The State of Antitrust
A look at different global regulatory efforts and what's next
The current US antitrust regulatory framework dates back to the late 19th century: Congress passed the Sherman Antitrust Act of 1890 to make it illegal to form a monopoly or limit trade. Twenty-four years later, the Clayton Antitrust Act of 1914 prohibited mergers and acquisitions that would stifle competition. The Federal Trade Commission Act of 1914 also established an agency with authority to police unfair competition and deceptive practices. Some 131 (!) years later, antitrust has taken on two main forms: privacy (“Data collection is intrusive and needs to be regulated.”) and addressing Big Tech monopolies (“The largest technology companies are too powerful and must be broken up or regulated to level the playing field for new and smaller, independent entrants.”). While they may appear different at first glance, these are two sides of the same coin: Applying old monopoly regulation to modern tech companies isn't going to cut it, but solving for data usage rights and – more importantly – opening up the data layer to competition has a chance. To date, there’s certainly been more activity on the latter front.
In a nutshell
Different countries and regulatory bodies have taken different approaches. If you were to consider global privacy and antitrust laws on a spectrum, the minimal, sector-specific approach of the United States would sit on one end, with the EU’s comprehensive General Data Protection Regulation (GDPR), implemented in 2018, sitting on the opposite. The United States has a patchwork of regulations, such as the California Consumer Privacy Act (CCPA), which only applies to the personal data of California residents, and the Children’s Online Privacy Protection Act (COPPA), a law that restricts data access and collection for children, along with a mishmash of other vertical-specific laws that often have too narrow of an interpretation to affect Big Tech platforms. China, another enormous market, had initially pursued a similar approach as the United States, but it seems to have revised its path and is now moving toward a much more comprehensive regulatory framework that more closely resembles GDPR, though not quite as detailed. And between China and Europe would sit Australia, which is currently amending its Privacy Act of 1988 to better accommodate the digital economy that has evolved in the 33 years since its inception.
The rise in new global data protection and antitrust laws reflect the reality that most governments recognize that they need to regulate the internet economy, but they face doing so with severely outdated tools. In many cases, governments were asleep at the wheel as tech companies grew into the massive tech giants we have today. There is a now-familiar battle cry that Big Tech is bad or too big and must be broken up at all costs, but that stance is rooted in the monopoly structures of a bygone era, which are much different than the concentration of power we see in today’s digital economy. And while many recognize the need for some sort of regulatory activity to make the large digital platforms less dominant, no one has fully figured out what that should look like.
But that hasn’t stopped governments from experimenting with new approaches. Here is a look at how the United States, European Union, Australia, and China are approaching data protection and antitrust laws, which collectively cover nearly 2.2 billion people, or roughly 28% of the world’s population. What are regulators in each country/territory focusing on?
United States: no rules are good rules
Federal initiatives
In early October 2020, Congress issued a report about anticompetitive behavior by Facebook, Alphabet (Google’s parent company), Apple, and Amazon. The report from Democrats on the House Antitrust Subcommittee found plenty of potential offenses: Amazon allegedly has a monopoly over its site’s third-party sellers; Apple exerts monopoly power through its App store; Facebook achieved its monopoly power by acquiring, copying, or killing competitors; and Google holds a monopoly in search and search advertising.
A few weeks later, the Department of Justice filed a lawsuit against Google that focuses on its search monopoly, including services, search advertising, and search text advertising. The DOJ accused Google of striking deals with device makers to improperly protect its search monopoly, including paying Apple a small fortune to make its search engine the default on iPhones and forcing smartphone manufacturers that use its Android operating system to also set its search engine as the default. Eleven states were listed as plaintiffs in the original lawsuit, and others have since joined. What’s next: The judge set Sept. 12, 2023 as the trial date, and the trial is expected to last between five and 12 weeks. Antitrust cases generally move at a glacial pace.
