Regulating Big Tech

Two new long-awaited European Commission regulations have gone into effect.

The Digital Markets Act [DMA] seeks to regulate “gatekeepers” with special attention to those that operate “two-sided” online marketplaces. Two-sided means that they act as a middleman between seller and customer. There are six gatekeepers. The Digital Services Act [DSA] seeks to regulate the behavior of large services and the way they track and serve ads to users. 13 companies got caught up in this one, a superset of the gatekeepers.

For context, Europe, which is more than just the EU, is typically the second most lucrative region for all these companies after North America. To use Facebook (META) as an example, in Q2 45% of revenue came from North America, 23% from Europe, 20% from Asia-Pacific, and the remaining 12% from the rest of the world. But there are very stark differences in revenue conversion rates in the digital ad space:

Just Facebook, not Instagram or WhatsApp. MAU = monthly active user. (Facebook quarterly reports; analyst calculations)

The strong dollar is magnifying this now, but you see those huge dropoffs — 66% from North America to Europe, and 76% from Europe to rest-of-world. Everybody who breaks out revenue and user data this way has a chart that looks similar to that one, just with different numbers. So Europe is not the most important region, but still important enough that everyone has to care what the EU says and does. They can’t just pull out.

The new regulations only apply to EU citizens and business customers, but for some of it, it will make no sense, or will be impossible to separate out.

The gatekeepers, from the DMA:

Did the European Commission really need Floaty the Robot top-left? (European Commission)

All of them also got caught up in the DSA. In addition to those companies, the DSA covers Alibaba (BABA), Booking (BKNG), Pinterest (PINS), Snapchat (SNAP), Twitter, Wikipedia and Zalando (ZNDO).

For the purposes of this article, I am going to stop treating them as separate laws. Both of them have very harsh fines for falling out of compliance. I think the best way to organize it is company-by-company, and the effects of both laws on each of them. I will be primarily focusing on the gatekeepers, excluding Bytedance.

Apple (AAPL)

In their last fiscal year, Apple got 24% of revenue from their “Europe” segment, but that also includes some fast-growing EMs in Africa, the Middle East and South Asia.

In an important way, the new regulations cut to the core of how Apple likes to do things. This email exchange, evidence in a lawsuit, is sort of the Rosetta Stone for understanding how Apple approaches 3rd parties on iPhone:

“Cocoa touch” is what they then called iOS apps. (Internal Tech Emails)

This was October 2007. Steve Jobs you know; Bertrand Serlet was Apple VP of Software back then. iPhone had been released the previous June. While most people saw it as a “phone,” plenty saw that it was a little pocket computer that could do a lot. People were clamoring for 3rd party apps, and a software development kit [SDK] from Apple.

So that’s the context: should we make an official SDK, app store, etc.? The answer of course was “yes”, but note Serlet’s priorities in the bullets:

User security and privacy. Network security. Keep app development under Apple’s control. Limit what hardware and software they expose to 3rd party apps. There is no number 5. Nothing about money.

That’s how they viewed it then, and that’s how they still view it. Keeping App Store a closed system adds to the bottom line, but the more important goals to Apple are those four top bullets, especially the top two.

So the following new restrictions and obligations really cut into that:

Open up to 3rd party app stores and direct download from the web, AKA “sideloading.” Sideloading is a recurring nightmare SVP of Services Eddy Cue has, because it is a massive security and privacy hole Apple cannot control.

Allow alternative in-app purchases. This is going to be huge. Everyone has moved to this revenue model — free download and then pay for the app to actually work. Apple is going to try and bill developers for their 30% cut.

They have to allow 3rd party browser engines, a recurring nightmare for SVP of Software, Craig Federighi, because it is a massive security and privacy hole Apple cannot control.

No more private APIs or hardware. All iOS and hardware services have to be open to 3rd parties, including the NFC payments chip. A massive security hole, attached to payments.

They cannot favor their own apps in the App Store, which they most definitely do.

iMessage and FaceTime are not caught up in this yet, but it looks like at least iMessage will be. They will have to comply with the new inter-operability requirements for text, voice and video over time. Given the way Apple has this set up, they may have to redo large portions of their backend to these services, and it may not make sense to do it EU-only. This is also a massive security hole. iMessage exploits have been key in commercial spyware, including just this month.

I think their advertising, such as it is, already complies with everything.

The thing in the law that may wind up saving Apple is that it is littered with language like this:

The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that 3rd-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.

So that’s the seam Apple is going to keep trying to run through. It’s going to be up to the Commission to determine what “duly justified” means.

This will take a bite out of growth in Apple’s Services segment, where App Store is a very large part, about a quarter of revenue.

