Revisiting what’s going on in antitrust
A fresh look at different global regulatory efforts and what's next
Programming note: When we first wrote about antitrust at the beginning of 2021, it seemed like while a lot was happening, none of it would be moving particularly fast. Eleven months later, enough has changed to warrant a revisiting of the state of antitrust in what will be the final issue of Sparrow One this year. We will return in late January. We wish you a happy, healthy, and restful holiday season and a great start to the new year!
The current US antitrust regulatory framework dates back to the late 19th century: Congress passed the Sherman Antitrust Act of 1890 to make it illegal to form a monopoly or limit trade. Twenty-four years later, the Clayton Antitrust Act of 1914 prohibited mergers and acquisitions that would stifle competition. The Federal Trade Commission Act of 1914 also established an agency with authority to police unfair competition and deceptive practices. Some 131 (!) years later, antitrust has taken on two main forms: privacy (“Data collection is intrusive and needs to be regulated.”) and addressing Big Tech monopolies (“The largest technology companies are too powerful and must be broken up or regulated to level the playing field for new and smaller, independent entrants.”). While they may appear different at first glance, these are two sides of the same coin: Applying old monopoly regulation to modern tech companies isn't going to cut it, but solving for data usage rights and — more importantly — opening up the data layer to competition has a chance. To date, there’s certainly been more activity on the latter front.
In a nutshell
Different countries and regulatory bodies have taken different approaches. If you were to consider global privacy and antitrust laws on a spectrum, the minimal, sector-specific approach of the United States would sit on one end, with the EU’s comprehensive General Data Protection Regulation (GDPR), implemented in 2018, sitting on the opposite. The United States has a patchwork of regulations, such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), which only apply to the personal data of California residents, the Children’s Online Privacy Protection Act (COPPA), a law that restricts data access and collection for children, the Virginia Consumer Data Protection Act, which we wrote about in more detail here, along with a mishmash of other vertical-specific laws that often have too narrow of an interpretation to affect Big Tech platforms. China, another enormous market, had initially pursued a similar approach as the United States, but it revised its path and has moved toward a much more comprehensive regulatory framework that more closely resembles — or exceeds — GDPR. And behind China and Europe would sit Australia, which is amending its Privacy Act of 1988 to better accommodate the digital economy that has evolved in the 33 years since its inception.
The rise in new global data protection and antitrust laws reflect the reality that most governments recognize that they need to regulate the internet economy, but they face doing so with severely outdated tools. In many cases, governments were asleep at the wheel as tech companies grew into the massive tech giants we have today. There is a now-familiar battle cry that Big Tech is bad or too big and must be broken up at all costs, but that stance is rooted in the monopoly structures of a bygone era, which are much different than the concentration of power we see in today’s digital economy. And while many recognize the need for some sort of regulatory activity to make the large digital platforms less dominant, no one has fully figured out what that should look like.
But that hasn’t stopped governments from experimenting with new approaches. Here is a look at how the United States, European Union, Australia, and China are approaching data protection and antitrust laws, which collectively cover nearly 2.2 billion people, or roughly 28% of the world’s population. What are regulators in each country/territory focusing on?
United States: no rules are good rules
Federal initiatives
In early October 2020, Congress issued a report about anticompetitive behavior by Facebook, Alphabet (Google’s parent company), Apple, and Amazon. The report from Democrats on the House Antitrust Subcommittee found plenty of potential offenses: Amazon allegedly has a monopoly over its site’s third-party sellers; Apple exerts monopoly power through its App store; Facebook achieved its monopoly power by acquiring, copying, or killing competitors; and Google holds a monopoly in search and search advertising.
A few weeks later, the Department of Justice filed a lawsuit against Google that focuses on its search monopoly, including services, search advertising, and search text advertising. The DOJ accused Google of striking deals with device makers to improperly protect its search monopoly, including paying Apple a small fortune to make its search engine the default on iPhones and forcing smartphone manufacturers that use its Android operating system to also set its search engine as the default. Eleven states were listed as plaintiffs in the original lawsuit, and others have since joined. What’s next: In December 2021, the judge in the case ordered the antitrust trials to be bifurcated: The two suits — one from the DOJ and the other from the states — would each first have an initial trial on Google’s liability under the Sherman Act and then a second trial on potential remedies if needed. The trials are set to begin Sept. 12, 2023, and they could last up to 12 weeks or more. Antitrust cases generally move at a glacial pace.