The Federal Trade Commission (FTC) filed a lawsuit against Facebook on Dec. 92020 alleging that it destroyed competition by acquiring or crushing companies in a predatory manner, including one-time rivals Instagram and WhatsApp. The FTC seeks a permanent injunction that could include forcing Facebook to divest Instagram and WhatsApp and refrain from harming future competition, such as restricting third-party software developers that provide a competing service or tool. The lawsuit follows an investigation in cooperation with a group of 46 states, which filed its own similar but separate lawsuit on the same day as the FTC’s. (See below.) What’s next: The two separate cases will be heard by the same judge, but no trial date has been set yet.
State initiatives
New York led a group of 46 states and two territories to also sue Facebook on Dec. 9. Many of the arguments and resolutions alleged and sought by the states mirror the FTC’s since the agency and states cooperated during a 20-month investigation of Facebook’s business. What’s next: This case will be heard by the same judge presiding over the FTC’s case. The timeline is unclear.
Colorado led a group of 38 states and territories in a search-focused lawsuit against Google on Dec. 17 that is similar to the DOJ’s but goes a bit further, including allegations that Google is trying to dominate new distribution channels such as smart speakers and lock out vertical search providers like Yelp and TripAdvistor. What’s next: This case will be heard by the same judge overseeing the DOJ’s case against Google, and the two cases were combined for pre-trial preparation. No confirmed timeline yet.
Texas led a group of 10 states to sue Google on Dec. 16 over an alleged digital advertising monopoly that began with its acquisition of the DoubleClick ad server. The lawsuit claims a slew of ad tech-related offenses, including maintaining monopolies on both the buy and sell sides, making the use of its publisher ad server a requirement for the use of its ad exchange, using privacy as an excuse to further its business interests, and trying to destroy header bidding through a clandestine deal with Facebook. What’s next: A potential hearing in late February or early March may determine if the case will be moved to California.
In terms of privacy, the US has a very liberal data market but no federal data protection or privacy framework. In the absence of a nationwide law, several states have moved to fill the void with their own rules, most notably California.
In November 2020, California voters approved the California Privacy Rights Act (CPRA), which extends the newly implemented CCPA. For instance, consumers can opt out of the sale of their personal data under CCPA, but CPRA also allows them to opt out of their personal data being shared. CCPA covered businesses that derive more than half of their revenue from the sale of consumers’ personal information (PI), but CPRA extends that to companies with more than half of their revenue coming from the sharing of consumer PI. CPRA strictly regulates a new class of “sensitive personal information” that includes government identifiers, precise geolocation data, information related to sexual orientation, race, religious or philosophical beliefs, health information, and financial account and login information. What’s next: The law creates an agency dedicated to the protection of consumer personal information and privacy protection; it will assume responsibility for CPRA rulemaking by July 1, 2021. The final regulations should be adopted by July 1, 2022, with the law going into effect on Jan. 1, 2023. Enforcement will begin on July 1, 2023.
In our view, the sooner the United States has a federal privacy law, similar to the European Union’s GDPR, the better off we will be because the current molasses of uncertainty is unhelpful for everyone – except for walled gardens, which it seems will always come out on top.
European Union: setting the standard on privacy regulation
The European Union aggressively scrutinized Google’s anticompetitive business practices for more than a decade and levied a record $10 billion in fines, but with little impact on Google’s dominant market position. The EU has launched new investigations into Google’s advertising practices, including ad tech and data collection. The UK, which is of course no longer part of the EU, is also examining Google’s plans to deprecate third-party cookies in Chrome in 2022. In December, the EU introduced the Digital Markets Act, which would essentially regulate Big Tech platforms to prevent them from abusing their dominant market power and level the playing field for smaller companies. It would prohibit tech companies from preferencing their products and services, for example, and preclude them from reusing user data in other products.
The aggressive legislation follows the landmark privacy law GDPR. Since its inception, we have seen some smaller companies receive what we would consider to be exemplary fines for egregious violations of GDPR. However, it appears that we are starting to see some of the first signs of more serious GDPR activity and enforcement, including against larger players. In the last 12 months, European regulators have levied 158.5 million euros in fines and more than 121,000 breach notifications, a 19% increase from the year before.
