Posts tagged ‘GDPR’

The Inevitable Lifecycle of Government Regulation Benefiting the Very Companies Whose Actions Triggered It

Step 1:  Large, high-profile company has business practice that ticks lots of people off -- e.g. Facebook slammed for selling user data to Cambridge Analytica

Step 2:  Regulation results -- e.g. European GDPR (though it predates the most recent Facebook snafu, it was triggered by similar outrages in the past we have forgotten by now so I use the more recent example)

Step 3:  Large, high-profile companies that triggered the regulation by their actions in the first place are the major beneficiaries (because they have the scale and power to comply the easiest).

GDPR, the European Union’s new privacy law, is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation.

The reason: the Alphabet Inc. ad giant is gathering individuals’ consent for targeted advertising at far higher rates than many competing online-ad services, early data show. That means the new law, the General Data Protection Regulation, is reinforcing—at least initially—the strength of the biggest online-ad players, led by Google and Facebook Inc.

This is utterly predictable, so much so that many folks were predicting exactly this outcome months ago.

My "favorite" example of this phenomenon is toy regulation that was triggered a decade ago by a massive scandal and subsequent recall by toy giant Mattel of toys with lead paint sourced from China.

Remember the sloppily written "for the children" toy testing law that went into effect last year? The Consumer Product Safety Improvement Act (CPSIA) requires third-party testing of nearly every object intended for a child's use, and was passed in response to several toy recalls in 2007 for lead and other chemicals. Six of those recalls were on toys made by Mattel, or its subsidiary Fisher Price.

Small toymakers were blindsided by the expensive requirement, which made no exception for small domestic companies working with materials that posed no threat. Makers of books, jewelry, and clothes for kids were also caught in the net. Enforcement of the law was delayed by a year—that grace period ended last week—and many particular exceptions have been carved out, but despite an outcry, there has been no wholesale re-evaluation of the law. One might think that large toy manufacturers would have made common cause with the little guys begging for mercy. After all, Mattel also stood to gain if the law was repealed, right?

Turns out, when Mattel got lemons, it decided to make lead-tainted lemonade (leadonade?). As luck would have it, Mattel already operates several of its own toy testing labs, including those in Mexico, China, Malaysia, Indonesia and California.

The million bucks was well spent, as Mattel gained approval late last week to test its own toys in the sites listed above—just as the window for delayed enforcement closed.

Instead of winding up hurting, Mattel now has a cost advantage on mandatory testing, and a handy new government-sponsored barrier to entry for its competitors.

Our Response to GDPR

I have been reading all the articles (and the storm of emails in my inbox) on European GDPR privacy rules implementation with some dispassion.  After all, it does not affect me, right?  I run a camping business all in the US.  But then I got to thinking about it and realized that I had three avenues of exposure -- my blogs, my jobs mailing list, and my company web site.  I will preface this by saying that I am no expert and I am not really hugely at-risk, but perhaps this will be useful to someone.  More importantly, if you ARE an expert and see something I am screwing up please email me!

The blog exposure strikes me as pretty narrow, particularly since we do not serve up advertisements (except in the comments via Disqus) and do not have a mailing list.  I don't store or have access to any user data (though I wonder if server logs count?) so I assess my main liability as secondary if Disqus screws up something.  I have been reading Disqus's updates and I would evaluate them as working on it but not done.  I suppose if the EU wants to come after me for "up to 4%" of this site's revenue they are welcome to do so.  Sort of like when I was unemployed being told to spend 2 months salary on my wife's engagement ring  (which in fact I did exactly, since it was my mom's ring given to me as a gift for the purpose).

Similarly, I think my liability surrounding the mailing list we maintain for job openings is pretty limited.  First, it would shock me if more than 0.0001% of the people on that list are in Europe, since I can't really legally hire Europeans in most cases and it is unlikely they will drive their RV over here to work in a campground.  More importantly, all the names are there through what I would call extreme opt-in -- they have to click on a special link and go sign up on a dedicated page just to join the mailing list.  The email provider is Constant Contact so again my liability is likely limited to whether they screw anything up in their compliance, but this is probably unlikely in my case.  Again there is no advertising and all people on the list ever get are notifications of new job openings and links where to apply.

Which brings me to our business web site.  There is no log-in or user information entered or advertising on our web site, so we are mostly fine.  With one large exception -- we have our own reservations site that gathers and stores customer reservation information.  Eek!  That sounds like it could be a problem.  The most dangerous piece of data we could potentially have in our hands is a credit card number, which is why our system was set up so our company never has the credit card number in our possession.  Customers are passed over to Stripe (highly recommended company, by the way) who handle all that dangerous stuff on their servers, and just pass us back a confirmation.  But we do have customer name, address, email, and camping stay dates on our server.  Maybe we are compliant already -- we treat that stuff with a lot of care.  Maybe we are not.  But since we really don't get any reservations at all from Europe, it was easier just to go black there, so right now my software guy is working on blocking traffic from European IP addresses.
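As an added illustration (not the blog's or the reservation system's own code) of the two safeguards described above: an intake routine that keeps only the listed customer fields plus the confirmation the payment processor hands back, refuses to store any value that looks like a card number (a Luhn check on long digit runs, the control that catches a PAN typed into a free-text field), and turns away requests whose geo-IP country is in the EU/EEA. The field names, the country list, and the sample reservation are assumed or constructed.

```python
import re

# Assumed schema: only these fields are ever written to the server. The card
# number itself goes to the processor and never arrives here; we keep only
# the confirmation it returns.
ALLOWED_FIELDS = {"name", "address", "email", "arrive", "depart",
                  "payment_confirmation"}

# Constructed EU/EEA list for the geoblock; the country code is assumed to
# come from a geo-IP lookup performed before this function is called.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
          "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT",
          "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}


def luhn_ok(digits):
    """Luhn checksum, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if the value holds a 13-19 digit run (spaces/dashes ignored)
    that passes Luhn, i.e. something that is probably a card number."""
    compact = re.sub(r"[ -]", "", str(value))
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", compact))


def accept_reservation(fields, country):
    """Return (stored, reason). Blocks EU/EEA origins, rejects unexpected
    fields, and refuses any value that looks like a card number."""
    if country.upper() in EU_EEA:
        return False, "blocked: EU/EEA origin"
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        return False, "rejected: unexpected fields " + ",".join(sorted(extra))
    for key, value in fields.items():
        if looks_like_pan(value):
            return False, "rejected: field %r looks like a card number" % key
    return True, "stored"
```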

Postscript:  On some of my posts, people write me and ask, "Why did you even bother to publish that."  And my answer is that I often write to think, so it may be that it is only for my own benefit.  My software guy is a reader of this blog and was probably laughing as he read this post because I stopped a couple times in writing it to fire off new questions or requests to him.

Update:  Hah, what timing!   This just appeared on my blog when I scrolled down to the comments so I guess Disqus must indeed be working on this.