How the European Union Is Ahead on Privacy

Issue 126, September 14, 2023

It has been over a year since we summarized privacy policy actions (or inactions) that will impact you as well as your organization. Why haven’t we written more on the topic? To be honest, there has been little if any action here in the US at the Federal level despite continued news about incidents that result in negative consequences across our society. While inaction continues at the highest levels in the US, many states caught up in the vacuum of no country-wide policy have enacted their own policies and regulations to protect their residents.

State Activity

Californians are benefitting from strict policies and regulations to protect their privacy online, limit the retargeting of advertisements (those that follow you nearly everywhere), communicate notifications of where and how data collected about you is used, and an ability to opt-out of the barrage of emails, ads, notifications and even pop-ups.

A new initiative moving through the California State Senate called “The Delete Act,” partially modeled after the National Do Not Call Registry, is structured to help enforce data broker accountability and transparency and also give consumers simple and easy ways to direct brokers to delete the personal data they have collected. Interestingly the advertising industry is raising an alarm that the act has unforeseen consequences for businesses. Read advertising without using data leads to the inability to follow, target and serve ads to likely customers, which of course then limits advertisers’ spend.

According to the Electronic Frontiers Foundation (EFF), a strong advocate and supporter of privacy, “When it comes to the reckless trade of our personal information, data brokers are the problem. These entities collect and then sell personal information they’ve amassed on individuals with very little oversight. This includes very sensitive information such as buying habits, financial records, social media activity, or precise geolocation information.

“Scams, identity theft, and financial exploitation result from the collection and misuse of personal information. Potential misuse of health data could lead to real harm in harassment, discrimination, and legal consequences for those seeking health services in California, including reproductive and gender-affirming healthcare data. And if information is sold to local, state, or federal agencies, that puts our Fourth Amendment rights at risk.”

Other states are on their own path to privacy or are closely watching California to model their potential regulations. The challenge with state-level policy and regulation is that it is restricted to the state’s borders. That said, interstate commerce regulations can offer a way to blur the lines of jurisdictional limitations. The upside is that most, if not all of today’s businesses offer interstate electronic commerce which makes them subject to the laws.

The EU Forges Ahead

While the US Federal Government continues to flounder, the European Union is blazing trails for its citizens, and the US is directly and indirectly benefitting from their advances.

Let’s start with something seemingly simple but surely consequential to most owners of an iPhone. Last year Malta, a member of the EU, advocated to its peers that a law was needed to standardize charging ports for all citizens of the EU. Beyond the frustration of ensuring someone had the right charger, so many devices required unique charging connections that resulted in waste — every time someone changes or upgrades a device, the prior charger becomes waste. Traveling? Forgot to pack the myriad of chargers for all your devices? A store visit upon arrival was a necessity, adding potentially more to the waste stream.

In response to Malta’s advocacy, the EU followed up with a new law impacting all companies that make their devices available for purchase in the EU. Apple of course was the major target given its reluctance to standardize its “lightning charging port and cable,” despite its change to USB-C on its laptop and iPad lines. With the launch of the new iPhone next month, Apple will comply with the new EU law, removing the lighting charging port and replacing it with a USB-C port. Why did Apple make the shift? A considerable number of Apple’s iPhones are sold in the EU.

We here in the US, stuck in the wild, wild west of inaction are benefitting from actions taken by the small country of Malta and the EU writ large. Thinking about getting a new iPhone 15?  It will now come with a USB-C charging port. That’s progress.

Even Bigger Benefits

According to The Guardian, the EU’s Digital Services Act (DSA) applies to any digital operation serving the EU, forcing them to be legally accountable for everything from fake news to manipulation of users, propaganda, and criminal activity including child abuse.

All the major platform companies including Facebook, Amazon, Google, and Bing are subject to the new DSA. Over the past year, these companies and others collaborated on a voluntary code of conduct in response to the DSA. Interesting X, formerly known as Twitter, did not participate and until recently communicated that it wasn’t planning to comply with the new law. That may be shortsighted because if any company is found in violation of the DSA, not only will it incur fines amounting to 6% of its revenue (X’s revenue is already in the tank; can it really handle a 6% fine?) but it will also have its platform/services banned in the EU. Most platform companies are dependent on maintaining and growing their user base to stay in business by selling ads and collecting data. So, it seems a no-brainer that the only choice is to comply with the law or lose millions if not billions of addicted users.

