After last year’s Cambridge Analytica scandal, Facebook announced a major change to its ad targeting system. As of October, the company has permanently eliminated its “Partner Categories” feature, which had enabled advertisers targeting hyper-specific user demographics to do so by purchasing access, through Facebook, to consumer data gathered by third-party brokers like Acxiom, Datalogix, Epsilon, BlueKai, Oracle , and others.

In effect, the social network decided it no longer wanted to be responsible for data that it didn’t directly control. Advertisers can still use Facebook’s own powerful internal tools to micro-target users, but if they wish to use third-party data, they’ll need to acquire it themselves and certify that it has been obtained appropriately.

Advertisers reacted to the move with a mix of resignation and anger, with some agencies accusing Facebook of forcing them to rely more on the social media firm’s own data, helping to boost the company’s profits and solidify its power as a walled garden ecosystem.

The regulatory route

It’s easy to see why advertisers would object to Facebook’s new data rules. Facebook’s users, on the other hand, barely seem to have registered the news. It isn’t that they don’t care about privacy: 91% of consumers think companies shouldn’t be accessing their data without their consent, according to a University of Pennsylvania Annenberg School for Communication study.

Look deeper into the Annenberg study, and you’ll start to see that most simply don’t understand how their information is bought and sold online. Most strikingly, the researchers found that 65% of U.S. adults thought the mere presence of a privacy policy meant that the website wouldn’t share their personal information without their consent.

Many Americans may not know it, but companies that sell consumer data compile it from an enormous range of sources: public records, financial reporting, social media, web traffic, device location, and more–all of which can be used to infer your lifestyle, preferences, and personality. And as long as it’s legal and profitable to do so, they’re almost certain to continue. In fact, according to a report by the Interactive Advertising Bureau, U.S. companies spent nearly $19.2 billion–an annual increase of 17.5%–on third-party data acquisition and management solutions in 2018, despite the potential of regulation.

The first approach toward a regulatory solution–to make collecting, using, or sharing consumers’ data without their consent illegal–would require a U.S. version of the European Union’s General Data Protection Regulation (GDPR). The first GDPR-based action against a major tech company, filed by France, levies an unprecedented $57 million fine against Google for transparency and ad personalization violations. A Google spokesperson responded that it is “studying the decision to determine our next steps,” and that Google is “deeply committed to meeting those expectations and the consent requirements of the GDPR.”