Privacy advocates in the (pre-Brexit) UK and Netherlands filed separate class-action lawsuits against Oracle and Salesforce in August over their use of third-party cookies for tracking and targeting purposes. The companies are considered to be data brokers under GDPR, but the plaintiffs contend that the companies’ practices fail to secure the proper consent as required by the law. The lawsuits are stayed until the resolution of theLloyd vs Google case at the UK Supreme Court, which is expected this year and could open the floodgates for future claims. Meanwhile, Norwegian regulators recently threatened the gay dating app Grindr with a $12 million fine for failing to give users appropriate control over their data. The app allegedly didn’t allow users to opt out of data sharing with third parties and forced users to accept its privacy policy in order to use its free version. Grindr previously ran afoul of the Norwegian Consumer Council for illegally sharing personal data with third parties for marketing purposes. The current fine amount represents about 10% of Grindr’s revenue, which notably exceeds the 4% allowed under GDPR. (Norway isn’t a formal bloc member but follows most of the EU’s rules.) Grindr has until Feb. 15 to respond.
Australia: modernizing a solid foundation
In 2019, the Australian Competition and Consumer Commission (ACCC) published its Digital Platforms Inquiry report, which examined how digital platforms affect the state of news and journalistic content and the ramifications on consumers, media content creators, and advertisers. The report recommended that the government review whether the Privacy Act 1988 should be reformed to better reflect today’s digital economy. The government agreed. The review will likely consider several themes, according to Australian consultancy Salinger Privacy. For example, there is an obligation to balance both a consumer’s need to protect their data with a company’s need to engage with consumers online. There is also a desire to align the Privacy Act more closely with GDPR, potentially paving the way for the trading of personal information between Australia and European nations. The government released an issues paper in October 2020 that asks for feedback on areas of potential reform, including the definition of personal information, whether the Privacy Act effectively protects personal information, and if individuals should have direct rights of action to enforce obligations laid out under the Privacy Act. In early 2021, a second issues paper will be released that will likely seek more specific public comment on preliminary outcomes.
The ACCC’s Digital Platforms Inquiry report also recommended the development of codes of conduct to address a bargaining power imbalance between media companies and digital platforms. The ACCC was ordered to draft a mandatory code of conduct, which, among other actions, may include making Facebook and Google pay Australian media companies for the news that runs on their platforms, similar to how syndication fees once worked. Facebook said it would block news sharing in response. Google vowed to pull its search engine from the Australian market. Google accounts for 94% of Australia’s search market, and competitors such as Microsoft are eager to take market share with their own search services. Google then announced that it would revive plans to launch its own news website, which it originally planned to introduce last year. Google’s news site launched today with seven Australian publishers that Google will pay to host content in its News Showcase.
What’s next: We’re keeping our eye on the resolution of the “pay media companies for links” spat because we anticipate that it may be used as precedent in other countries. (France has indicated interest in pursuing a similar path, which led Google to recently agree to pay an association of French publishers to reuse bits of their content.)
China: from laissez-faire to structured regulation
It seemed like China would continue to pursue a relatively regulation-free privacy regime that more closely resembled the United States, but in October, China released a draft of what would be its first comprehensive data protection law – and it appears to take more inspiration from GDPR than the United States. For example, China’s Personal Information Protection Law (PIPL) is more expansive than the United States’ and shares similarities with GDPR in its definitions of personal information, sensitive information, individual rights, and legal bases for data processing, though there are differences between the two. PIPL doesn’t differentiate between a data controller and processor as GDPR does, and it takes a hard line on national security issues. For example, while GDPR generally promotes the free flow of data between countries, the PIPL requires a security assessment by the Cyberspace Administration of China before personal data is transferred outside the country. What’s next: The window to comment on the draft legislation has now closed, but the timeline for revisions and enactment into law isn’t clear. Some experts predict that it will go into effect as early as 2022.
