Defendants regularly assert a wide array of purported justifications for their conduct. These include technical necessity in product design, the prevention of competitor free-riding on investments, and the protection of consumer health and safety. Not all are cognizable in antitrust law. Since few cases proceed past the analytical step of considering procompetitive justifications, the question of what is—and is not—cognizable as a justification may play an important role in determining the outcome of Section 1 and Section 2 Sherman Act cases.
This article considers a new justification being invoked by defendants—the need to protect consumer data privacy. For example, in the recent Epic Games, Inc. v. Apple Inc. decision, a Northern District of California judge found evidence of anticompetitive effects arising from the restraints technology giant Apple imposed on its online application (app) store under Section 1 of the Sherman Act. Apple, however, then established that its restraints improved data privacy and security for end users of its online store, which enhanced competition between mobile device operating systems. This privacy-based justification played an important role in Apple avoiding Section 1 liability.
Epic v. Apple is one of the first U.S. antitrust cases to recognize data privacy and security protection as a procompetitive justification, but it is far from the only matter raising privacy-as-justification arguments. Several other digital platforms are invoking user data privacy in response to allegations of anticompetitive conduct.
This article analyzes when such claims of data privacy protection are—and are not—cognizable as a procompetitive justification in U.S. antitrust law. It argues that privacy restraints are justified only when the impugned restraint also has procompetitive effects. It then applies this legal argument to two scenarios: a critique of the Epic v. Apple reasoning on privacy as a justification, and a hypothetical in which data privacy disclosure obligations improve market transparency and competition.
The article also considers the types of evidence that may be useful to courts and agencies in evaluating whether asserted privacy justifications are merely pretextual. Finally, it concludes by distinguishing the analysis of privacy as a justification from the separate legal question of whether privacy regulation may render conduct immune from antitrust law.
Establishing a Procompetitive Justification in Antitrust Law
The rule of reason is the prevailing analytical standard in assessing Sherman Act violations. This analysis typically proceeds using a burden-shifting framework. The plaintiff must first demonstrate a prima facie case of harm to competition. If harm is shown, the burden shifts to the defendant to establish a nonpretextual, procompetitive justification for its actions. Once the defendant establishes a procompetitive justification, the burden shifts back to the plaintiff, who may rebut the justification by showing a less restrictive alternative to achieve the same procompetitive effect or “demonstrate that the anticompetitive harm of the conduct outweighs the procompetitive benefit.”
At the second stage of this framework, courts describe valid business justifications in varying terms, often with a focus on improved efficiency and consumer welfare. In United States v. Microsoft Corp., the D.C. Circuit described a procompetitive justification as “a nonpretextual claim that [the monopolist’s] conduct is indeed a form of competition on the merits because it involves, for example, greater efficiency or enhanced consumer appeal.” The First Circuit similarly describes a justification asserted in response to a Section 1 Sherman Act claim as “valid if it relates directly or indirectly to the enhancement of consumer welfare” such as the “pursuit of efficiency and quality control.” At times, courts describe justifications in more granular terms of increased output, improved operating efficiency, enhanced quality or greater consumer choice.
As with much of modern antitrust law, these judicial references to “efficiency” are generally understood to mean economic efficiency. However, certain cases like United States v. Brown University adopt a non-economic, or at least tenuously economic, view of what constitutes a justification. Such decisions should be viewed as outliers. The weight of Supreme Court precedent confirms that cognizable justifications are premised on improvements in economic welfare, in keeping with the consumer welfare standard that is applied more broadly in antitrust law.
The jurisprudence makes clear that the ultimate question is whether an asserted justification is procompetitive in its effects. A mere desire to maintain a monopoly market share, or to thwart the entry of competitors, cannot constitute a justification. Unless the justification gives rise to “some countervailing procompetitive virtue”—which usually takes the form of improved efficiency—then the restraint or conduct is not justified. For this reason, although justifications are referred to in some judicial decisions as a “defenses,” it is more accurate to say that, where the defendant establishes a procompetitive justification for its conduct, there is no violation to defend against. By definition, “[a]nticompetitive conduct is conduct without legitimate business purpose that makes sense only because it eliminates competition.”
Based on these general criteria of improved economic efficiency and enhanced competition, courts have accepted a number of different justifications as procompetitive. Cognizable justifications often include the prevention of competitor free-riding on investments, technical necessity in product design, the reduction of transaction costs, and the ability to provide new products to customers.