But the bigger thing in my opinion is that Apple will lose control over key parts of the user experience, which is at the top of the pyramid of things they care about. Apple’s business model is simple: make great products with a great user experience, market it well, keep operations efficient, and you’ll be rewarded with high margins and loyal customers. The key to all of it is great products with a great user experience, and they are losing control over key parts of the user experience.

Google (GOOGL)

In the last fiscal year, Google got 30% of their revenue from Europe/Middle East/Africa.

Google is probably the most covered here, and there are so many facets to it: Search, 1st party ads, the ad network, Android, YouTube, Maps, Play, Shopping and Chrome.

Like Apple, this cuts through the heart of how Google does business.

Provide a lot of great services for “free”. The purpose of those services are to collect user data. Provide free software and services to businesses, like web statistics and “Sign in with Google," the purpose of which is to siphon data about their customers. Also get data from advertisers and publishers on the Google 3rd party ad network. Combine all that user data with publicly available data and create a very complex portrait of individuals. Use that to target ads.

Now, the combining part in bullet #4 is out. All the services will have to be siloed. I’m not even sure how Google will begin to separate that all out, or whether it will be just for EU citizens. But just to give the most obvious example, combining location data from Maps with everything else is a huge part of Google’s ad targeting in all their services, and now that’s out. This is the entire point of Maps, and now it is much less useful across the entire company, at least in the EU countries.

Moreover, bullet #2, collecting data from other apps and sites, is now opt-in in the EU. This will cut off a big source of data the way it did with iOS App Tracking Transparency.

Other new obligations and restrictions

They will have to provide anonymized search data to competing search engines under FRAND conditions. This is an interesting one, and it’s hard to know how that plays out until the EC defines what those conditions are.

They cannot favor Google apps in the Play Store, which they do.

They will be required to allow 3rd party app stores, in-app purchases and sideloading like Apple. They already do, to some extent, and this is less of a big deal for them than it is for Apple. The roughest part will be, like for Apple, in-app purchases.

No private APIs in Android. Again, a bigger thing for Apple.

Better enforcement of illegal activity in their ad inventory.

Bans all ad targeting based on religion, political beliefs, ethnicity or sexual orientation. I don’t know about Europe, but in the US, these are key demographic crosstabs for advertising.

Very tight restrictions on advertising to children.

Provide more transparency about how recommendation and ad algorithms work, and provide ad repositories to the EC.

Share data with EC agencies and select researchers.

The overall effect on Google and all the digital ad companies is less effective ad targeting, at least in the EU countries, and less ability to control public narratives around their services.

Facebook (META)

In the last fiscal year, 20% of Facebook’s revenue came from Europe, which in their case is both a continent and a reporting segment (includes Turkey and Russia).

Facebook gets all four of their services — Facebook, Instagram, WhatsApp and Messenger — covered by one or both the laws. The crucial things for them, like Google:

Erecting walls between the user data in those 1st party services.

Only integrating 3rd party data from “Sign in with Facebook” and other software with opt-in consent.

Better enforcement of illegal activity in their ad inventory. Instagram has a particular problem right now with that.

Bans all ad targeting based on religion, political beliefs, ethnicity or sexual orientation.

Very tight restrictions on advertising to children.

Provide more transparency about how recommendation and ad algos work, and provide ad repositories to the EC.

Share data with EC agencies and select researchers.

So, “Google, with less complexity, and no Android or Chrome.”

In addition, because they have social and communication services:

They must allow opt-out of algorithmic feeds in social. This is a big one for the social platforms, who always try and push users to their more lucrative algo feeds rather than reverse chronological following-only. They can still default to the algo feed, but following-only must be available.

Messenger and WhatsApp will have to support interoperability for text, voice and video. Like with iMessage, this will not be easy to pull off, but they have time to roll it out.

Overall, less effective ad targeting, and less ability to control the narrative around their services. Also, to whatever extent people choose the following-only feed, this will mean less engagement.

Amazon (AMZN)

Amazon does not break out European revenues.

Their new restrictions and obligations apply to the retail site, their relationship with 3rd party sellers on Marketplace, and ads.

They cannot favor Amazon Basics or other white label brands in browsing or search listings.

They cannot favor their own inventory over Marketplace inventory in browsing or search listings.

They cannot use data from 3rd party Marketplace sellers to inform their own decision making.

They must enforce illegal listings and ads for the same.

No ad targeting based on religion, political beliefs, ethnicity or sexual orientation.

Very tight restrictions on advertising to children.

Provide more transparency about how recommendation and ad algos work, and provide ad repositories to the EC.