EU Halo Effect for the US

The Guardian reports an audit of 399 online shops by the commission and national consumer authorities in the EU this year found that 40% relied on “manipulative practices to exploit consumers’ vulnerabilities or trick them.”

The practices include fake countdown timers with fake deadlines for purchasing and burying important information (making it really hard to find) such as delivery costs or the availability of cheaper options. The EU’s audit found that sites using such practices aimed to “manipulate consumers into entering a subscription.”

Since our unconscious mind is often in the driver’s seat, a false sense of urgency often leads us to rush, feel anxiety that we will miss out on something we want or need, and as a result, we quickly hit the purchase button. The lack of information or nondisclosure of information ensures we are limited in decision-making. On top of that, we don’t like reading long, complex legal agreements. But once we hit that yes button, we have entered a legally binding relationship, most of which we know nothing about.

Thankfully, the DSA is making such practices illegal. Fines scale depending on the size of the company or organization but are structured to ensure that no matter the size, all EU citizens will be protected from such practices. When tactics and strategies are put in place to remove manipulative actors, US citizens will benefit as well.

Another result of DSA is that companies will no longer be permitted to rank their products and services first. Think about Amazon’s top ten list of products, and the fact that the first few are “Amazon’s” or “Amazon’s Choice.” Typically, shoppers don’t like too many choices, including lists of products that come up in search. We subconsciously focus on the first few products or links for likely purchase. All available data about behavior show we routinely click on the first three results.

Another benefit is the active removal of illegal products. Have you ever been a victim of clickbait? You browse sites to find something you need and wind up on a random website that is offering a price you can’t refuse. Or you find something questionable on Facebook Marketplace or on Amazon. Platform companies will be required to combat the sale of illegal products and services.

Your social media feed may benefit as well since companies will not be able to use sensitive personal data including race, gender, and religion to target users with ads. Tired of ads following you everywhere? Maybe move to the EU where that won’t happen anymore. Or wait it out until the platforms follow suit here in the US.

Misinformation/Fake News/Children

The DSA includes protections and requirements designed to actively manage and remove illegal content. That content includes propaganda, interference with elections, hate crimes and harmful online actions including harassment, child abuse and misinformation. Companies serving EU citizens must take responsibility for what is posted and available on their platforms and set up active programs to remove misleading and harmful content. Here in the US, no action has yet to be taken to make companies liable for the content posted on their platforms. It’s a volunteer program and an inconsistent effort at best.

The DSA has significantly improved regulations to protect children including eliminating retargeting of advertising and expanding parental settings for management of available content. After years and years of talk and little action, the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and the Kids Online Safety Act (KOSA) were unanimously approved and moved out of committee in the US Senate. This has happened before in the previous Congress and the bills were never passed. Let’s cross our fingers that with the return to session this Fall, Congress can turn its attention to these two very important bills.

Social Du Jour

The US government seems to be focused on banning TikTok with the premise that the Chinese are monitoring our behaviors and analyzing our data. This seems a diversion; one channel among hundreds? One platform among 10? That makes no sense.

That energy could be applied in better ways to protect our behavior; what we like and don’t like, who we like to talk to, what purchases we make, and what we are interested in. Those protections safeguard us from clickbait, those timers and urgent messages to take action, or other malicious intent via misinformation to take advantage of us and influence our minds. We are more influenced by what we are exposed to than we like to admit. If we can’t protect ourselves, surely our government can throw us a bone.

Benefitting from Others

When a system seems inherently broken, we tend to look elsewhere for solutions and for others to help us. We may feel powerless, caught up in the day-to-day, or overlook what is right in front of us based on the fear or anxiety it may cause. But let’s face it, when a system seems broken, it requires a fix. In terms of privacy and protecting our most vulnerable citizens, we are lagging behind, and are less adaptive and responsive.

Organizations should take it upon themselves to consider how this inaction can make them less competitive. If other organizations take the lead, it can decimate market share when their customers choose them over you. This is a sure path to irrelevance. Time is on no one’s side, and you need to be proactive to protect your business and your customers.