Will online privacy make a comeback in 2020?

Last year was a landmark for online privacy in many ways, with something of a consensus emerging that consumers deserve protection from the companies that sell their attention and behavior for profit.

The debate now is largely around how to regulate platforms, not whether it needs to happen.

The consensus among key legislators acknowledges that privacy is not just of benefit to individuals but can be likened to public health; a level of protection afforded to each of us helps inoculate democratic societies from manipulation by vested and vicious interests.

The fact that human rights are being systematically abused at population-scale because of the pervasive profiling of Internet users — a surveillance business that’s dominated in the West by tech giants Facebook and Google, and the adtech and data broker industry which works to feed them — was the subject of an Amnesty International report in November 2019 that urges legislators to take a human rights-based approach to setting rules for Internet companies.

“It is now evident that the era of self-regulation in the tech sector is coming to an end,” the charity predicted.

Democracy disrupted

The dystopian outgrowth of surveillance capitalism was certainly in awful evidence in 2019, with elections around the world attacked at cheap scale by malicious propaganda that relies on adtech platforms’ targeting tools to hijack and skew public debate, while the chaos agents themselves are shielded from democratic view.

Platform algorithms are also still encouraging Internet eyeballs towards polarized and extremist views by feeding a radicalized, data-driven diet that panders to prejudices in the name of maintaining engagement — despite plenty of raised voices calling out the programmed antisocial behavior. So what tweaks there have been still look like fiddling round the edges of an existential problem.

Worse still, vulnerable groups remain at the mercy of online hate speech which platforms not only can’t (or won’t) weed out, but whose algorithms often seem to deliberately choose to amplify — the technology itself being complicit in whipping up violence against minorities. It’s social division as a profit-turning service.

The outrage-loving tilt of these attention-hogging adtech giants has also continued directly influencing political campaigning in the West this year — with cynical attempts to steal votes by shamelessly platforming and amplifying misinformation.

From the Trump tweet-bomb we now see full-blown digital disops underpinning entire election campaigns, such as the UK Conservative Party’s strategy in the 2019 winter General Election, which featured doctored videos seeded to social media and keyword targeted attack ads pointing to outright online fakes in a bid to hack voters’ opinions.

Political microtargeting divides the electorate as a strategy to conquer the poll. The problem is it’s inherently anti-democratic.

No wonder, then, that repeat calls to beef up digital campaigning rules and properly protect voters’ data have so far fallen on deaf ears. The political parties all have their hands in the voter data cookie-jar. Yet it’s elected politicians whom we rely upon to update the law. This remains a grave problem for democracies going into 2020 — and a looming U.S. presidential election.

So it’s been a year when, even with rising awareness of the societal cost of letting platforms suck up everyone’s data and repurpose it to sell population-scale manipulation, not much has actually changed. Certainly not enough.

Yet looking ahead there are signs the writing is on the wall for the ‘data industrial complex’ — or at least that change is coming. Privacy can make a comeback.

Adtech under attack

Developments in late 2019 such as Twitter banning all political ads and Google shrinking how political advertisers can microtarget Internet users are notable steps — even as they don’t go far enough.

But it’s also a relatively short hop from banning microtargeting sometimes to banning profiling for ad targeting entirely.

Alternative online ad models (contextual targeting) are proven and profitable — just ask search engine DuckDuckGo. While the ad industry gospel that only behavioral targeting will do now has academic critics who suggest it offer far less uplift than claimed, even as — in Europe — scores of data protection complaints underline the high individual cost of maintaining the status quo.

Startups are also innovating in the pro-privacy adtech space (see, for example, the Brave browser).

Changing the system — turning the adtech tanker — will take huge effort, but there is a growing opportunity for just such systemic change.

This year, it might be too much to hope for regulators get their act together enough to outlaw consent-less profiling of Internet users entirely. But it may be that those who have sought to proclaim ‘privacy is dead’ will find their unchecked data gathering facing death by a thousand regulatory cuts.

Or, tech giants like Facebook and Google may simple outrun the regulators by reengineering their platforms to cloak vast personal data empires with end-to-end encryption, making it harder for outsiders to regulate them, even as they retain enough of a fix on the metadata to stay in the surveillance business. Fixing that would likely require much more radical regulatory intervention.

European regulators are, whether they like it or not, in this race and under major pressure to enforce the bloc’s existing data protection framework. It seems likely to ding some current-gen digital tracking and targeting practices. And depending on how key decisions on a number of strategic GDPR complaints go, 2020 could see an unpicking — great or otherwise — of components of adtech’s dysfunctional ‘norm’.

Among the technologies under investigation in the region is real-time bidding; a system that powers a large chunk of programmatic digital advertising.

