In what would be the biggest GDPR fine of all time, Luxembourg’s data protection commission (CNPD) recently levied a $425 million fine on Amazon. Although the CNPD’s draft decision still needs to be approved by other EU privacy regulators, it begs the question: Is this the best way to rein in Big Tech’s misuse of user data? After all, $425 million only accounts for 2% of Amazon’s 2020 net income ($21.3 billion). In order to make powerful tech conglomerates take consumer privacy seriously, we need to rely on more than GDPR enforcement.

In the United States, we’re seeing the emergence of a patchwork of data privacy laws at the state level. Just last week, the Colorado Senate passed bill SB21-190, the Colorado Privacy Act (CPA), which Governor Jared Polis is expected to sign into law. Colorado is poised to join California (CPRA) and Virginia (CDPA), likely becoming the third state to pass consumer data privacy legislation. Like the CPRA, the CPA allows consumers to opt-out of the processing of personal data, and it mandates that businesses obtain consumers’ permission before they collect certain sensitive personal data. Similar bills in Florida and Washington recently failed; however, a pattern is certainly emerging.

There is not widespread agreement as to whether or not the United States should adopt a federally mandated consumer data privacy law like the GDPR. That said, there is agreement on both sides of the aisle that Big Tech’s largest players—Alphabet, Facebook, Amazon, and Apple—have too much unbridled access to consumer data. Part of the problem lies in monopolistic practices and allegedly anti-competitive behavior; so in addition to fining large companies for misuse of user data, some legislators are concurrently calling for antitrust intervention. Just last week, senators Mike Lee (R-UT) and Chuck Grassley (R-IA) introduced a bill that would move antitrust enforcement to the DoJ, effectively stripping the FTC and FCC of their antitrust authority. Although politicians may disagree on the fine print, both sides of the aisle agree that something needs to change when it comes to Big Tech and user data privacy.

Widespread M&A has exacerbated Big Tech’s reliance on consumer data

We’ve witnessed a tidal wave of M&A activity in recent years. Facebook bought Instagram and WhatsApp; Amazon acquired WholeFoods and Zappos, and Google picked up Waze, DoubleClick, Nest, and FitBit. There was a great deal of scrutiny around the FitBit acquisition, which makes sense, as the deal gave Google access to the health data of over 28 million users.

Detractors view acquisitions like these as anti-competitive maneuvers that stifle innovation, hurt small businesses, and provide consumers with less choices. Lina Khan, an academic fellow at Columbia Law School, supports a breakup of Amazon. In her celebrated 2017 Yale Law Review Journal essay, “Amazon’s Antitrust Paradox,” Khan argues that Amazon shouldn’t be allowed to operate anticompetitively with impunity just because their prices are low and customers are pleased. As expected, Amazon is quick with a rebuttal: Amazon’s businesses only account for roughly 4% of all U.S. retail transactions. Nevertheless, Khan posits that market share is not a strong enough benchmark for antitrust. Comparing Amazon to the railroad behemoths at the turn of the century, Khan writes, “The thousands of retailers and independent businesses that must ride Amazon’s rails to reach market are increasingly dependent on their biggest competitor.” Khan argues that regulating Amazon as if it were a utility company is a viable, and legally sound, option.

Whether a court will rule that Amazon can be regulated like a utility company remains to be seen. As an aside, just last week, Ohio’s attorney general, Dave Yost, filed a lawsuit, attempting to get Google declared a public utility—and in turn, subject to government regulation. Nevertheless, the strength of Amazon’s (as well as Facebook’s and Google’s) business model certainly involves the monetizing of consumer data.

Not everyone is worried about how Big Tech monetizes our personal data

The effects of M&A within Big Tech isn’t all negative. As Information Technology & Innovation Foundation (ITIF) president Rob Atkinson notes, consumers benefit when tech conglomerates’ subsidiaries work in tandem, and economies of scales provide consumers with lower prices. The question is—at what cost? At a certain point, surely many consumers would pay more for goods and services if it meant their personal data would be protected?

Tech entrepreneur Mark Cuban has argued that if Facebook/Instagram/WhatsApp isn’t able to sell our data to third-party advertisers, then they will harvest the data themselves, positioning it as an all-too-powerful player in the space. Also, Cuban notes that while the U.S. is in a race with China, Russia, and other nations to harness the power of AI, it is currently US-based companies—Google, Facebook, and Amazon—who are leaders in the space. Cuban claims it would be a fatal error to break these companies up, as it would jeopardize the US’ standing in this AI race. Lastly, he argues that Facebook and Amazon are not technically noncompetitive because people do not have to use their services and platforms. Whether or not we agree with his arguments here, one thing many of us can agree on is that Big Tech’s (often surreptitious) monetization of consumer data has gone too far.

A partial solution: a federal data privacy law

If designed well, a federal user data privacy law would put consumers and media conglomerates on the same page. Ideally, users would have the rights enabled by the CPRA, including, “(1) the right to know how their personal information is collected, used, and shared; (2) the right to delete certain personal information that businesses collect; and (3) the right to opt out of the sale of their personal data.” Over the past few years, industry-affiliated lobbyists have helped draft several versions of a federally mandated privacy law, such as Intel’s proposed “Ethical Data Use Act of 2019.” Last year, Senators Blackburn (R-TN), Fischer (R-NE), Thune (R-SD), and Wicker (R-MS) introduced the SAFE DATA Act. More recently, this past March, former Microsoft executive and current state representative Suzan DelBene (D-WA) put forth the Information Transparency and Personal Data Control Act (ITPDCA).

Importantly, there’s an argument that businesses stand to gain from such a federally mandated privacy law. With the passing of a federal law, businesses wouldn’t have to worry about complying with a patchwork of state laws. Having one single set of data privacy requirements would allow businesses to streamline their compliance framework. Additionally, for many businesses, this law would result in a much-needed analysis of their data collection and processing practices; not only would this help protect their customers’ data, but it would also make their own internal data more safe. So, it’s the opinion of this author that a federal data privacy law is a good start for all parties concerned.