Share data with EC agencies and select researchers.

“Sign in with Amazon” can no longer siphon off 3rd party data without opt-in.

This is one of the more interesting cases, because of that relationship with the Marketplace 3rd party sellers. In order to grow it faster, Amazon gave up control of a large portion of their site inventory to 3rd party sellers, and now the EU is trying to rebalance that relationship towards the sellers. Amazon’s fast growing ads business is based on charging rent to the sellers, and I wonder if this puts a big dent in that.

Microsoft (MSFT)

Microsoft does not break out European revenue.

Microsoft has the least exposure, though Bing, Edge browser and Microsoft Advertising may get caught up. For now we are talking about Windows and LinkedIn.

LinkedIn will be subject to all the social media and advertising restrictions and obligations.

Erecting walls between the user data in LinkedIn and all other Microsoft customer relationships.

Only integrating 3rd party data from “Sign in with Microsoft,” "Sign in with LinkedIn,” or “Sign in with GitHub” with opt-in consent.

Better enforcement of illegal activity in their ad inventory.

Bans all ad targeting based on religion, political beliefs, ethnicity or sexual orientation.

Very tight restrictions on advertising to children. This is likely not an issue with LinkedIn.

Provide more transparency about how recommendation and ad algos work, and provide ad repositories to the EC.

Share data with EC agencies and select researchers.

They must allow opt-out of algorithmic feeds.

Lately, Microsoft has gotten very aggressive again with Windows, pushing their own software very hard during initial setup, and frequently thereafter. This is especially apparent with OneDrive and their Edge browser. For example, links from Outlook and Teams now open up in the Edge browser, regardless of default browser settings. They will have to cut this out, at least in the EU.

I don't think there are any major issues with the Windows app store, though they will have to stop favoring Microsoft apps.

Other Social: TikTok, Twitter, Snapchat (SNAP) and Pinterest (PINS)

These will all have the new social and ad restrictions and obligations. These companies are more monolithic than the ones we have been talking about, so erecting walls between services is not an issue for them.

The bigger issue for these services, especially TikTok, is the opt-out of the algo feed. That feed is the life blood of TikTok, and why it is so addictive. Probably the best example of a commercial AI out there making money is the AI that picks the next TikTok video for you to watch. To the extent that users choose to opt out, that will drain their legendary engagement.

The Rest

I am going to skip Alibaba, Booking and Zalando, because I don’t really know their businesses well. Obviously, Wikipedia is in there for the sake of completeness. This only restricts things they might do in the future, not anything they are doing now. They will have new reporting requirements, and that is a cost. Fortunately, the Wikimedia Foundation can afford it

The Upshot

First off, it’s unclear how this is all going to play out. This is a multiplayer game, and only one player, the EC, has moved. We still don’t know how the companies are going to react, how successful they will be in getting exemptions for security and privacy, and the ways in which they try and skirt the law (though there is a whole section on anti-circumvention measures).

But a few things we can conclude

This will cut into digital ad revenue in Europe. How much? I suspect a small but meaningful amount, something like 5%-10% in the EU countries.

To the extent that users choose the following-only feed in social, this will lead to less engagement in Europe. I suspect this will be minimal, and most will leave the default setting on.

One thing that is being overlooked in my view is the transparency measures for social and advertising. Social networks have been cutting researchers off, because it has led to some ugly headlines for them and PR headaches. Now, they will be unable to do that, and will have less control over the narrative surrounding their services.

The most affected will be Apple, Google and Facebook, because some of these changes cut to the heart of how they like to do things. For Apple, they will have to give up some control over the user experience, and there will be some revenue loss to go with that. If iMessage gets roped in, that’s a huge headache for them.

For Google and Facebook, they have spent years building systems that bring in data from multiple sources to build very complex profiles of users and target ads at them. Now, at least in Europe, they will have to silo all these sources, some of the 3rd party stuff will get cut off, and their targeting will suffer.

But again, this multiplayer game is just now starting. No one is just going to bail on all of the EU — that would be too costly. Non-compliance would also be costly. The fines are pretty draconian — 10% of worldwide revenue, and 20% for repeat offenders. Companies have a lot of decisions on how they want to approach this, and how much they want to push back. There is a lot of wiggle room in the language, especially surrounding security and privacy. A lot will depend on enforcement. Companies will be probing the limits of that enforcement for the first few years.

Given all these unknowns, I can only venture a vague opinion, which is that the effect will be real, but relatively minor at the end of the day. But it is also just another chip out of digital surveillance advertising, and another signal that the freewheeling anything-goes days of that business are behind us.