In September 2021, Bloomberg reported that the Justice Department is speeding up an investigation of Google’s digital advertising business and preparing a second antitrust complaint that could be filed by the end of 2021. It appears that many of Google’s ad-tech transgressions being alleged by a group of states led by Texas (see below) are also under DoJ scrutiny.
The Federal Trade Commission (FTC) filed a lawsuit against Facebook on Dec. 9, 2020 alleging that it destroyed competition by acquiring or crushing companies in a predatory manner, including one-time rivals Instagram and WhatsApp. The FTC seeks a permanent injunction that could include forcing Facebook to divest Instagram and WhatsApp and refrain from harming future competition, such as restricting third-party software developers that provide a competing service or tool. The lawsuit follows an investigation in cooperation with a group of 48 state and territory attorneys general, which filed its own similar but separate lawsuit on the same day as the FTC’s. (See below.) A federal judge threw out both lawsuits in June 2021. The FTC’s complaint was tossed for lack of proof that Facebook had a social-networking monopoly, but since it was dismissed without prejudice, the agency was able to file an amended complaint in August 2021 with more details to back up its allegations. What’s next: On Dec. 1, Meta Platforms, Facebook’s newly named parent company, asked the court to dismiss the FTC’s amended lawsuit and not allow the FTC to refile. Meta also asked for Lina Khan, a longtime Facebook critic and current head of the FTC, to recuse herself from the case.
While these lawsuits originated in the Trump administration, President Biden has signaled that he would pursue an aggressive stance toward Big Tech. In March 2021, President Biden appointed Columbia Law professor Tim Wu, a vocal Big Tech critic, to the National Economic Council as a special assistant to the president for technology and competition. Not long after, he chose Khan, another Columbia Law Professor and tech critic, to join the FTC, and in June 2021, he elevated her to lead the agency. Biden also tapped Google foe Jonathan Kanter to become assistant attorney general of the DoJ’s antitrust division, where he’ll oversee the DOJ’s antitrust lawsuit against Google.
State initiatives
New York led a group of 46 states and two territories to also sue Facebook on Dec. 9, 2020. Many of the arguments and resolutions alleged and sought by the states mirror the FTC’s since the agency and states cooperated during a 20-month investigation of Facebook’s business. A federal judge dismissed the states’ complaint in June 2021 because the Instagram and WhatsApp deals took place more than five years ago. What’s next: The states have appealed the decision.
Colorado led a group of 38 states and territories in a search-focused lawsuit against Google on Dec. 17, 2020 that is similar to the DOJ’s but goes a bit further, including allegations that Google is trying to dominate new distribution channels such as smart speakers and lock out vertical search providers like Yelp and TripAdvisor. As previously mentioned, the judge hearing this and the DOJ's case against Google ordered that the trials be bifurcated: The two suits — one from the DOJ and the other from the states — would each first have an initial trial on Google’s liability under the Sherman Act and then a second trial on potential remedies if needed. What’s next: The trials are scheduled to begin in September 2023.
Texas led a group of 10 states to sue Google on Dec. 16, 2020 over an alleged digital advertising monopoly that began with its acquisition of the DoubleClick ad server. The lawsuit claims a slew of ad tech-related offenses, including maintaining monopolies on both the buy and sell sides, making the use of its publisher ad server a requirement for the use of its ad exchange, using privacy as an excuse to further its business interests, and trying to destroy header bidding through a clandestine deal with Facebook. The judge unsealed the lawsuit in October 2021, revealing many juicy details, including allegations that Google extracts a tax of 22%-42% on the ad dollars flowing through its system. It also claims that Google’s Project NERA and Privacy Sandbox, a set of proposals meant to replace third-party cookies, are aimed at limiting "publishers’ ability to identify and track users, and to position itself as the arbiter of identification and targeting on the open web." What’s next: The states filed another amended lawsuit in November 2021 with more evidence of Google's anticompetitive behavior. In July 2021, 36 states and Washington, DC, filed an antitrust lawsuit against Google over its Google Play Store practices. At issue is a requirement that all app developers that use the Google Play Store will pay a 30% commission on the sale of any digital services or goods. Android phones feature the Play Store as the default app store, although users can download apps from elsewhere. What’s next: The trial is scheduled for fall 2022.
