Here’s something to puzzle over. In December, the Federal Trade Commission and a coalition of states filed antitrust lawsuits against Facebook, alleging that as the company grew more dominant and faced less competition, it reneged on its promises to protect user privacy. In March, a different coalition of states, led by Texas, accused Google of exclusionary conduct related to its plan to get rid of third-party cookies in Chrome. In other words, one tech giant is being sued for weakening privacy protections while another is being sued for strengthening them. How can this be?
That question, and others like it, are going to become increasingly urgent over the next few years. Antitrust enforcers are bringing cases against the biggest tech companies while states enact new privacy laws and Congress prepares (maybe, perhaps, hopefully) to pass one of its own. Meanwhile, those very companies are making all sorts of splashy changes to their privacy policies even as the government lawyers close in. If policymakers and enforcers can’t figure out the right way to think about how to reconcile privacy law with competition law, they risk badly screwing up both.
To win a monopolization suit under Section 2 of the Sherman Act, the government has to prove not only that a company is a monopoly, but that it has used its power to harm consumers—to do things it can get away with only because there’s nowhere else to go. (This rule, which is controversial, is called the “consumer welfare standard.”) The typical example is when a dominant firm raises prices after cornering the market. Since Facebook’s main products are free, that argument won’t work against it. But there’s another way to show an impact on consumer welfare: declining product quality. That’s the role privacy plays in the Facebook case. According to the lawsuits, the erosion of user privacy over time is a form of consumer harm—a social network that protects user data less is an inferior product—that tips Facebook from a mere monopoly to an illegal one. (This allegation, which the company denies, is only one of many antitrust claims raised against Facebook.)
That argument against Facebook illustrates the leading theory of how antitrust and data privacy intersect: As you turn up the competition dial, you get more privacy, because companies will try to woo customers by offering better protections. If a market gets monopolized, that incentive to compete disappears.
Sometimes, however, the privacy and competition relationship is inverted: As you turn the privacy dial up, you get less variety in the market. This is increasingly the case now that the most monopolistic companies are often the ones making the most extensive and lucrative use of personal data. In March, Google announced that it was moving ahead with a plan to block third-party trackers from Chrome, which has a global market share in the 60 percent range. Under its Privacy Sandbox framework, instead of cookie-based ad targeting, Google says it will implement a new system in which the browser does the tracking, and serves ads to users based on cohorts they fit into rather than targeting them individually.
On its face, this is a step forward for privacy. Getting rid of cookies will make it harder for strangers to get hold of your personal data. According to Texas, however—and the dozen or so experts I’ve discussed the matter with—the Privacy Sandbox will further entrench Google’s staggering position in the advertising market. By cutting off other companies’ ability to track users in Chrome, while keeping that power for itself, the company will add to its already formidable user-data advantage, and make it even harder for rival companies and publishers to compete for advertising dollars.
Here, privacy is not the thing being lost due to decreased competition; it’s the justification for the behavior being challenged. (Whether the Privacy Sandbox will even keep user data as secure as advertised is up for some debate, but let’s assume for now that it will.) So the goals of enhancing user privacy and enforcing competition appear to be at odds with each other. What should the outcome of this part of the Texas case be? Just about everyone agrees that third-party cookies are terrible. It would be weird if Google was prevented from killing them in the name of antitrust law. Don’t we want companies to cater to privacy-conscious consumers?
Information about you, what you buy, where you go, even where you look is the oil that fuels the digital economy.
According to Erika Douglas, a law professor at Temple University and the author of a recent Yale Law Journal essay titled “The New Antitrust/Data Privacy Law Interface,” there are a few ways a legal challenge like this can play out. (To be clear, the Chrome allegation is only one of many claims being brought against Google, some of which may be dropped or dismissed before the case gets to trial.) First, a court could rule that privacy isn’t the real reason for the company’s actions—that it’s a fig leaf covering up a power grab. That’s certainly how the state of Texas sees things. “Google’s upcoming cookie changes in the name of privacy are a ruse to further Google’s longstanding plan to advantage itself by creating a closed ecosystem out of the open web,” the amended complaint argues. “At the same time, Google is trying to hide its true intentions behind a pretext of privacy.” The complaint cites heavily redacted internal documents as evidence that the Privacy Sandbox is merely a new version of a long-running scheme to wall off the open web.
Google disputes this, of course. If it convinced the court that its privacy goals are sincere, the issue would move to a different question: Is there a legitimate business purpose to the Privacy Sandbox changes? This would be uncharted territory for antitrust doctrine. “We’ve not answered in law if privacy can be a business justification for anticompetitive conduct,” said Douglas. “Did you engage in this conduct primarily to exclude competitors, or did you engage in this conduct primarily to protect user privacy? If the real reason why was privacy, but it also has a competitive impact, that's something that antitrust law would probably allow.”
But the question might be even more complicated. What if privacy and competition aren’t separate concepts at all, but rather overlap? Google’s Privacy Sandbox proposal targets one very specific definition of privacy: limiting the number of people or businesses who get access to a user’s personal data. There are plenty of good reasons to cheer such a move: the less exposed your data, the less it can be used—and misused—without your permission. But that isn’t the only way to think about digital privacy. In her book Privacy Is Power, the Oxford philosopher Carissa Véliz describes privacy as a form of freedom from manipulation. When we lose control over our personal data, it enables “powerful people and institutions” to “make us act and think differently from the way we would in the absence of their influence.”
Google, of course, has amassed its empire by selling advertisers the power, at least in theory, to persuade consumers. On this account, it’s not so easy to tell where privacy ends and anti-monopoly law begins. If a dominant company cuts off competitors’ access to user data, but keeps using that data to influence people, it may be less a net gain for privacy than an instance of pushing water around the balloon—shifting control over data, and the power that accrues from it, from third parties to itself.
“What Google is doing is trying to not rethink its business model,” said Véliz. “In Spanish, we would call it a refrito—something you cook again, trying to make it look like a different dish.”
Maybe, then, the right way to think about what should happen when the privacy and competition dials diverge is to ask whether a company is cutting off access to personal data that it intends to keep using itself. That could help distinguish between a case like the Privacy Sandbox, on the one hand, and Apple’s App Tracking Transparency framework, on the other. Apple’s new policy will force all iPhone app developers to ask for permission before tracking users. That is expected to hurt companies that make money by tracking users across the web, most notably Facebook, which has reportedly considered filing an antitrust lawsuit to block the change. But since Apple doesn’t make its money by selling personalized ads based on surveilling user behavior, it’s harder to argue that it is hoarding access to user data for its own purposes. That makes the tension between privacy and competition easier to resolve.
Not that Apple will always come out ahead in this analysis. Contrast the Facebook spat with the ongoing feud between Apple and Tile, which sells tracking technology to help users find lost stuff and thus competes with Apple’s own “Find My” software. According to Tile, Apple has discriminated against the company by prohibiting certain practices, like background location tracking, that it requires to function. Apple says the rules are meant to protect user privacy. If it were to sue, Tile might have a stronger case than Facebook because its product competes more directly with Apple.
As Douglas notes in her essay, data privacy law has only begun to exist over the past two decades or so, during a period of very little antitrust activity. “This coincidence of timing—quiet in anti-monopolization enforcement while data privacy law bloomed—means that these areas of law are only now beginning to coexist in American law,” she writes. In fact, US privacy law isn’t much to look at, either. The country still lacks a federal data privacy law, and indeed any basic agreement over what privacy law should even be about. A lively and long-overdue debate over how to reform antitrust law is playing out in Washington. It might be tempting to save privacy for later. But each new allegation against a tech giant shows how big a mistake that could be.