Beyond Fines: The True Cost of Intrusive Business Models 

From a business perspective, what’s the point of respecting people’s privacy and digital rights? It’s the right thing to do, of course—but saying so might get you laughed out of the boardroom. 

From a business perspective, what’s the point of respecting people’s privacy and digital rights? It’s the right thing to do, of course—but saying so might get you laughed out of the boardroom. 

But there are costs associated with unethical activities—and opportunities to be found in transparency and fairness. 

As data-hungry big tech firms continue to face regulatory action and stunted growth, does the cost of violating people’s privacy outweigh the profits gleaned from their data? 

It’s a complicated picture, but the evidence is beginning to tip in favour of transparency and respect. 

The Cost of Doing Business 

First, the fines. 

Paying penalties to data protection regulators and reaching costly settlements with litigants has seemingly become part of doing business for many large tech companies. 

 Google, for example, has settled for nearly $400 million (and rising) with more than 40 US states after misleading users about its location tracking on mobile devices. However, the sanction might be little more than an inconvenience for a company that turned over more than $257 billion in 2021. 

And consider the July 2021 penalty against Amazon under the EU General Data Protection Regulation (GDPR). At €746 million ($882.5 million), this is the largest GDPR fine on record—but it represents around 0.22% of Amazon’s $386 billion 2020 revenues. 

Even Meta’s record-breaking $5 billion 2019 settlement with the US Federal Trade Commission (FTC) failed to make a substantial smudge on the company’s annual report. 

Even when they reach billions of dollars, regulatory fines themselves can sometimes be chalked up as a minor business expense.  

But such penalties carry other costs. 

Privacy and the Bottom Line 

Can fines and settlements impact investor and customer confidence in a company? 

Some research suggests that the impact of regulatory action on a company’s bottom line can outweigh the cost of a fine itself. 

A 2022 study by Ford et al. analysed the impact of 25 GDPR fines on the market value of publicly listed companies. The study found “statistically significant cumulative abnormal returns of around 1% on average up to three days after the events were identified.” 

This damage to share price, the researchers found, “far outweighed the monetary value of the fine itself.” Indeed, even “relatively minor fines” were found to result in “major market valuation losses for companies.” 

Similarly, a 2021 Comparitech analysis found that 34 companies affected by data breaches suffered an 8.6% average drop in share value after three years. 

But this is a complex issue. Indeed, Meta’s share price actually rose following its aforementioned FTC penalty—possibly because the settlement did not seriously impact the company’s underlying business model. 

And despite investigations into numerous privacy scandals—such as allegedly enabling consultancy Cambridge Analytica to influence elections via Facebook users’ private data and deceiving people into accepting cookies—Meta continued to grow at a fairly consistent rate until late 2021. 

In fact, the first major hit to Meta’s market cap was delivered by Apple. 

Apple: The World’s Toughest Regulator 

As the most valuable company in history, Apple has built a reputation for transparency and respect for its customers’ data. Having launched a suite of privacy-protecting apps and functionalities in recent years, the company is not shy of throwing shade at competitors such as Google and Meta. 

And despite the worldwide proliferation of data protection laws over the past decade, no entity has been more effective at punishing privacy violations than Apple. 

For example, Apple’s App Tracking Transparency (ATT) framework, implemented with iOS 14.5, forced third-party app developers to request consent before tracking user activity across apps or website for marketing purposes 

Confronted with the choice between allowing or forbidding apps to track them across websites, iPhone users overwhelmingly chose the latter. Estimates of those who opted to keep their data private ranged as high as 96%. 

Apple’s policy has attracted criticism. The company faces a complaint in Germany over allegations that ATT is anti-competitive, and was recently fined €8m by France’s data protection regulator for having previously exempted some of its own apps from the framework. 

But the impact on social media companies is undeniable. With ATT, Meta lost its ability to collect and share third-party data about millions of people—all because those people finally got a choice over what happened to their data. 

Years of reliance on a data-hungry, non-transparent, “take it or leave it” approach meant that when ATT started to bite in early 2022, Meta’s stock price fell by around 25%—alongside falls in value for other tracking-focused companies such as Snap and Twitter. 

The End of an Era? 

Apple’s policy change might have presented the biggest shock to Meta’s market value, but ATT is not the only existential threat to the social media giant’s business model. 

Penalties aside, the practical impact of several recent GDPR decisions could have a much bigger impact. There is a fundamental conflict between rules that seek to protect personal data and business models that rely on its exploitation.  

In recent years, Meta has received multiple orders to bring its operations into compliance with Europe’s data protection law—but has, so far, managed to delay any major impact on its business. 

In September 2020, for example, Meta said it was “not clear” how Facebook and Instagram could continue to operate in Europe following the “Schrems II” court judgment, which would force the company to stop transferring user data from Europe to the US. 

Meta has repeatedly stated that compliance with the ruling would threaten its European operations. Given that Meta’s ability to monetise its EU users partly depends on its ability to move data around between its corporate entities, this statement might not be a bluff. 

In September 2022, a probe into Instagram exposed issues with how Meta justifies processes children’s data. And in January 2023, EU regulators decided that the company could no longer force users to agree to receive targeted ads under Facebook and Instagram’s terms of use. 

These GDPR decisions take aim at fundamental parts of Meta’s business model. If Meta has to ask its young users to get parental consent or allow European users to decline targeted ads, this could lead to an unsustainable drop in revenue. 

And Meta is not alone among tech companies struggling to maintain growth. The five biggest tech stocks lost over $950 billion in value at one point last year. 

There are many reasons for big tech’s crash. 

But as regulatory demands increase and consumer attitudes shift, companies that have based their growth on non-transparency and coercion might find that growth increasingly hard to sustain.