In terms of privacy, the US has a very liberal data market but no federal data protection or privacy framework. In the absence of a nationwide law, several states have moved to fill the void with their own rules; for the latest, the International Association of Privacy Professionals (IAPP) maintains a tracker of state-level privacy law activity.
Among several state-level privacy efforts, California’s is currently the most comprehensive. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which extends the newly implemented CCPA. For instance, consumers can opt out of the sale of their personal data under CCPA, but CPRA also allows them to opt out of their personal data being shared. CCPA covered businesses that derive more than half of their revenue from the sale of consumers’ personal information (PI), but CPRA extends that to companies with more than half of their revenue coming from the sharing of consumer PI. CPRA strictly regulates a new class of “sensitive personal information” that includes government identifiers, precise geolocation data, information related to sexual orientation, race, religious or philosophical beliefs, health information, and financial account and login information. What’s next: The law creates an agency dedicated to the protection of consumer personal information and privacy protection and with responsibility for CPRA rulemaking. The final regulations should be adopted by July 1, 2022, with the law going into effect on Jan. 1, 2023. Enforcement will begin on July 1, 2023. However, any data that is collected in 2022 must comply with CPRA requirements by 2023 if it will be used from that point on due to a lookback provision written into the law.
In our view, the sooner the United States has a federal privacy law, similar to the European Union’s GDPR, the better off we will be because the current molasses of uncertainty is unhelpful for everyone — except for walled gardens, which it seems will always come out on top.
European Union: setting the standard on privacy regulation
The European Union aggressively scrutinized Google’s anticompetitive business practices for more than a decade and levied a record $10 billion in fines, but with little impact on Google’s dominant market position. The EU has launched new investigations into Google’s advertising practices, including ad tech and data collection. The UK, which is of course no longer part of the EU, is also examining Google’s plans to deprecate third-party cookies in Chrome and recently ordered Meta, Facebook’s parent company, to divest its 2020 acquisition of Giphy on the grounds that the deal hurts UK social media users and advertisers. Europe and the UK are also formally investigating Facebook for antitrust violations related to its use of customer data. In December 2020, the EU introduced the Digital Markets Act, which will essentially regulate Big Tech platforms to prevent them from abusing their dominant market power and level the playing field for smaller companies. It prohibits tech companies from preferencing their products and services, for example, and precludes them from reusing user data in other products.
The aggressive legislation follows the landmark privacy law GDPR. Since its inception, we have seen some smaller companies receive what we would consider to be exemplary fines for egregious violations of GDPR. However, it appears that we are starting to see some of the first signs of more serious GDPR activity and enforcement, including against larger players. In 2020, European regulators levied 158.5 million euros in fines and more than 121,000 breach notifications, a 19% increase from the year before. And in 2021, we also saw greater fines, including a 225 million euro fine for WhatsApp levied in September 2021 and a record 746 million euro fine for Amazon in July.
Privacy advocates in the (pre-Brexit) UK and Netherlands filed separate class-action lawsuits against Oracle and Salesforce in August 2020 over their use of third-party cookies for tracking and targeting purposes. The companies are considered to be data brokers under GDPR, but the plaintiffs contend that the companies’ practices fail to secure the proper consent as required by the law. The lawsuits were stayed until the resolution of the Lloyd vs Google case at the UK Supreme Court, which had the potential to open the floodgates for future claims; the court ruled in Google’s favor because the plaintiff failed to show proof of material damage from a data breach. It appears that the Oracle and Salesforce cases were still pending as of Nov. 30, 2021. Meanwhile, Norwegian regulators threatened the gay dating app Grindr with a $12 million fine for failing to give users appropriate control over their data. The app allegedly didn’t allow users to opt out of data sharing with third parties and forced users to accept its privacy policy in order to use its free version. Grindr previously ran afoul of the Norwegian Consumer Council for illegally sharing personal data with third parties for marketing purposes. The current fine amount represents about 10% of Grindr’s revenue, which notably exceeds the 4% allowed under GDPR. (Norway isn’t a formal bloc member but follows most of the EU’s rules.) The ruling for Grindr’s $11.7 million fine was finalized in October 2021.
What’s next: The European Parliament is due to vote on the Digital Markets Act in December 2021; once approved, the Parliament will begin negotiations with EU governments. In February 2021, the European Council wrapped up negotiations of its ePrivacy Regulations, which were first introduced in 2017 and are meant to complement GDPR. The group of data privacy laws, which cover consent and third-party cookies, are awaiting approval and would go into effect 24 months later.
