Better than deregulation

Last week, we heard that the Government is looking at reforming our data laws. Outside of the European Union, there is the opportunity to diverge from some of the sillier aspects of EU data protection law. It seems likely that ineffective and irritating cookie notices will disappear (n.b. If you really hate cookie notices, there are dozens of browser extensions that automatically remove them).

On the face of it, this is welcome news. There’s evidence that GDPR reduced investment in European startups and entrenched market power in the digital advertising markets.

But I’m not holding my breath for two reasons. First, any real divergence risks undermining our data adequacy agreement with the EU. I suspect most startups would tolerate the inconveniences and problems of GDPR if it was the price of admission to trading with the EU.

Second, the harms of badly designed regulations often can’t be unpicked by deregulation. Implementing GDPR was expensive for SMEs as in some cases it meant rebuilding email marketing lists that had taken years to build. But moving forward, most email marketing services have GDPR compliant practices as standard. In some cases, they have become international norms as US firms seek access to the EU market. Of course, there are still ongoing costs. The fact that many newspapers geoblock content for the EU and UK is proof of this. But in general, the biggest costs of regulation are in transition. Redesigning your website so it has a Cookie Notice was expensive, but once you have it the costs are insignificant.

The truth is deregulation is an inadequate substitute for not passing bad laws. If policymakers care about eliminating burdensome requirements and growing the UK’s tech sector they should spend less time deregulating and more time blocking bad new regulations. It’s easier to make omelette out of an egg than an egg out of an omelette.

Take the age appropriate design code, which aims to protect children from harmful content online. Its aims are laudable but it will carry major costs. As Coadec argues it could tilt the playing field against startups and towards incumbents.

Tech companies may have to build multiple versions of their products, one for adults and one for kids, which will inevitably favour tech giants over startups and SMEs. Alternatively, they could apply the rules to all users but that would force significant business model change that will be hard to unpick later.

The biggest problem is the requirement for age assurance. If you want to avoid the onerous restrictions of the age appropriate design code, as most businesses that operate online services will, then you will have to implement an age gate collecting personal information about all of its users. As the FT notes, this will be concerning to retailers and newspapers as well as social media platforms. The News Media Association warn that:

“In practice, the draft Code would undermine commercial news media publishers’ business models, as audience and advertising would disappear. Adults will be deterred from visiting newspaper websites if they first have to provide age verification details. Traffic and audience will also be reduced if social media and other third parties were deterred from distributing or promoting or linking titles’ lawful, code compliant, content for fear of being accused of promoting content detrimental to some age group in contravention of the Code.

Ahead of the code’s implementation, we have seen many tech firms implement new global changes aimed at protecting children on their platform. However, as the NSPCC’s Andy Burrows points out “The code is going to require age assurance, and so far we haven’t seen publicly many, or indeed any, of the big players set out how they’re going to comply with that, which clearly is a significant challenge.”

It is worth considering how onerous this requirement is. As Open Rights Group’s Heather Burns writes:

“To implement the age gate, all businesses within the Code’s scope will be required to collect age verification data, such as a passport or credit card, for all users, and to process and retain it in full accordance with GDPR. This age gating will render all internet usage access in the UK personally identifiable to an individual, creating massive private databases of personal internet access.”

This is technically very hard. But as The Guardian’s Alex Hern states:“very soon UK law isn’t going to take ‘it’s hard’ as a sufficient excuse.”

This move could tilt the balance against startups as consumers are understandably reluctant to hand over personal information such as their passport or credit card details to new businesses. 

It is ironic that the Government is discussing eliminating inconvenient cookie notices while simultaneously proposing to age gate the internet – a much, much more inconvenient requirement.

Attempts to eliminate poorly functioning regulations should be welcomed, but in many cases the damage is already done. To really ease the regulatory burden on the UK’s startups, the Government should focus on blocking bad new laws.