has paralysed enforcement across the entire EU.”

Once a powerful technology hits the web, there’s no going back. Whether it’s third-party cookies, the blockchain, social media, or AI, once people know about it, and can build things with it, it’s almost impossible to stop or regulate.

One of these examples is the US government’s approach to counteracting TikTok’s growing influence. Let’s say a decision is made to ban the app from the country. That will just make a few VPN developers very rich. TikTok has more than 150 million users in the United States and is one of the fastest-growing social apps in the world. People have been exposed to a powerful new social media format, and they will try to access it. And while regulating the app might stem some use, workarounds to access it, or copycats will become the next popular thing.

The internet is not ruled by laws; it’s ruled by the crowd and what they want. The only virtue is growth. And even though TikTok was recently sued by the British government for lacking controls to ensure children under 13 get parental permission, and despite attempts by journalists to uncover Meta’s own internal research that suggests Instagram is becoming increasingly harmful for kids, the wheels turn on, with not much change outside of slap-on-the-wrist fines, the occasional feature update, and PR scripts reassuring people that things are fine.

Scott Galloway writing for No Mercy No Malice summarizes this well:

“Technology and our inability to regulate it have again made things worse. Much worse. Recently, Instagram assisted the suicide of a young British girl by serving her images of nooses and razor blades. Facebook fueled a mob riot in Myanmar. The list goes on: Teen depression, viral misinformation, widespread distrust of national institutions, polarization, algorithms optimized for rage and radicalization.”

With a new generation using online media more than ever, and in some cases spending a third of their day consuming media online, the wheel will only continue to spin faster as the crowd votes with their thumbs, good or bad. We are living in an age of ethical ambivalence. To most of us, the negative externalities of the services we use every day have no bearing on how and where we scroll.

No love in the jungle

Ok, so if the internet is a boundaryless domain, with technologies that can easily be replicated, this makes it hard for governments to catch and punish violators. But there’s something deeper at work here, and this is how technology companies and their executives don’t have the same ethical values held by government officials.

The average age of a US senator is 64 years old. The average age of a tech executive across the largest tech companies is 38 years old. Regulation is just as much a generational issue as a technology or policy issue. The people that didn’t come of age with the internet are attempting to understand it from a difference in ethical values. But they have a wide difference in values and outlooks. Whenever I talk about regulation change, it’s mostly from a generational perspective.

But the biggest difference here with a generation of technology leaders controlling the world’s largest companies is a growth-at-all-costs mindset that is eating the internet alive.

This is what we’re seeing play out in real time with the DOJ action against Google, which will investigate the company’s long-standing AdTech monopoly. Google’s growth-at-all-costs plan took fifteen years to evolve into an industry-stifling monster. And even with Google’s attempts to move marketers to its Privacy Sandbox as a replacement for third-party cookies, all this is doing is following in the footsteps of the company’s tradition of owning the vast market share of ad dollars. Google has shareholders, not citizens. And that means Google has a very different set of guiding principles. Google is after growth. Regulators want to keep society from falling off the brink.

In a Gizmodo interview with Google’s senior director of product management for the Privacy Sandbox, Victor Wong, Google’s thinly veiled monopolistic worldview comes to life:

"TG: This speaks to a line that stuck out to me in your blog post, which is that part of the goal is to “enable publishers and developers to keep online content free,” which seems like part of a broader argument to get publishers on board with Privacy Sandbox when there’s been some pushback. But how is it supposed to help publishers to keep their customers’ information from them?

VW: When I really step back and think about what we’re trying to accomplish, the goal is trying to make it possible to show relevant ads without showing who the user is, and ultimately to allow advertisers to know well their ads worked without knowing who saw them. If the outcome is that users are getting relevant experiences and advertisers know that their ads are working, then publishers are benefiting, consumers are benefiting, and ad tech is benefiting. We’re aiming for a win-win for the whole ecosystem. I don’t think collecting infinite amounts of data is necessary for publishers to succeed. Certainly, you know, it doesn’t hurt them either. But, you know, we’re trying to find a way to be more efficient.

TG: It seems to me that Google and Apple are trying to redefine the word “privacy” to mean that no one gets to track you but us. Isn’t tracking still a problem, no matter how it’s being done?