Australia: modernizing a solid foundation
In 2019, the Australian Competition and Consumer Commission (ACCC) published its Digital Platforms Inquiry report, which examined how digital platforms affect the state of news and journalistic content and the ramifications on consumers, media content creators, and advertisers. The report recommended that the government review whether the Privacy Act 1988 should be reformed to better reflect today’s digital economy. The government agreed. The review will likely consider several themes, according to Australian consultancy Salinger Privacy. For example, there is an obligation to balance both a consumer’s need to protect their data with a company’s need to engage with consumers online. There is also a desire to align the Privacy Act more closely with GDPR, potentially paving the way for the trading of personal information between Australia and European nations. The government released an issues paper in October 2020 that asks for feedback on areas of potential reform, including the definition of personal information, whether the Privacy Act effectively protects personal information, and if individuals should have direct rights of action to enforce obligations laid out under the Privacy Act. In October 2021, a discussion paper was released focused on 28 topics. The discussion paper suggests revising the threshold definition of “personal information” to include online identifiers and technical data, which is in line with GDPR and would go a long way to modernizing the nation’s privacy laws. The paper also signals a shift to more stringent restrictions on data collection, use, and disclosure, rather than a “notice and consent” model. For a deeper dive into the discussion paper, see this handy rundown from IAPP and Salinger Privacy.
The ACCC’s Digital Platforms Inquiry report also recommended the development of codes of conduct to address a bargaining power imbalance between media companies and digital platforms. The ACCC was ordered to draft a mandatory code of conduct, which, among other actions, may include making Facebook and Google pay Australian media companies for the news that runs on their platforms, similar to how syndication fees once worked. This sparked a major brouhaha in Spring 2021 when Facebook said it would block news sharing in response. Google vowed to pull its search engine from the Australian market. Google accounts for 94% of Australia’s search market, and competitors such as Microsoft were eager to take market share with their own search services. Google then announced that it would revive plans to launch its own news website, which it originally planned to introduce last year. Google’s news site launched in February with seven Australian publishers that Google will pay to host content in its News Showcase. The law was passed and Google backed down from its threat to leave the country. Since then, Google and Facebook have agreed to licensing deals with the majority of Australia’s dominant media companies.
What’s next: In January 2022, submissions on the discussion paper are due and a reform bill may follow at some point next year.
China: from laissez-faire to structured regulation
It seemed like China would continue to pursue a relatively regulation-free privacy regime that more closely resembled the United States, but in October 2020, China released a draft of what would be its first comprehensive data protection law — and it appeared to take more inspiration from GDPR than the United States. In some ways, China’s Personal Information Protection Law (PIPL), which was passed in August 2021 and went into effect on November 1, 2021, is even more stringent than GDPR and, as one would expect, it gives Chinese regulators significant leeway in matters related to personal data and national security. PPIL may fine up to 5% of a company’s annual revenue during the previous year for what it considers to be “grave violations,” compared to 4% for GDPR, but it also allows fines for individuals, or “responsible personnel” at a company — up to $155,000 for “grave” violations and up to $15,500 for less serious infractions. Under the law, these offenders may also be forbidden from leadership roles for a certain period of time. Companies outside China that run afoul of the law could be placed on a blacklist and prevented from processing personal data of Chinese citizens.
PIPL is similar to GDPR in that it also gives individuals more control over their data, such as access to the information that’s been collected about them and the right to have this personal data corrected or deleted. Companies must have some sort of legal basis to process someone’s data, but it is narrower under PIPL compared to GDPR. PIPL takes a hard line on national security issues. For example, while GDPR generally promotes the free flow of data between countries, the PIPL requires a security assessment by the Cyberspace Administration of China before personal data is transferred outside the country. Companies that collect a certain amount of people’s data in China must also store that data within China, which could complicate matters for Apple and a handful of international technology companies that still have an operating presence in the country. Another regulation, the Data Security Law, which went into effect on September 1, 2021, dictates how data must be classified based on national security risk and economic value. Taken together, these laws have clamped down on the amount of information about China that is allowed to leave the country, including the locations of ships in Chinese waters, making it more difficult to gauge port activity during a time of persistent supply-chain bottlenecks.