When Is Data Privacy Protection Cognizable as a Justification in Antitrust Law?
Rather than a formalistic inquiry into previously established categories of justifications, this law indicates that the Supreme Court will look to demonstrated economic realities to assess the justifications asserted by defendants. The effects on competition and consumer welfare are determinative. New types of justifications may therefore be recognized where there are demonstrated, positive effects on competition. For example, as the judicial understanding of competitive effects evolved over time, courts recognized the economic reality that vertical restraints may be procompetitive, and therefore potentially justified.
This suggests nothing in existing law would preclude the recognition of privacy restraints or privacy-protective conduct as a procompetitive justification. Such privacy protections ought to be cognizable as a justification in antitrust law when, and only when, they have procompetitive effects. The relationship or effect of the restraint on data privacy is not determinative. Rather, what matters is the effect of the restraint on competition and, correspondingly, consumer welfare. Data privacy protection is simply a new category of justification appearing in response to claims of anticompetitive conduct.
A 2016 Canadian case reinforces this view, and provides one of the most detailed considerations to date of privacy protection as a potential justification for anticompetitive conduct. In Commissioner of Competition v. Toronto Real Estate Board, Canadian competition enforcers brought an antitrust claim against the Toronto Real Estate Board (TREB), alleging that TREB had abused its dominance in residential real estate brokerage services in certain markets. TREB operated a database of real estate listings that, at the time of the case, had no readily available substitute. TREB had promulgated exclusionary rules that denied online real estate brokers access to certain home listing data in its database, while making that same data available to traditional brick-and-mortar brokers. This practice excluded online brokers, who posed a competitive threat to TREB’s many traditional realtor members by undercutting their prices and providing more direct consumer access to real estate listings.
In response to this abuse of dominance allegation, TREB argued that it had limited the online distribution of certain listing data to protect the data privacy of the individuals who were selling their homes through its real estate platform. TREB claimed it had restricted online brokers from accessing certain information, such as historical home selling prices, because its distribution online would violate the home sellers’ privacy interests. TREB presented a number of arguments in support of this position, arguing that its denial of online data access was necessary to comply with Canadian privacy law, and to accord with TREB’s own terms and conditions of service for its home sales database.
The case was heard by the Canadian Competition Tribunal, an adjudicative body that specializes in Canadian competition law. The Tribunal found that TREB had failed to establish on the facts that user privacy protection was a significant driver of its misconduct. Importantly, though, the Tribunal recognized in obiter dicta that privacy could be cognizable as a justification in law, explaining that “there may be legal considerations, such as privacy laws, that legitimately justify an impugned practice, provided that the evidence supports that the impugned conduct was primarily motivated by such considerations.” The decision suggests there is no barrier in Canadian antitrust doctrine to recognizing a privacy protection as a procompetitive justification. Similar logic applies under U.S. law.
Evidence of Benefits to Competition from Privacy Protection.
For a justification to be cognizable in law, defendants must provide evidence that the impugned restraint is likely to generate the claimed economic benefit to competition not just generally, but in the particular case where this is argued. Courts have rejected justification claims where there is inadequate evidence of the claimed economic benefits. As the Eleventh Circuit explained in McWane, Inc. v. FTC, even where the claimed conduct “could result in increased efficiency in the right market conditions,” the defendant will not establish a justification unless it demonstrates “reasons to think that such conditions exist in [the given] case.” This means the defendant will often need to produce relatively specific economic evidence to substantiate the procompetitive effects of its actions and to demonstrate that procompetitive benefits flow from its challenged restraint or conduct.
Producing this type of evidence may prove difficult for many privacy-related restraints. The legal understanding of privacy economics is at an early stage of development. Leading economic scholars criticize the Federal Trade Commission for the dearth of economic foundations in privacy enforcement pursued under Section 5 of the FTC Act. Though there is growing recognition that privacy may be the basis of non-price competition, there is little concrete economic research or methodology that courts could rely on for an in-depth understanding of the effects of competition on privacy quality in specific markets. The still-emerging economic foundations of privacy harm may pose a significant practical challenge for defendants seeking to establish data privacy protection as a procompetitive justification.
When Is Data Privacy Protection Not Cognizable as a Justification in Antitrust Law?