The complaint here is it breaches the bloc’s General Data Protection Regulation (GDPR) because it’s inherently insecure to broadcast granular personal data to scores of entities involved in the bidding chain.

A recent event held by the UK’s data watchdog confirmed plenty of troubling findings. Google responded by removing some information from bid requests — though critics say it does not go far enough. Nothing short of removing personal data entirely will do in their view, which sums to ads that are contextually (not micro)targeted.

Powers that EU data protection watchdogs have at their disposal to deal with violations include not just big fines but data processing orders — which means corrective relief could be coming to take chunks out of data-dependent business models.

As noted above, the adtech industry has already been put on watch this year over current practices, even as it was given a generous half-year grace period to adapt.

In the event it seems likely that turning the ship will take longer. But the message is clear: change is coming. The UK watchdog is due to publish another report in 2020, based on its review of the sector. Expect that to further dial up the pressure on adtech.

Web browsers have also been doing their bit by baking in more tracker blocking by default. And this summer Marketing Land proclaimed the third party cookie dead — asking what’s next?

Alternatives and workarounds will and are springing up (such as stuffing more in via first party cookies). But the notion of tracking by background default is under attack if not quite yet coming unstuck.

Ireland’s DPC is also progressing on a formal investigation of Google’s online Ad Exchange. Further real-time bidding complaints have been lodged across the EU too. This is an issue that won’t be going away soon, however much the adtech industry might wish it.

Year of the GDPR banhammer?

2020 is the year that privacy advocates are really hoping that Europe will bring down the hammer of regulatory enforcement. Thousands of complaints have been filed since the GDPR came into force but precious few decisions have been handed down. Next year looks set to be decisive — even potentially make or break for the data protection regime.

Ireland’s Data Protection Commission — the lead regulator for most of big tech in the region — has trailed that it will start rolling out its first enforcement decisions early in the year, starting with complaints related to WhatsApp and Twitter.

On Facebook-owned WhatsApp, the regulator has been investigating the lawful basis for its processing of personal data under GDPR. It has also been scrutinizing whether the platform meets transparency obligations under the law.

While, with Twitter, the DPC has been looking into security issues and complaints around the right of access.

It has 21 “large scale” investigations into tech giants’ processes at this stage. Ireland’s information commissioner, Helen Dixon, has said her hope is to have concluded all of them in 2020. So much could change.

Speaking to the International Grand Committee on Disinformation this fall, she overtly linked the use of personal data for microtargeting by ad platforms with risks posed to democracies by the amplification of propaganda and misinformation, telling delegates: “The profile a platform has created of a user and the categorisation of that user as being of a certain lifestyle, passion or habit may allow an undecided voter in an election context to be pushed in one direction or the other.

“All of this may happen without the user being aware their own data is being deployed to reinforce that individual’s existing viewpoint rather than the individual being in a position to take an objectively informed stance based on an understanding of both sides of an issue. Given the rates of online users who consume their news exclusively via social media platforms, this is a concern.”

Despite clearly articulating the potential societal harm attached to user profiling, Dixon also suggested GDPR alone will not be able to reform business models based on the collection and exploitation of personal data to target behavioral ads.

But if enough of these companies’ data processing operations are found by her office to fall foul of the regulation’s principles there will be clear momentum for privacy-preserving reform.

Reining in big tech

Europe’s incoming Commission president, Ursula von der Leyen, has also signaled an intent to take a strong stance on Internet companies — to shape them, rather than acquiesce to Europe being shaped by US tech giants and their data-mining technologies.

Her reappointment of competition chief, Margrethe Vestager for another five-year term on the beat where she’s gained a reputation for taking on big tech — and an expanded role shaping Europe’s digital policy — is another strong signal in favor of reforming a skewed norm.

Vestager has pledged to deliver a Digital Services Act this year which will upgrade liability and safety rules for digital platforms, services and products. She has also signaled a willingness to regulate data collection, telling the European parliament in October that: “We may also need to regulate the way that companies collect and use and share data — so it benefits the whole of our society.”

While on AI, European legislators are prioritizing “ethical guidelines” — with the Commission president making it clear she wants to regulate sooner, not later. Proposals at least will be coming in 2020.

There are major developments looming in the U.S. in 2020, too, as California’s Consumer Privacy Act (CCPA) comes into force on January 1 — despite tech and telco giants’ best efforts to thwart regulation of how personal data can be collected and shared. A weaker federal framework may yet come to pass, down the line, but heading into next year, CCPA will see the country charting a new course as California applies a set of obligations on its backyard and thus the world’s most powerful Internet companies.

The law introduces disclosure requirements for companies large enough (and whose businesses involve processing personal data) to provide users with information on what personal data they collect; the purposes they use the data for; any third parties it will be shared with; and also provide a discrimination-free opt-out to personal data being sold or shared.