VW: Privacy means a lot of different things to a lot of different people. We think what they really want when they think about a private Internet is being able to access great content without necessarily having to pay for privacy, or having to give up personal information like, let’s say, a persistent identifier like your email address in order to access that content. That is a win for privacy.

I think safety is also important, so they feel that their data is not going to be misused, that it’s not going to end up harming them. We’re trying to transition the Internet off of using these data points that serve as user identifiers. That’s the big paradigm change that we’re introducing. We’re not only minimizing the data used by advertisers to show the relevant ads but also protecting users against profiling by data brokers who may sell that individual data for other purposes. They rely on shared user identifiers like cookies and personally identifiable information, so they can all single out members of a group and read and write profiles for them. But by removing these user identifiers from how ads work, we are protecting users against that risk.”

One of the explicit goals of the GDPR is that “rapacious data collection would no longer be the default digital business model.” And clearly, Google doesn’t think that’s how the internet should work. In fact (and not surprisingly), the company thinks that keeping its grasp over the world’s information and data should be good for everyone. In other words: Google wants us to believe that making the internet in its image and likeness is good for everyone.

But when it comes to online privacy and monopolies, Google, like its other Big Tech contemporaries, is like a massive, overgrown weed we’ve left untended for far too long. It’s grown over the trellises and fences, and its roots are choking out all the other trees and plants. Government regulators let it become the very fabric of the garden.

Now we’re in a predicament where everyone knows that we need to cut back the weed, dig up the roots and replace it with some new plants because the weed is killing everything else. But to do so would destroy a non-trivial amount of the garden that everyone relies on. In other words: the garden has turned into a jungle.

This is what the DOJ case against Google looks like – allowing Google to commercialize so much of what should be a free and open ad network is ten years too late. The failure of GDPR, the DOJ, and the FCC to rein in super powerful internet companies didn’t start with Cambridge Analytica, or with the mountains of antitrust and regulation litigations since 2020. It was when Google hit a billion users and world governments did nothing.

In the end, it doesn’t even matter what Google’s intentions are; the fact that the company wants to remain in the garden forever is the problem. Moving the goalposts from “how do we keep Google accountable” to “how do we reduce the size, scope, and authority Google has over the web” should be the regulators’ only goal. Breaking up Google will make much of the AdTech ecosystem implode and make consumers’ lives harder for a short while, but a new generation of products to stand in Google’s footprints will then have a chance to create a safer, fairer and more private version of the web.

Ed Zitron’s recent screed on the problems with Big Tech underscores the pervasive and damaging worldview gripping Silicon Valley tech companies.

“And the net result of all of this is that it kills innovation. If capital is not invested in providing a good service via a profitable business, it will never sustain things that are societally useful. Companies are not incentivized to provide better services or improve lives outside of ways in which they can drain more blood from consumers. And the street doesn’t care either - just look at Facebook and Instagram, two products that have grown endlessly profitable and utterly useless in the process.”

It's frustrating to see regulators stand by, not get educated, and not work hard for their constituents when the internet is being strangled by massive tech conglomerates that wreck any chances of consumer choice in their endless pursuit of growth and profits. This leads me to incompetence, the main reason why regulation isn’t working.

The age of policy incompetence

Technology is rapidly changing all the time. And because of this, experts are rapidly changing too. For example, the EU has announced that they are now looking to regulate the metaverse, which came out in the same week that Meta announced a pivot away from the idea of the metaverse to a “single largest investment is advancing AI and building it into every one of [their] products.” Things change fast, and regulators don’t work on hour-to-hour or day-to-day timetables as tech companies do.

Remember, it wasn’t so long ago that content piracy was an illegal thing, until Spotify and Netflix showed up with a monthly fee for effectively the same thing, but with approval from publishers and licensors. Laws change, and definitions of what should be legal are always changing with culture.

And it’s laughable that cases like Meta’s Cambridge Analytica privacy violation from 2018 are only now just being settled, paying the affected millions of users a minuscule amount from a $725 million fine. Regulators move very slowly and deliberately.

This is why most of the decisions about how the web should operate are controlled by the companies that built the platforms we use and the devices we access them with. For example, collectively, Big Tech companies have spent hundreds of millions on lobbying efforts to influence regulations in the United States over the past five years. It doesn’t make them the biggest spenders in the world of lobbying, but it does make companies like Meta and Amazon very powerful forces in Washington.

