Less than three months after Europe's General Data Protection Regulation went into effect, some U.S. technology companies with EU operations are reporting significant financial and strategic impacts from the new privacy law, but others say it is too early to measure.
In quarterly earnings reports, social media giants Facebook Inc. and Twitter Inc. directly attributed recent user declines to the new law, which went into effect May 25, while Alphabet Inc.'s Google and Snapchat-parent Snap Inc. said the EU rule changes were immaterial to their results. Analysts and legal experts say it is still too early to know whether the law will result in better safeguards for consumers' data, but they note its impact will be unevenly felt among big and small companies or those with more or less resources and expertise in data collection and compliance standards.
The GDPR is a series of rules and privacy laws designed to strengthen the protections around how EU citizens' data is collected, stored and managed. The rules apply to organizations operating within the EU, as well as foreign entities that offer goods and services to EU customers. Among other provisions, the GDPR requires a company to obtain unambiguous affirmative consent from a user before collecting or processing the user's personal data, and it instructs companies to alert users of certain types of data breaches within 72 hours of learning of the occurrence. Companies found in noncompliance could face steep fines.
Facebook Inc. is among the first U.S. companies to directly attribute a decline in some of its key engagement metrics to the new EU law. The social media giant said both its daily active users, or DAUs, and monthly active users, or MAUs, fell in Europe during the second quarter as a result of the GDPR: European MAUs fell 1 million to 376 million, while DAUs slipped 3 million to 279 million. Executives also warned that the privacy law, along with Facebook's various platform updates and security investments, could weigh on revenue growth in the second half of the year. Facebook reported an 11% year-over-year increase in monthly active users globally, to 2.23 billion as of June 30.
Twitter Inc. attributed a 1 million sequential drop in MAUs in the second quarter in part to GDPR. Its numbers were also affected by the company's efforts to remove fake or suspicious accounts from the site. Twitter's global MAUs totaled 335 million for its most recent quarter. Company management warned that the data protection law could contribute to a further decline in active users in the third quarter.
GoDaddy Inc. Vice President of Global Policy James Bladel said at a Senate subcommittee hearing in July that GDPR compliance has been a "major undertaking" at the company, "diverting time and engineering resources away from customer service and product development." GoDaddy is an internet domain registrar and web hosting company.
Bladel said the new privacy regime has "significantly disrupted" the industry's WHOIS service, an online directory of contact information for domain name registrants. WHOIS aids law enforcement in criminal investigations, but can also enable spammers to acquire personal data. The company is working to strike the right balance of providing WHOIS data for legitimate needs while protecting users' private information, Bladel said.
Executives at other tech companies reported a more muted impact in the most recent quarter. Those at Snapchat-parent Snap said they have not yet seen a meaningful impact from GDPR on their business; Alphabet's Google said it has been working on compliance for months, but did not provide further details during a second-quarter earnings conference call.
Kendall Burman, a cybersecurity and data privacy counsel at law firm Mayer Brown and a former deputy general counsel in the U.S. Department of Commerce, said in an interview that certain aspects of the GDPR have the potential to strengthen data protection in positive ways, but other components could present a "compliance burden" for companies that do not gather large amounts of sensitive user information.
The GDPR could also have significant implications for how U.S. companies invest in emerging technologies, such as blockchain and machine learning, she added.
"Some aspects of GDPR compliance will intersect with those technologies [and] could certainly have an effect on their adoption in [companies'] products and services," Burman said.
Konstantin Rychkov, an analyst at market-research firm IDC, noted that the EU member states have not yet fully formed the list of auditing bodies to ensure company compliance, adding to the uncertainty surrounding the law's implementation. Companies operating in the EU were required to be fully compliant with the GDPR by May 25.
In an environment of increased regulatory risk and awareness about data security, legislative efforts like the GDPR could pave the way for a global privacy standard, but "how that will progress is a big question," Rychkov said in an interview.
Overall, Michael Connor, executive director of Open MIC, a nonprofit organization that works with investors on media and technology issues, said in an interview it is too early to determine how the GDPR will impact U.S. companies and their business strategies.
"The law has been adopted and what remains to be seen is how effectively it can be implemented," Connor said.
Editor's note: This article is part of a series about the future of privacy and data regulation in the EU and the U.S.