Facebook will have to re-obtain consent from all its existing users, for all the data it is currently holding on them, according to Europe's new "ePrivacy law" and the upcoming General Data Protection Regulation.

"Existing data will risk becoming obsolete," Goldman Sachs says.

The law applies to all tech companies that do business in Europe, but Facebook will be especially affected because its business consists entirely of user data.

COO Sheryl Sandberg has already told analysts she expects Facebook to see a small decline in daily average users in Europe, but otherwise the company is prepared.



Sometime after spring this year Europe's new ePrivacy law will come into effect. The most disruptive part of the proposed regulation, according to tech industry insiders and analysts, is the requirement that companies obtain consent for any data they keep on their users. Old data will not be exempted or "grandfathered in" under the new law.

As it currently stands, that means companies will have to re-obtain consent from all their existing users for all the data they are currently storing on them, no matter how old, according to several analysts and policy experts.

In theory, the law will ban Facebook from using the data it already has, unless the company can persuade you to re-register your permission for all the info you have already given the company. The two largest companies affected by the law will be Facebook and Google.

But Facebook, perhaps, has the bigger hurdle to overcome in order to comply. It not only uses your data as part of your personal Facebook account, it also supplies that data to advertisers through its Audience Network and Custom Audiences products, which generate ads on other websites and apps outside Facebook. The new ePrivacy law will force Facebook to ask all its European users to give permission for each separate type of data being stored or shared by Facebook.

It is not clear when ePrivacy will actually be enacted, although observers estimate early 2019. The new law will work in conjunction with a second EU law that goes into effect in May 2018, the General Data Protection Regulation (GDPR).

Goldman Sachs: 'Existing data will risk becoming obsolete'

"Organizations will have to re-obtain user consent (for the data they wish to keep) and build a fully documented permission trail before GDPR becomes enforceable – or existing data will risk becoming obsolete. There is a risk of further customer data loss once users have the right to opt out of marketing campaigns and erase their personal data as mentioned above," according to a note sent by Goldman Sachs analyst Lisa Yang and her team.

"Facebook and Google will either be (a) prohibited from using the unprecedented amounts of data already in their control; or (b) subject to fines and penalties that will, for the first time in history, have a significant impact on their bottom lines," according to a white paper prepared for the trade organization Digital Content Next, which represents tech companies.

The EU is not kidding about those fines, either. The maximum penalty for breaking the law is 4% of total global annual revenues, which in Facebook and Google's cases would be about $1.6 billion (£1.1 billion) and $4.4 billion (£3.1 billion), respectively.

Goldman's Yang told clients that Facebook has already repeatedly fallen afoul of existing consumer privacy law in Europe:

"We note that Facebook was recently fined €1.2 mn by Spain’s data protection agency for violating the country’s privacy rules, with the regulator noting that "Facebook's privacy policy contains generic and unclear terms," and that "The agency considers that Facebook does not adequately collect the consent of either its users or nonusers, which constitutes a serious infringement". This followed a similar ruling from the French data regulator which fined Facebook €150,000 for collecting and compiling user data without a legal basis and explicit consent."

Facebook also this year lost a court ruling in Germany, which declared its privacy settings illegal because it fails to obtain the correct level of consent.

'Much of the EU data subject data on which Facebook and Google currently sit could lose its value'

The new requirement is as dramatic as it sounds, according to the DCN paper. Facebook's entire existing European user graph is under threat:

"Under the proposed ePrivacy Regulation, much of the EU data subject data on which Facebook and Google currently sit could lose its value because it could not be used for online behavioral or targeted advertising purposes, without dramatic changes to their current practices."

Similarly, at a Citi Research event held in late December, Yves Schwarzbart, the head of policy at the Internet Advertising Bureau UK, was asked, "Does that mean that you would have to restart building a user graph from scratch?"

He replied, "To some extent potentially, yeah."

The new regulation will affect any tech company from any country that does business in Europe. It is still being debated by the European Commission, so it may be changed or softened before launch.

Goldman's Yang believes both Facebook and Google are relatively well placed to handle the changes because they have "direct" relationships with people. Their users are so dependent on both platforms that they are likely to hand over consent rather than be locked out of their email, Facebook, Messenger and WhatsApp. But even so, the fear is that when each European user is forced to review and consent to every single data type they hand over to Facebook, they may reduce their total permissions, thus lowering engagement overall.

Sheryl Sandberg: 'We also know that there may be a DAU impact for implications on European usage'

Facebook is already preparing for the new laws.

COO Sheryl Sandberg said on her last earnings call that Facebook might take a hit: "We're going to continue to give people a personalized experience to be clear about how are using the data and give choices, and we realize that this means that some users might opt out of our ads targeting tool. We also know that there may be a DAU impact for implications on European usage."

But, she said, "The Facebook family of apps already applies the core principles in GDPR framework." The company rolled out a blog post highlighting its privacy settings options in January.