SAN FRANCISCO — In Europe and the United States, the conventional wisdom is that regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy.
But new rules may instead serve to strengthen Facebook’s and Google’s hegemony and extend their lead on the internet.
That could begin playing out next month, when Europe enacts sweeping new regulations that prioritize people’s data privacy. The new laws, which require tech companies to ask for users’ consent for their data, are likely to hand Google and Facebook an advantage. That’s because wary consumers are more prone to trust recognized names with their information than unfamiliar newcomers. And the laws may deter start-ups that do not have the resources to comply with the rules from competing with the big companies.
In recent years, other regulatory attempts at strengthening online privacy rules have also had little effect at chipping away at the power of the largest tech companies, ultimately aiding internet incumbents rather than hurting them.
“Regulations help incumbents,” said Avi Goldfarb, a marketing professor at the University of Toronto who has studied the effect of privacy regulations on competition. Mr. Goldfarb was the co-author of a 2013 report that said privacy regulation could be anti-competitive because the cost of getting permission from users for their data was typically much higher for a younger company than for an established firm.
That Facebook and Google may emerge stronger from all of this can seem like a distant prospect. The Silicon Valley companies have been under scrutiny for months for how they collect and use people’s data, with Facebook reeling from revelations that the political research firm Cambridge Analytica harvested the personal information of up to 87 million of its users. That led to Congress dragging Mark Zuckerberg, Facebook’s chief executive, to Washington this month for a grilling.
Google, too, has grappled with questions about its online video service YouTube as it tries to duck lawmakers who fear that the search giant’s data-collection machinery is as robust as Facebook’s, if not more so.
At the same time, countries like Brazil and Argentina are exploring European-style privacy regulations that will further test the companies’ advertising-based business models. United States lawmakers also showed more openness to regulating Silicon Valley during Mr. Zuckerberg’s testimony this month.
Yet past attempts at privacy regulation have done little to mitigate the power of tech firms. Consider what happened in Europe after earlier attempts at checking the power of Facebook, Google and others.
In 2014, Europe’s highest court ruled that people had the “right to be forgotten” online, meaning they could ask Google and other digital companies to delete search results about them. Since then, Google has instead become a chief arbiter of what information is kept online in Europe because the company itself is responsible for determining the fate of each deletion request.
Another 2011 European law requiring websites to alert visitors to “cookie” trackers that collect data on browsing history has largely turned into a distracting annoyance rather than changing how companies operate. People often accept the tracking to get rid of the pop-up warning without reading details about the tracking.
Today, the uproar over data privacy has also done little to diminish the businesses or usage of Facebook and Google. Mr. Zuckerberg said this month that the Cambridge Analytica scandal had no meaningful effect on Facebook’s business, which is expected to show sales growth when the company reports quarterly earnings this week. Alphabet, Google’s parent company, said on Monday that its revenue rose 26 percent for its most recent quarter as its ad business continued to grow.
Spokeswomen for Facebook and Google declined to comment.
In Europe, the coming data privacy laws are known as the General Data Protection Regulation. These rules will restrict how tech companies collect, store and use personal data from people across the region. The laws, which take effect on May 25, require companies to explain how they plan to use people’s personal information in simple, unambiguous language and detail what other entities will gain access to that data. Companies can no longer hide behind convoluted and often ignored user agreements, but must obtain consent with a full understanding of the user where their data may go.
Lawyers, consultants and businesses preparing for the privacy laws said that reining in the large technology companies was not the primary goal of the European legislation.
Some privacy advocates also bristle at the idea that these new restrictions would help already powerful internet companies, noting that is a well-worn argument employed by tech giants to try to prevent future regulation.
But Nicolas Colin, a co-founder and director at the Family, a Paris-based start-up accelerator, argued that “people tend to give that permission to companies they trust.” He said that “stricter rules strengthen companies because they have that key asset that is trust.”
The European privacy laws may crimp targeted advertising by limiting the flow of personal data, but firms like Google and Facebook still have an advantage because advertisers are likely to turn to services with reach and enormous audiences — akin to buying an ad during the Super Bowl. Facebook has more than 2.2 billion monthly users, and Google’s YouTube has 1.5 billion monthly users.
Giovanni Buttarelli, the European data protection supervisor who was involved in the creation of privacy rules, said much of the impact would be determined by regulators who enact the law and who will be up against well-funded teams of lobbyists and lawyers. Google and Facebook will be overseen by the Irish data authority because their European headquarters are in Ireland. Mr. Buttarelli noted that Europe had staff of about 2,500 across all the countries working on the issue.
“That’s peanuts compared to the lobbyists in Brussels and Strasbourg,” he said, referring to the cities where the European Commission and Parliament operate.
He said large technology companies had advantages but would also be under a microscope. Enforcement of the law is skewed to companies that handle the most personal data.
“There are pros and cons to being a tech giant,” he said. “We want to treat small and medium-sized businesses differently.”
Yonatan Zunger, a former Google privacy engineer now working at human resources start-up Humu, said Europe was holding Google and Facebook to “a much higher bar” when it came to gaining consent from users. These companies now cannot make data sharing a condition of using their products because consent needs to be freely given, whereas smaller companies are not held to that same standard, he said.
Still, there are already signs the big companies are adjusting to the new privacy norms.
Facebook last week rolled out a new consent form asking users globally — not just Europeans — to accept its targeted advertising and to allow features like face recognition. It has also limited access to data brokers such as Acxiom, in a concession to privacy advocates.
Google, which spent years preparing for the new rules, has stopped scanning Gmail messages for keywords used to target advertising. And it recently introduced a new marketing product for publishers that shows ads based on the context of other articles or content on a website, instead of relying on personal information.
In response, privacy critics have challenged Facebook’s new consent forms, saying they are intended to continue encouraging users to share information widely. And Google came under fire for an updated European user consent policy that has open-ended language, which critics said violated a tenet of European privacy rules that requires companies to ask for user consent in specific and explicit ways.
“I’m worried that a lot of people have invested a lot of hope in G.D.P.R., and I’m not sure it’s going to deliver,” said Ben Scott, a senior adviser to the Open Technology Institute at New America, a think tank based in Washington. “It will all depend on how it’s going to be enforced.”