US Tech Firms Embrace Data Protections to Comply with EU Big Tech Rules

Privacy Protections for Europeans: Impact on US Tech Firms and Beyond

Efforts by the European Union (EU) to strengthen data privacy regulations have led to significant changes in how American tech companies handle user data in Europe. The Digital Services Act (DSA), which went into effect on Friday, imposes strict requirements on very large online platforms with over 45 million users. The law prohibits targeting users with ads based on sensitive data and introduces transparency requirements for algorithms. It also holds platforms accountable for illegal content, including hate speech and deceptive design patterns.

Changes in Targeted Advertising

One of the most noticeable effects of the DSA is the prohibition of targeted advertising based on sensitive data such as sexual orientation. Tech companies like TikTok and Meta (which owns Facebook and Instagram) have already announced changes to comply with the law. TikTok will allow users to disable personalized results in its feed and automatically opt out users aged 13-17 from personalized ads. Meta is implementing keyword-based searches instead of personalized activity-based results and plans to switch to a “consent-based” model for behavioral advertising.

However, it is uncertain whether these alterations will satisfy EU regulators. Twitter and TikTok recently underwent voluntary “stress tests” overseen by the European Commission, and both reportedly fell short of meeting the new standards. Past attempts in the US to ban the use of sensitive and children’s data for targeted advertising have been unsuccessful. While not banned, such practices have caused American tech companies to face legal challenges, as seen in Facebook’s settlement with the Justice Department in 2022 over housing discrimination allegations.

Trickle-Down Effects on Global Regulation

It is too early to determine whether the DSA, like the General Data Protection Regulation (GDPR), will have global effects. GDPR influenced privacy protections worldwide, and according to Gabriela Zanfir-Fortuna from the Future of Privacy Forum, similar outcomes could be expected with the DSA. The reliance on targeted advertising as a key revenue source for tech giants implies that protections and functions compliant with the DSA may eventually be made available outside of Europe as well.

Challenges and Compliance

While American companies have allocated significant resources to comply with the DSA, there are challenges due to limited guidance for platforms. Anthonia Ghalamkarizadeh of Hogan Lovells highlighted that compliance requirements are still unclear in many aspects. The lack of explicit guidance may lead to privacy complications, particularly regarding the treatment of minors. Although not mandated by the DSA, some companies might implement age verification technologies that raise additional privacy concerns and data collection issues.

Centralized Enforcement and Swifter Actions

One major difference between the DSA and other EU data privacy laws is the centralized enforcement process through the European Council, rather than individual countries’ data protection agencies. This centralized approach may lead to swifter enforcement actions against large tech companies. However, it is too early to determine the implications fully.

In conclusion, the EU’s new data privacy regulations have already transformed the way American tech companies handle user data in Europe. The impact of the DSA on global regulation and the eventual compliance adjustments made outside of Europe remain uncertain. Tech companies face challenges in interpreting the law, and privacy concerns may arise from unintended consequences. As enforcement mechanisms evolve, the relationship between tech giants and EU regulators will continue to shape the future of online privacy and data protection.