By Jason Sarfati, Chief Privacy Officer & Vice President of Legal

With its iOS14 update, Apple implemented a new privacy framework across a variety of its platforms. While it was rolled out in the name of consumer privacy, it also caused severe disruptions to app developers and the entire digital advertising ecosystem. But Apple isn’t alone. Last year, Google announced it will no longer support third-party cookies, with the complete extinction of the online tracking function expected in 2022. 

A lack of legislative action on a national level has opened the door for behemoth companies to use privacy tools to become leaders in consumer protection. While these changes are being implemented in the name of consumer privacy, in a real-world context they stand to upend the digital economy and consolidate consumer data in the hands of just a few, powerful corporations—ultimately, at the expense of consumers.

The digital advertising ecosystem extends far beyond the industry’s household names. It includes tens-of-thousands of other companies, some large and many small. These range from independent and corporate app developers to publishers, data providers, advertising platforms, networks, and agencies—all playing their part in a complex and highly-networked ecosystem. Increasingly, people shop, socialize and learn online, and they expect their favorite companies to know what they want to do, buy, or see next. Whether serving up digital content, informing new product or service features, or targeting advertising, this entire ecosystem relies heavily on consumer data to give their customers—and online consumers—the best possible experience.

There remain important questions about how this consumer data is collected and managed: When is it permissible to collect data from individuals? Who should have access, and under what conditions can consumer data be used? How much data is too much data, and what can we do to ensure that it is never abused? These and other questions, however, should not be answered by big tech—but rather by our elected representatives. We need a federal consumer data privacy law that both protects the individual interests of consumers and establishes guardrails for all businesses that handle consumer data.

Contrary to popular opinion, Congress has a long history of passing well-developed privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA). Every piece of data privacy legislation to date has been the product of ballot initiatives or democratically elected officials who, representing the interests of the American public, debate the pros and cons of each possible approach before anything becomes law. The same is generally true for international privacy laws, including the EU’s General Data Protection Regulation (GDPR).

Ceding this responsibility to private companies—no matter how well-intentioned—disrupts this time-honored tradition. Individuals, through their elected representatives, must have a say in the laws that govern the handling of their data.

Individual states have already begun to act. California’s Consumer Privacy Act (CCPA) took effect in 2020, and Virginia’s Consumer Data Protection Act (CDPA) has cleared both chambers of the Virginia legislature. It is now headed to the Governor who has declared his intention to sign the bill by March 1. Multiple states passing their own privacy laws further underscores the need for a comprehensive, federal privacy law—one that preempts individual states’ efforts and addresses the needs of individuals residing in the 48 states now left out.

In the absence of comprehensive, federal privacy law, it is individuals who stand to lose the most. Consumers will most likely have fewer free apps to choose from and receive more irrelevant ads as a result. Likewise, the impending arrival of more paywalls stands to dampen our internet user experience, as lower-income users face the real possibility of being priced out of certain corners of the Internet.  

Worse still, the fact remains that over 80% of the U.S. population is not currently covered by any data privacy law. For this reason, some companies, including Gravy Analytics, have chosen to extend the rights afforded to California residents to all consumers, but there is no legal requirement for any company to do so. Companies in the digital advertising ecosystem, too, will be challenged to comply with a patchwork of multiple, different state laws, and to continue to grow their respective businesses in the face of the ongoing privacy debate.

Without comprehensive federal legislation, large companies will necessarily continue to create their own frameworks that establish privacy norms and rules. The largest of these companies have the power to exert significant market influence and to disrupt entire areas of the digital economy. Although these changes are implemented in the name of privacy, they also have the singular power to fundamentally alter business relationships and fuel a “digital land grab”.

The time for federal data privacy legislation in the United States is long overdue, and the time to act is now.