Since “privacy” is a wide-ranging and often amorphous concept, it is also helpful to understand when a claim of data privacy protection is likely not cognizable as a justification in antitrust law.
In both National Society of Professional Engineers v. United States and FTC v. Indiana Federation of Dentists, the Supreme Court firmly rejected arguments that restraints on competition are justified because their effect is to improve public health or safety. In Professional Engineers, the Department of Justice, Antitrust Division (DOJ) established that the defendant engineering society’s ethical rules were per se anticompetitive. The rules prohibited members of the society from bidding against each other to supply engineering services. The defendant claimed that its rules were justified because their enforcement protected the public from the inferior and unsafe engineering work that would result if engineers competed on price, driving down quality in order to achieve these lower prices.
The Supreme Court flatly rejected this justification, calling it “nothing less than a frontal assault on the basic policy of the Sherman Act,” because the argument relied on the premise that competition is harmful to consumers. The Court reasoned that the Sherman Act is a legislative judgment that competition is positive for consumers. Even if that judgment is not correct in every market, “the statutory policy precludes inquiry into the question whether competition is good or bad. . . . The judiciary cannot indirectly protect the public against this harm by conferring monopoly privileges on the manufacturers.” Accepting arguments that competition is sometimes “bad” for consumers, like the argument of the defendant engineering society, would amount to the creation of judicial exceptions to this policy, substituting the court’s view for that of Congress on the proper role of competition. The Supreme Court confirmed that, in considering whether a restraint is unlawful, the court’s inquiry is properly “confined to a consideration of impact on competitive conditions.”
Twelve years later in FTC v. Indiana Federation of Dentists, the Supreme Court reaffirmed this view. Leaning heavily on Professional Engineers, the Court rejected the defendant’s claim that its restraints on competition improved the quality of dental care, and therefore improved consumer health. The asserted benefit to consumers flowed from an absence of competition, created by the defendant’s unlawful conduct, and did not constitute a justification in antitrust law.
Applied to the context of data privacy, this jurisprudence suggests courts will reject arguments that conduct is “justified” because it improves privacy by limiting competition. Consider the example of a dominant seller of online display advertising who also operates a popular web browser. The ad seller/browser company initially allows rival ad publishers to use cookies to track end-users’ ad viewing through its browser. Later, the company changes its policy, and bars rivals from collecting this advertising data. Competing ad publishers claim this policy change substantially limits competition in the sale of online display advertising (which depends on the collection of ad-viewing data). They challenge the restraint as an unlawful refusal to deal. In the face of these claims, the browser company argues that its limits on data access are justified, because the effect is to protect end-users’ privacy. Without its restraints, the company claims that rivals would compete to track more and more of individuals’ online ad-viewing habits, eroding the privacy protection in markets for online display advertising to sub-optimal levels.
Like the justifications asserted in Professional Engineers and Indiana Federation of Dentists, this argument is likely to be rejected by courts, because it is premised on the social benefits derived from limiting competition. Much like the claims of public health and safety improvement in these earlier cases, the promotion of data privacy is a socially desirable and worthwhile goal. Data privacy benefits consumers, and the broader public, playing an important role in personal autonomy, dignity and freedom. That does not, however, render the protection of privacy, in itself, an antitrust concern. Nor does it exempt arguments in favor of data privacy from the basic antitrust premise that competition is good for consumers.
The browser company’s argument, without more, amounts to a claim that consumers must be shielded from online advertising competition, or else their data privacy will be eroded to the detriment of the public interest. This is at odds with the basic premise of promoting competition under the Sherman Act, because it relies on the assumption that competition is harmful to consumers. Supreme Court jurisprudence confirms that restraints on competition cannot be justified based exclusively on claims of social welfare improvements that stem from an absence of competition. However, this type of normative pro-privacy claim is distinct from a cognizable justification that a restraint improves efficiency and privacy-based competition in a market, examples of which are discussed below.
How has antitrust law distinguished between these two types of arguments—data privacy as it relates to competition, in contrast to claims that privacy is normatively important? Here, the more extensive experience with data privacy in merger reviews provides useful insight.