China has also taken its own significant steps to regulate its largest tech companies in what some have called a year-long campaign against Big Tech. China’s market regulator has doled out dozens of antitrust fines against companies such as Alibaba, Tencent, and Baidu. In October 2021, it published a draft amendment to its 2008 Anti-Monopoly Law, and it recently launched an anti-monopoly enforcement bureau. All told, China’s new regulations amount to a significant set of laws that gives it more control over the data being collected from one in five people on the planet.
The need for a new regulatory toolkit
What would happen if some government really succeeded in breaking up Google or Facebook? We don’t believe that any divestiture would actually address the data asymmetry that creates the walled gardens’ advantage. So, while the “break-them-up” mantra is hard to resist for some, the incremental value in Google divesting a small portion of their stack would be minimal. There really is no easy answer.
The landmark United States vs. Microsoft antitrust lawsuit that was decided 20 years ago seems to be the closest parallel we have to the current antitrust discussion about Google and Facebook, in terms of how Microsoft evolved from startup to global powerhouse over a similar time span. But even the tools that were available to regulators to relitigate and regulate then were not a good fit, and they haven't evolved dramatically since.
In February 2021, Democratic Sen. Amy Klobuchar introduced the Competition and Antitrust Law Enforcement Reform Act of 2021 to update the Clayton Act. The bill would increase M&A scrutiny and barriers for dominant companies. It would also give the FTC and DOJ much bigger sticks in the form of larger penalties for anticompetitive behavior — up to 15% of a company's total US revenue, or 30% of US revenue in affected markets, per Protocol. The bill is highly controversial: The US venture-backed innovation model relies on acquisitions as successful exits for challenger companies. Making acquisitions harder isn’t necessarily in the best interests of entrepreneurs and the long-term health of our innovation ecosystem. The effort, which would also affect Big Ag and Big Pharma, doesn’t appear to be going anywhere. But the fight against Big Tech has taken on urgency in the wake of testimony from a whistleblower and former Facebook employee that detailed troubling allegations about the company’s business practices. Now there seems to be growing bipartisan support for other legislation, including a package of bills that, if passed, could fundamentally change the Big Tech platforms as we know them. The American Innovation and Choice Online Act would treat the platforms, such as Google’s search engine, as essential to commerce, like a dominant railroad operator, which would make it illegal for it to give its own products an advantage over competitors. Similar bills in the House secured committee approval but have otherwise stalled as Congress focused on the infrastructure bill.
We believe that the Biden administration (and other national-level regulators across the globe) must consider what the basic internet structure should look like and approach it as an infrastructure challenge. Could that look like the regulation of the financial markets? That’s not a good fit either. There needs to be some consideration for what is actually creating this monopoly effect for Big Tech but isn't being articulated in the current regulation. We also need to shift the conversation away from privacy and more toward data usage rights. We must create an environment in which consumers can specify what types of data exchanges they would like and where they will find value, as opposed to just the platforms, data aggregators, or third parties accruing all of the commercial advantages of data transactions, with consumers having no say in how their data is packaged, used, or activated.
One question
Where is the consumer in all of this? While some privacy considerations (especially around leakage of potentially sensitive data) likely trigger an immediate reaction, numerous public hacks have demonstrated that consumers tend to brush off these breaches or have a hard time understanding their potential impact. Do current regulatory efforts adequately reflect consumer perspectives and priorities?
Thanks for reading,
Ana, Maja, and the Sparrow team
Enjoyed this piece? Share it, like it, and send us comments (you can reply to this email).
Who we are: Sparrow Advisers
We’re a results oriented management consultancy bringing deep operational expertise to solve strategic and tactical objectives of companies in and around the ad tech and mar tech space.
Our unique perspective rooted deeply in AdTech, MarTech, SaaS, media, entertainment, commerce, software, technology, and services allows us to accelerate your business from strategy to day-to-day execution.
Founded in 2015 by Ana and Maja Milicevic, principals & industry veterans who combined their product, strategy, sales, marketing, and company scaling chops and built the type of consultancy they wish existed when they were in operational roles at industry-leading adtech, martech, and software companies. Now a global team, Sparrow Advisers help solve the most pressing commercial challenges and connect all the necessary dots across people, process, and technology to simplify paths to revenue from strategic vision down to execution. We believe that expertise with fast-changing, emerging technologies at the crossroads of media, technology, creativity, innovation, and commerce are a differentiator and that every company should have access to wise Sherpas who’ve solved complex cross-sectional problems before. Contact us here.