New privacy laws -- including Europe's General Data Protection Regulation and California's Consumer Privacy Act -- could end up creating "protective moats" around established companies like Google and Facebook, while thwarting start-ups, according to Federal Trade Commissioner Noah Joshua Phillips.
"Privacy rules ... may skew to benefit large incumbents," Phillips said in prepared remarks for a speech at the Internet Governance Forum in Washington, D.C. on Friday.
"I want today to register my concern that laws and regulations intended to promote privacy may build protective moats around large companies (some of which already possess significant amounts of data about people) by making it more difficult for smaller companies to grow, for new companies to enter the market, and for innovation to occur," he said.
He added that laws that require consumers to consent to the use of their data may favor large companies with well-known names. "Consumers are more likely to trust the companies they know," Phillips said. "And, to the extent large incumbents also provide popular services ... the big guys win again."
The GDPR, which took effect in May, requires companies to obtain consumers' explicit consent to process their data.
California's new law, slated to take effect in January 2020, requires companies to disclose data about consumers to them at their request, and allows consumers to opt out of the sale of their data to third parties. That measure applies to all businesses that collect personal information from at least 50,000 consumers per year.
Phillips compared both laws unfavorably with the more common approach in the U.S., which involves what he called a "risk-based" approach to privacy -- meaning that federal laws only protect privacy in certain areas, like health care or education, where data is particularly sensitive.
"The United States’ risk-based approach imposes the greatest costs on businesses at the points where our democratic process has determined the greatest privacy need exists," he said.
Phillips, who was sworn in to the FTC in May, isn't the only one to raise concerns about the new California law. The Association of National Advertisers has said it hopes to see some provisions revised before it takes effect.
Santa Clara University law professor Eric Goldman also has criticized the measure for several reasons, including its breadth. "The law was supposed to curb the purportedly abusive privacy practices of internet giants (like Google and Facebook) and data brokers," he writes in a column posted last week on the International Association of Privacy Professionals' website. "Unfortunately, the law overshot this goal; it reaches most businesses, online or off. Facebook may have been the target, but the local pizzeria will bear the law’s brunt."