Europe's new privacy laws are going to make the web virtually unsurfable in the EU.

GDPR and the ePrivacy law will require tech companies to get consent from any user for any information they gather on you and for every cookie they drop, each time they use them.

It will turn the web into an endless mass of click-to-consent forms.

Beneficiaries are likely to be US tech giants Apple, Google, Facebook and Amazon.

Losses will come at the expense of European companies like Criteo, WPP, and the German publisher Axel Springer.



New online privacy laws going into effect in Europe this spring will hand a huge advantage to large American tech companies like Apple, Facebook, Google and Amazon, at the expense of smaller European publishers and advertising companies, according to research from five different investment analysts, seen by Business Insider.

While the likes of Apple and Facebook will benefit, it will come at the expense of European companies like Criteo, WPP, and the German publisher Axel Springer.*

Two new laws will come into effect in the European Union, including Britain, sometime after May this year. The first, called "the General Data Protection Regulation" (GDPR), requires tech companies to get affirmative consent from any user for any information they gather on you.

The second, "the ePrivacy law," governs tracking cookies, and requires tech companies to get affirmative permission from consumers for every cookie they use, each time they use them. The laws apply to any company that does business in Europe, even if they are based outside the continent. So most American tech companies have to obey this, too.

The laws have triggered a widespread freakout among tech companies doing business in Europe.

Breaking the law will cost companies 4% of global revenues

The law imposes fines of 4% of global annual revenues, or €20 million (about $25 million), whichever is larger.

The ePrivacy law will be particularly onerous for any business with a website. News sites — like Business Insider — typically allow a dozen or more cookies to be "dropped" into the web browser of any user who visits. Cookies can signal to advertisers that the user has arrived, so that ads can be placed on the pages they are looking at. They can also record the user's web history, so that someone who might have looked at a website about shoes can be targeted with shoe ads when they arrive at a different website.

The new law requires users to affirmatively click on a permission form several times, once for each cookie, before they can see the content they clicked on.

Macquarie analyst Tim Nollen and his team describe it this way (emphasis in the original):

"For each cookie dropped, both publishers and consumers will need to ask if the placement of the cookie improves the internet experience in order to be in compliance. Companies will thus be forced to justify and may need to acquire consent for each cookie that they place on each user. Each time.”

What Goldman Sachs thinks the browsing experience will be like after GDPR comes in. Goldman Sachs

SunTrust Robinson Humphrey analyst Youssef Squali and his team suggested to clients that the simple act of surfing the web in Europe might become a nightmare of endless repeated consent-form clicks:

"If a website is trying to track or deliver targeted advertisements to an individual, that individual will have to explicitly opt in each time he visits that particular site."

The law also requires publishers to allow users to see their sites even if they decline permission for cookies — meaning that sites cannot simply put a "cookie wall" in front of their content to block users who decline consent. They will be required to show some content for free, in other words.

Europe already requires websites to warn all users that they are using cookies, and to give users guidance on blocking them. But the two new laws — which replace that warning — are more stringent than that.

'Coping with the new requirements and costs associated is also likely to be more difficult for the smaller players'

GDPR contains some exceptions for companies that have ongoing direct relationships with their users. Amazon, Facebook, Google and Apple all require logins, and thus will find obtaining consent from their users easier, according to Goldman Sachs analyst Lisa Yang and her team. A login could function as pre-existing consent for all future visits. She recently told clients:

“We think organisations that have a direct and trusted relationship with clients and can demonstrate a clear value exchange are more likely to gain user consent (e.g. renowned brands and publishers, GOOGL, FB, AMZN), while those that rely on third-party data for targeting purposes with no direct user relationship may find it more challenging (e.g. ad tech, ad agencies). In our view, coping with the new requirements and costs associated is also likely to be more difficult for the smaller players (be it ad tech, brands or publishers)."

Dan Salmon, an analyst at BMO Capital, downgraded the stock of Criteo — an ad tech company — to "market perform" in January because of GDPR. "If GDPR implementation is materially negative, the stock will likely be headed to the teens,“ he told clients. The stock was trading at around $22 at the time of writing. (For its part, Criteo told Business Insider it was ready to tackle GDPR: "Even though the GDPR carries a firm compliance deadline of May 25, 2018, Criteo has followed programs for several years that put us in the position for full compliance by the required date," s spokesperson said.)

Analysts also see the new laws as negative for the large US companies, mostly because all their European users will be required to run a gantlet of permission requests, and they may see users decline or reduce their engagement permissions.

Facebook's "Custom Audiences" or its "Audience Network" products — which allow advertisers to target Facebook users who may not be on Facebook when they see those ads — will face difficulties, for instance. Existing user databases won't be grandfathered in — companies will have to re-register all their users with data permissions, according to the new laws.

But Facebook et al are bigger, richer, and have more lawyers and software engineers to tackle the new laws than smaller European companies, or news publishers. So while everyone will take a hit, the big US players will emerge with less damage.

"Facebook and Google would be negatively impacted overall, but would end up taking share," Nollen told clients. "Assuming no distinct restriction on whitelisting, browser providers may find a new revenue stream by vetting online publishers and taking fees to allow them to bypass default cookie blocker settings."

'I think those guys probably won’t necessarily survive'

Strengthening the hand of US companies vs. their European competitors is the exact opposite of the law's original intent, according to Yves Schwarzbart, head of policy for IAB UK, the online ad industry lobby group.

“From those who remember when the GDPR was negotiated, it was very much framed in the context of ‘How can we regulate American tech giants and the way they use data from European individuals?’” he told a Citi Research panel recently.

The new laws might kill some companies, he told Citi's clients:

"I think where we will probably see less traffic in our space is those publishers or those kind of services that users use to perhaps kill time. You know, a sort of sensationalist headline on some random publisher that you’ve never really accessed before, just because you think, ‘Oh, God, I’ve got a minute to kill. Let me just have a quick look at that article.’ I think those guys probably won’t necessarily survive. If they then have to face users with an information notice that is overly descriptive and very long, users will probably think for that publisher, ‘I’ll probably never visit them again, I’m not going to bother.’"

*Axel Springer owns Business Insider.