Well, that didn't take long. The European Union's long-awaited (and commercially dreaded) privacy regulations, known as the General Data Protection Regulation (GDPR), have already begun wreaking havoc online.
Before the rules took effect on May 25, commentators had warned that the GDPR would consolidate power in the hands of market titans while confusing businesses about what exactly the regulations require. Indeed, early signs show that Facebook and Google, despite the threat of fines, are the big regulatory market winners. And EU bureaucrats themselves don't seem to know what "compliance" really looks like.
But the GDPR has also caused chaos in more unexpected ways. Here are just a few of the head-scratching unintended consequences that the GDPR has wrought across the globe.
Email-a-palooza: Most people's familiarity with the GDPR begins and ends with the avalanche of consent emails they received in the weeks before the regulations took hold. Services that you may not have heard from for years were suddenly quite eager to extol their "updated privacy policies" and cajole you for your approval.
For some of us, this was a good opportunity to de-list ourselves from long-forgotten apps and web sites with which we'd sooner not share our data. But for a lot of people, it was merely another exercise in clicking "agree" without reading a word of the fine print. This doesn't do a lot for improving data privacy, but it might protect some services from hefty GDPR fines.
Or not. Ironically, companies that sent out GDPR emails in good faith to ensure compliance may have ended up actually violating the GDPR. In a Kafkaesque kind of Eurocratic catch-22, some EU watchers argue that a company that lacks the consent for its current data practices could also lack the consent to email people to gain their consent. Have a headache yet? This is just one small sliver of the GDPR red tape nightmare.
Another irony unfolds in how consent practices have largely ended up helping the tech titans that EU regulators wished to rein in. A household name like Facebook or Google will have a much easier time getting consent from users than an unknown competing platform or ad vendor. The big guys effortlessly check the box, but the upstarts get lost among the piles of consent emails—all for nothing.
The Google Data Protection Regulation: While we're on the subject of Google, the publishing industry has taken to calling the GDPR the "Google Data Protection Regulation" for its market-consolidating effect. Google already dominates the ad market, accounting for some 44% of online advertising revenues in 2017 (Facebook snags another 18%). In the EU, Google accounted for 50% of all ad spends before the GDPR. The first day after the rules took effect, Google vacuumed up an astounding 95% of EU ad money.
Google benefits in second-order ways as well. Any policies that Google sets for its vendors yield dramatic impacts. Ad tech vendors have reported dramatic drops in business following the GDPR, and Google had limited the number of approved vendors that can participate on its platform until recently. If the EU wanted to tame Google's online dominance, it has a funny way of showing it!
Now you see it, now EU don't: The GDPR is long and complicated. It is so dry and ambiguous and monotonous that a meditation app called "Calm" offers a soothing bedtime reading of the 88-page regulation to help the listener "lie back, wind down, and drift off to the sound of a new legal regulation."
Not everyone has the time to read and internalize such a dry and complicated document. Some U.S.-based websites and services opted to put off dealing with the GDPR altogether.
Instapaper, a bookmarking service owned by Pinterest, announced on May 24 that it would be unavailable to EU members because of GDPR uncertainty, adding that it intended to "restore access as soon as possible."
News-minded EU citizens found themselves locked out of American media platforms on the day that the GDPR took effect. European fans of the Los Angeles Times, Chicago Tribune, and other Tronc- and Lee Enterprises-owned news services were greeted with a message that the websites were unavailable until the publishers found a way to deal with GDPR compliance. A&E Networks, which includes A&E, Lifetime, and the History Channel, simply decided to pull down their websites from EU access. Needless to say, this cut off European audiences from significant sources of American news, all because some random regulator decided it was not in their best interest to access it.
Others took a segregating approach. The Gannett-owned USA Today directed those with an EU IP address to a stripped-down platform known as "the EU experience." NPR similarly directed readers who opted out of its cookie and tracking policy to a text-only website. The Washington Post charges for its version of a GDPR-compliant subscription package, which costs 50 percent more than a normal subscription.
Who knows? Maybe some platforms will decide that dealing with European users just isn't worth the hassle. EU citizens will have their own regulators to thank.
It's about data in gaming: Will gamers rise up against the GDPR? Some gaming platforms have been forced to close servers or shut down altogether over costs wrought by the EU regulations.
Some of the affected games include Loadout, Super Monday Night Combat, and Ragnarok Online. The CEO of Loadout, Rob Cohen, was pretty blunt in an interview with Motherboard about the changes: "There is a pretty lengthy list of changes required by GDPR. We'd have to update our client, server, database, and more. It's a pretty big amount of development work for a game that is no longer in development." Loadout fans enjoyed their last sad gaming session on May 24, the day before the rules took effect.
The situation was similar for Super Monday Night Combat, another online game. This long-running platform has struggled to keep its servers up in the past. Add in the major regulatory liability of the GDPR, and you've got a basically unworkable situation. SMNC's CEO Jeremy Ables told Engadget that they just couldn't afford to make the changes that the GDPR required. So the game shuttered its doors instead. Ragnarok Online, on the other hand, decided to simply shut off access to EU players. Only time will tell if this evasive maneuver is enough to keep the potential €20 million in GDPR fines at bay.