Consumers can also request that their data be deleted — such as browsing history, purchases, location info, biometrics, preferences and inferences used to profile them. So the next #DeleteFacebook or #DeleteUber campaign could have additional commercial bite.

The CCPA will also bring in data collection notices — of the sort that have been visible in Europe for years — which must offer users in California a clear opt out to specify that they don’t want their information sold.

Consumers may start being offered incentives to agree to their data being sold. Which, while it does nothing to further the cause of privacy, will at least make the trade-off that’s inherent in free online services more visible and encourage awareness of the background exchanges that are inherent in so many modern products.

While it’s technically a state law, legal experts expect it will be de facto applied nationwide, rather than companies trying to maintain separate systems. Not least because if they did that they could be accused of offering Californians a better deal than other Americans.

There’s a six-month grace period before any enforcements under CCPA so fines and lawsuits — if they come — will be arriving in the second half of 2020. But the scramble to comply is real.

And if enough consumers start taking up their new rights — telling tech giants they do not want their personal data shared — that will crank up pressure on the tracking and targeting business model ‘norm’ in a way that could incentivize pro-privacy alternatives.

At the same time there are open questions about how effective enforcement of CCPA will be, such as around how viable class action lawsuits will be.

Facebook has also signaled it won’t play nice and go gentle into a data-light goodnight. Per the WSJ, the company has told advertisers it won’t be changing its web tracking services in response to CCPA — arguing that routine data transfers, such as occur via its tracking pixels, do not constitute ‘selling’ consumers’ information under the law. Expect a legal fight over that, though not until the second half of 2020 at the earliest.

An online world without profiling remains the holy grail of privacy reform. Up to now it’s been a distant dream in the U.S., where Americans’ personal data has been — essentially — a free-for-all. That does finally change in 2020. So there could be an interesting window of opportunity for pro-privacy disruption of tracking and targeting business models which savvy startups could home in on.

Equally, adtech giants like Facebook are going to fight tooth and nail to retain the lucrative tracking and targeting infrastructure they’ve built up over 15+ years and embedded into the mainstream web. So unpicking all that will be a huge fight.

Legal lens

Beyond CCPA there are now multiple US antitrust investigations of tech giants, at federal and state level, which could also have major implications for digital privacy — if regulators deem they must step in and break platform giants up.

Ultimately, such antitrust intervention could have greater success at undoing the privacy-hostile consolidation of user data that tech giants like Google have practiced over the years by collapsing policy partitions across their own suites of products in order to further flesh out individual user profiles.

In Facebook’s case the company also infamously reversed a no-data-sharing rule between WhatsApp and its namesake service — torching specific privacy promises made to users by the WhatsApp founders. (As mentioned above, Ireland’s data watchdog looks likely to rule on this next year.)

Although it’s not clear how soon U.S. regulators could act in the event that investigations result in identifying competition violations. So it’s by no means certain the scores of cases now ranged against big tech will land punches in 2020.

At the same time Facebook is facing multiple privacy-related lawsuits that could deliver more blows to its reputation, including a class action related to the Cambridge Analytics data misuse scandal — and another related to its use of biometric facial data.

Lawsuits have already been the source of plenty of awkward revelations for the company with internal documents emerging that have shown Facebook treating user data as a bargaining chip to consolidate its power and control competitors.

Each of these takes a toll in trust, as legislators eye how best to bring the scandal-hit social media sector to heel. And with the link between data and market power becoming clearer, there’s much for antitrust regulators to ponder when it comes to privacy.

One thing is clear: When Facebook and Google are targeted for high level denunciation by a human rights charity — as “surveillance giants” long overdue regulation — there’s been a marked shift in public perception around the risk-benefit analysis attached to harvesting people’s personal data.

The value of privacy becomes increasingly clear the more it’s taken from you.

Leaked reports from China this year, detailing the state’s use of technology tools to surveil and persecute Uighurs and other minorities, have provided the starkest example of how unchecked tracking technologies can be weaponized for scale abuse.

It’s also telling that a no-holds-barred speech by comedian Sacha Baron Cohen — laying into Facebook for amplifying hate speech, conspiracy theories and political lies — went viral late this year.

Attacking Mark Zuckerberg’s “twisted logic” in setting a policy to accept money from politicians to spread hateful lies, Cohen, who is himself Jewish, suggested if Facebook were around in the 1930s “it would have allowed Hitler to post 30-second ads on his solution to the ‘Jewish problem.'”

Facebook’s response? Tone-deaf to a fault, the company claimed it does not allow hate speech on its platform.

The question is how much longer Facebook — and the entire surveillance capitalism category — can get away with trying to pull the wool over everyone’s eyes about what this type of business means for people’s privacy.