This is perhaps the most glaring challenge with regulation: the mechanism of how it’s done just creates slower change for things that will become obsolete over time. One of the major issues with this is the lack of coordination between countries, and states within countries. Back to the ICCL report, one of the reasons that companies were not regulated properly was that the EU Commission failed to enforce GDPR laws in each country. Something new legislation is hoping to fix:

“The European Commission has failed to perform its duty to monitor the application of EU Law by Member States and to sue them when they fail to properly apply EU Law. This may soon be remedied: in January we secured a commitment from the European Commission to begin to monitor the progress of every significant GDPR investigation.”

The other problem is matching the crimes to a penalty that will impact Big Tech in a way that serves as an example. Most fines are tiny compared to annual revenues. Seriously, what’s the point of fining TikTok $10 million over child consent in the UK? The one main exception is the FTC’s $5 billion fine levied against Facebook in 2019, and some states in the US have started to sue the executives personally as another avenue to punish Big Tech companies. But really, these are shots in the dark. For massive social and search platforms, antitrust and privacy fines are just the cost of doing business.

This is the big problem with trying to regulate the internet. The companies are faster, more prepared, and better resourced to change the laws and pay off small fines than the regulators can organize themselves. This leads to enforcement agencies lacking the ability to aggressively investigate these companies, and they instead rely on compliance theater and media tactics to pressure companies into compliance.

In an entertaining example of this, a story came out this week of Taylor Swift walking away from a $100 million deal with now-bankrupt crypto exchange FTX, asking some very simple questions about unregistered securities and the legality of the company. Why can a pop star see through a dangerously fraudulent company when regulators didn’t even see it coming?

Failure is not the future

You might be thinking by now that there’s no hope for an internet that can protect consumers through government intervention. But there has been change in the past, and there are things that governments are doing now to make the web a safer place for everyone.

Australia recently announced a privacy fine overhaul which is one of the world's most severe fines for breaching consumer privacy. The fine for a data privacy violation could result in paying a $50 million fine, three times the benefit gained through the misuse of data, or 30% of the company’s turnover during the period of a breach. This is perhaps one way to give massive tech companies pause before they go down a path that violates user privacy.  

The legislation against TikTok is another positive step for American national security, which is following in the footsteps of India’s successful block of the app in their country. And while we’re having to wait and see how the US government approaches TikTok from a national security standpoint, there’s a risk here that it might trigger a deglobalization of tech on the internet, which carries both benefits and challenges.

The upcoming EU Digital Services Act, to be released in February 2024, is an expansion of the GDPR policies and will be another attempt to rein in Big Tech in the region with even tighter rules for data sharing and consumer controls. Some of the updates do the following:

  • Require that a platform refrain from using personal data collected through other companies that use its services;
  • Prohibit platforms from automatically combining and cross-using personal data from different "core platform services" in their businesses;
  • Prohibit platforms from advantaging themselves by using data provided by businesses that use their services;
  • Require that platforms give users the ability to take their data from their systems in order to use the data elsewhere; and
  • Require that platforms provide business customers with access to the data they process on those businesses' behalf.

And recently, an EU ruling has forced Meta to give users more options for targeted advertising and data handling. It’s a blow to Meta’s business model, but a win for users, who can now choose how they are targeted with ads. Even France’s potential anti-trust case against Apple in the wake of its 2021 changes to the company’s app tracking policies puts seemingly untouchable “privacy-positive” corporations under the microscope. There’s been a long-running joke now that Apple’s view of protecting user privacy is everything that Apple wants to do with your data. This might change that perception.

Regulation has never been easy. Governments face a huge amount of pressure from lobbyists and well-funded policy advocates. And if the past actions against giant internet companies have shown us anything, it's that regulating the web is harder than we all thought.

But if there’s a change, my bet is on it being generational. So much of what we have today – from the dumb cookie popups that the GDPR enforced to Apple’s self-serving ATT policies – is the product of a young internet being legislated against by an aging generation of lawmakers. New rules and regulations show promise for meaningful change. But until then, we will need to live in the jungle.


Stay Curious,



Want to share something interesting or be featured in The Martech Weekly? Drop me a line at juan@themartechweekly.com.

Juan Mendoza

Juan Mendoza is an expert in researching global media, marketing, data, and technology trends. He is the CEO of The Martech Weekly, a media and research brand with subscribers in over 65 countries.
