Twenty percent of all users on Facebook will fall under the EU's new General Data Protection Regulation law (GDPR) in May.

Facebook must ask all European users for permission to store or share their data, which might prompt users to disclose less to the company.

Some analysts think investors are being "complacent" about how big an effect that might have on user engagement or ad targeting.

User engagement is already in decline.



Twenty percent of all users on Facebook will fall directly under Europe's new General Data Protection Regulation law (GDPR), which comes into effect in May of this year.

The fear, among a small number of Wall Street analysts, is that the tighter privacy controls that Facebook must obey in Europe will further reduce the level of engagement on the app. There is "complacency" around this threat, according to Deutsche Bank.

On the Q4 2017 earnings call, CEO Mark Zuckerberg said engagement on Facebook was already falling, with the amount of time users spend on the site declining by 50 million hours a day.

Europe and GDPR probably feel very far away at Facebook's Menlo Park, California, headquarters. But there are more European users on Facebook than there are Americans, and they are growing faster too:

Facebook's Daily Active Users (DAUs):

Europe: 277 million (up 6% yoy)

US & Canada: 184 million (up 2% yoy)

Europe is a bigger market than the US, and it's growing faster

US and Canada DAUs actually declined by 1 million quarter-on-quarter, where Europe's rose.

Although revenue per user is much lower in Europe ($8.86) than it is in North America ($26.76), there are 131 million more European monthly active users (370 million) than there are in North America (239 million).

Europeans are 20% of all Facebook users globally.

Facebook's stock reacts violently to any changes in user growth or engagement. So negative surprises coming from GDPR could hurt FB. (For comparison, Deutsche Bank estimates that Google's revenues could take a 2% hit from GDPR).

COO Sheryl Sandberg made soothing noises about GDPR on the earnings call:

"The Facebook family of apps already applies the core principles in GDPR framework, which are transparency and control and we are building on this to make we’re ready to fully comply by May."

"We're going to continue to give people are personalized experience to be clear about how are using the data and give choices and we realize that this means that some users might opt out of our ads targeting tool. We also know that there may be a DAU impact for implications on European usage. But from the targeting, we're not forecasting a big impact here. There's some risk and more watching closely. Over the long run, we feel confident that we're very well placed to navigate the transition."

Users might prevent Facebook from using their data as an ad targeting mechanism

She is right: Facebook routinely puts its users through a "privacy check" which shows users what data they are showing publicly and gives them options to share less, if they want. But GDPR requires more disclosure about data usage than users have previously had, and gives users more control over how that data is used. Customers can also prevent Facebook from storing or sharing certain data about them with other companies. They might, for instance, prevent Facebook from using their data as an ad targeting mechanism, or prevent that data from being used by third-party advertising companies that partner with Facebook.

The price of mistakes is higher under GDPR, too. The EU can fine companies 4% of their global revenues.

One risk is that European users, when prompted to look at their GDPR privacy options, will be unpleasantly surprised at how much data Facebook is getting from them, and switch some of that off. In the current political climate around "Big Tech," and with Facebook facing routine public criticism in Europe for paying a paltry amount in corporate taxes (just £5 million a year in the UK), it's easy to imagine it becoming trendy for European users to starve Facebook of the data it values so highly.

'The outlook for margins remains opaque'

"The outlook for margins remains opaque," according to BMO Capital analyst Daniel Salmon. "We are cautious on the impact of GDPR on EU campaigns powered by Custom Audiences, which has been a vital on-ramp for intent data, of which GOOG and AMZN have more," he told clients recently.



He reduced his forward-estimates for MAUs and DAUs in part because of "the potential impact of GDPR in Europe."

At Deutsche Bank, Lloyd Walmsley and his team told clients, "We sense some investor complacency around GDPR risks, though the company sounds optimistic the impact will be minimal."

"Despite a positive outlook around GDPR from Facebook, we see some risk that the company and/or its advertising partners could fail to obtain consent to use data critical for ad targeting, and we sense a general complacency on this issue among investors. In addition, the company pointed to a potential negative DAU impact from GDPR in Europe."

'We're modeling for a modest decline in MAUs and DAUs in 2Q and 3Q as GDPR goes into effect'

SunTrust Robinson Humphrey's Youssef Squali called GDPR "a headwind" for Facebook. "We believe this could have ramifications on time spent, engagement and revenue as well across the EU. While still early to know for sure, we're modeling for a modest decline in MAUs and DAUs in 2Q and 3Q as GDPR goes into effect," he told clients.

Of course, the other scenario — arguably more likely — is that GDPR will be little more than a speed bump for Facebook. The company's apps, including Messenger, Instagram, and WhatsApp, are so deeply embedded in European life that even if folks wanted to dial down their sharing on the platform Facebook might be in a position to require certain data from users as a condition of use. That's the default position of most apps, currently, which tend to be useless if users do not agree to give the app access to certain data, such as contacts and demographic info.