China has also taken its own steps to regulate its largest tech companies. In November its market regulation bureau released draft rules to curtail anti-competitive practices of its internet giants and protect consumers’ interests. According to Morgan Stanley, Alibaba, Tencent, Pinduoduo, JD.com, and Meituan will be affected by the rules, and they have each been accused of unfair competition at some point. The law’s targeted behaviors include preferential treatment for merchants that sign exclusive agreements with platforms, price discrimination, and requisite user data collection.
The need for a new regulatory toolkit
What would happen if some government really succeeded in breaking up Google or Facebook? We don’t believe that any divestiture would actually address the data asymmetry that creates the walled gardens’ advantage. So, while the “break-them-up” mantra is hard to resist for some, the incremental value in Google divesting a small portion of their stack like DoubleClick, for example, would be minimal. There really is no easy answer.
The landmark United States vs. Microsoft antitrust lawsuit that was decided 20 years ago seems to be the closest parallel we have to the current antitrust discussion about Google and Facebook, in terms of how Microsoft evolved from startup to global powerhouse over a similar time span. But even the tools that were available to regulators to relitigate and regulate then were not a good fit, and they haven't evolved dramatically since.
This week, Democratic Sen. Amy Kobuchar introduced the Competition and Antitrust Law Enforcement Reform Act of 2021 to update the Clayton Act. The bill would increase M&A scrutiny and barriers for dominant companies. It would also give the FTC and DOJ much bigger sticks in the form of larger penalties for anticompetitive behavior – up to 15% of a company's total US revenue, or 30% of US revenue in affected markets, per Protocol. The effort, which would also affect Big Ag and Big Pharma, faces an uphill battle given the Democrats’ slim majority. It’s also highly controversial: The US venture-backed innovation model relies on acquisitions as successful exits for challenger companies. Making acquisitions harder isn’t necessarily in the best interests of entrepreneurs and the long-term health of our innovation ecosystem.
We believe that the Biden administration (and other national-level regulators across the globe) must consider what the basic internet structure should look like and approach it as an infrastructure challenge. Could that look like the regulation of the financial markets? That’s not a good fit either. There needs to be some consideration for what is actually creating this monopoly effect for Big Tech but isn't being articulated in the current regulation. We also need to shift the conversation away from privacy and more toward data usage rights. We must create an environment in which consumers can specify what types of data exchanges they would like and where they will find value, as opposed to just the platforms, data aggregators, or third parties accruing all of the commercial advantages of data transactions, with consumers having no say in how their data is packaged, used, or activated.
One question:
Where is the consumer in all of this? While some privacy considerations (especially around leakage of potentially sensitive data) likely trigger an immediate reaction, numerous public hacks have demonstrated that consumers tend to brush off these breaches or have a hard time understanding their potential impact. Do current regulatory efforts adequately reflect consumer perspectives and priorities?
Dig deeper:
How the Biden administration might address privacy
JonesDay note on CPRA
Thanks for reading,
Ana & Maja
Enjoyed this piece? Share it, like it, and send us comments (you can reply to this email).
Who we are: Sparrow Advisers
We’re a results oriented management consultancy bringing deep operational expertise to solve strategic and tactical objectives of companies in and around the ad tech and mar tech space.
Our unique perspective rooted deeply in AdTech, MarTech, SaaS, media, entertainment, commerce, software, technology, and services allows us to accelerate your business from strategy to day-to-day execution.
Founded in 2015 by Ana and Maja Milicevic, principals & industry veterans who combined their product, strategy, sales, marketing, and company scaling chops and built the type of consultancy they wish existed when they were in operational roles at industry-leading adtech, martech, and software companies. Now a global team, Sparrow Advisers help solve the most pressing commercial challenges and connect all the necessary dots across people, process, and technology to simplify paths to revenue from strategic vision down to execution. We believe that expertise with fast-changing, emerging technologies at the crossroads of media, technology, creativity, innovation, and commerce are a differentiator and that every company should have access to wise Sherpas who’ve solved complex cross-sectional problems before. Contact us here.