European Consumer Privacy Regulation: A Cautionary Tale for the U.S.


By Arnaud Creput, Smart CEO 

In France, we have an expression to describe institutional overreach: “To be more Royalist than the King.” That is an apt way to describe how CNIL (National Commission on Informatics and Liberty) has over-interpreted General Data Protection Regulation (GDPR) enforcement in a way that has led to unintended consequences. The U.S. digital advertising community would be well advised to guard against a similar scenario.

One of the central intentions of GDPR was to rein in the often rapacious behavior of GAFA (Google, Apple, Facebook & Amazon) in Europe, but instead, CNIL, the independent French regulatory body whose mission is to ensure consumer data privacy, has done the opposite by hampering smaller players. CNIL’s recent decision to outlaw cookie walls is the most recent example of perpetuating an uneven dynamic that all too often works to the benefit of GAFA. That was followed by the latest decision to force publishers to wait six months to ask again for consent from consumers who have not explicitly opted in for tracking. By repeatedly handing down these decrees in a vacuum, CNIL essentially is giving GAFA the run of the land in the name of prioritizing consumer privacy. Economic fairness should be prioritized as well, which CNIL’s moves emphatically do not do.

Thank goodness for the French “State Council,” which stepped in and overrode CNIL in the first instance. The overruling in effect reverses CNIL’s decision to outlaw cookie walls. The State Council in its ruling maintained the publisher’s right to refuse access to its content if the consumer refuses to allow cookie tracking for ad targeting. This is a first major victory against the rigid dogma of CNIL. This turn of events, for the time being, will help stave off another blow to publisher revenue while publishers are still reeling from the impact of diminished spending during Covid-19.

This situation could have been avoided if the ePrivacy Initiative, GDPR’s enforcement mechanism, had been quicker in carrying out its responsibility. It was into this enforcement void that CNIL stepped to deliver its misguided form of justice. Furthermore, if more companies operating in Europe had made an early commitment to building their practices and data technology infrastructure with consumer privacy as a top priority, regulatory misfires like this could have been avoided.

Where Do We Go From Here?

If CNIL were to have its way, publishers would be severely limited in fully optimizing audience assets to compete against GAFA and each other. CNIL tends to throw its weight behind a scenario that could lead to real existential peril for many digital media companies. GAFA would of course be the beneficiaries by dint of their massive footprints of logged-in, identified audiences, which give them unparalleled ability to match data from a multitude of tracking sources.

Here are a couple of broad recommendations to rebalance the currently lopsided power structure:

  • Push for more consequential regulation and sanctions against anti-competitive practices and tax evasion.
  • Make a concerted, coordinated effort to push for a Digital Services Act with a real regulatory bite to create a more favorable competitive dynamic that will champion digital sovereignty for a broader swath of companies.

Unless a major shift occurs in brand investment, we can expect to see more and more publishers wind up as roadkill.  Since the Covid-19 lockdowns were instituted in March, hardly a day goes by without some kind of restructuring or merger between European media concerns. Prominent brands like L’Express and Presstalis have been severely impacted. Presstalis has even declared bankruptcy. If we can pull together, it’s possible that this list will not grow.

So if I have any advice for my U.S. colleagues, I would fiercely advocate for a thoughtful and serious privacy framework at an overarching federal level with a vigorous enforcement mechanism. If we leave this to state-by-state regulation, starting with the California Consumer Privacy Act (CCPA), we are leaving the door wide open for disparate regulatory outcomes that will be chaotic and unfair, in the same way that CNIL’s action was not conducive to matching consumer privacy with economic fairness in Europe.

I was encouraged by recent reports that the U.S. may indeed be fast-tracking a federal privacy framework that would make CCPA and other similar state initiatives obsolete.  According to one source, momentum for a federal law is expected to grow after the U.S. election in November, regardless of the results.

I hope this momentum does indeed increase. What is needed on a global level is enlightened, organized and equitable federal privacy initiatives at scale. I hope my American colleagues can set an important example to that end.