In 2007, the FTC refused to intervene in Google’s acquisition of ad-serving company DoubleClick on the basis of normative privacy concerns. Consumer privacy advocates, and one dissenting FTC Commissioner, worried that post-merger, the parties would combine their ad-related data sets in a manner that negatively impacted consumer privacy. The majority of the FTC Commissioners acknowledged that the Bureau of Consumer Protection had closely examined privacy concerns in the behavioral advertising industry (where Google and DoubleClick both operated their businesses) for many years. However, the FTC’s investigation of this particular acquisition found little evidence that Google’s purchase of DoubleClick would adversely impact non-price attributes of competition, such as the quality of consumer privacy.
The FTC majority analogized any effects on privacy to concerns in past mergers regarding impacts on the environment or on labor, and concluded that “[a]lthough such issues may present important policy questions for the Nation, the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition. . . . the Commission lack[s] legal authority to require conditions to this merger that do not relate to antitrust . . . .”
The agency, in effect, crafted a limit for the role of privacy in merger reviews. The FTC was willing to consider whether the merger negatively affected privacy as a non-price parameter of competition. However, there was insufficient evidence of such privacy quality effects arising from the proposed merger. Any other adverse effects on consumer privacy that might arise from the combination of data post-merger were considered outside of the FTC’s jurisdiction in conducting its merger review.
Since Google/Doubleclick, the FTC and the DOJ have continued to take a similar position on the limits of privacy considerations in antitrust analysis. When—and only when—privacy is a parameter of quality-based competition in a market it may be considered as part of the antitrust analysis. If a merger is likely to cause a decline in competition to supply privacy features or privacy-related products that are valued by consumers, the agencies appear willing to consider those effects as part of the overall antitrust analysis. For example, the DOJ’s ongoing monopolization case against Google alleges a decline in online search quality “on dimensions such as privacy, data protection, and use of consumer data,” as a result of the company’s exercise of monopoly power to restrict competition.
These agency views on the role of privacy in merger reviews and in monopolization claims hint that a similar dichotomy—and similar limits—are likely to emerge when a defendant asserts that data privacy justifies its anticompetitive conduct. When a defendant makes arguments based on normative or standalone privacy concerns, for example, with no nexus to competition at all or premised on limiting competition to improve privacy, then courts and agencies are likely to find that those purported justifications are not recognized in antitrust law. In contrast, when the justification is tied to improving the quality of privacy through competition, or otherwise increasing competition based on privacy, it is likely to be cognizable in antitrust law.
Epic v. Apple Recognizes Data Privacy and Security as a Justification under Section 1 of the Sherman Act.
The recent Epic v. Apple decision is one of the first to accept privacy and data security as a procompetitive justification for the conduct of a digital giant. The case illustrates the important distinction at the heart of this article, albeit unwittingly, by first accepting a justification based on the normative value of privacy to consumers—which is likely incorrect in antitrust law—and then by accepting a second justification of interbrand privacy-based competition, which is correct in law.
The Epic v. Apple litigation centers on Apple’s rules and restrictions for the distribution of iOS apps through its online store. Apple’s store is the near-exclusive source of application downloads for consumers who use Apple’s popular mobile devices. As a condition of distribution through its app store, Apple mandates that apps use the company’s proprietary in-app payment processing system, and collects a 30 percent commission on all in-app purchases made using its system. The litigation arose when Epic challenged these app-store rules, introducing its own in-app payment methodology within the popular Fortnite app on the Apple app store. Apple banished Fortnite from the app store for this knowing violation of the store rules and Apple’s developer licensing agreement.
In response, Epic brought antitrust claims in the Northern District of California alleging that Apple’s technical and contractual restrictions, which it imposes as a condition of distribution of apps through its app store, violate Sections 1 and 2 of the Sherman Act and state unfair competition law. This discussion focuses only on the Section 1 claims, because that portion of the lengthy decision contains the most extensive consideration of justifications.
Epic based its Section 1 allegations on the anticompetitive effects of Apple’s in-app payment rules and Apple’s distribution rules. The challenged distribution restraints included prohibitions on “store-within-a-store” apps (preventing decentralized distribution), technical prohibitions on app downloads from outside the Apple store (preventing “sideloading” of apps), and the requirement that Apple employees conduct a human review of app functionality and descriptions (collectively referred to in the decision and this article as the “app distribution restrictions”).
In her ruling of September 10, 2021, Judge Yvonne Gonzalez Rogers of the U.S. District Court for the Northern District of California finds Apple’s payment and distribution restraints to be anticompetitive. She first concludes that the developer agreement between Apple and app developers was not a concerted agreement, because it was unilaterally imposed by Apple onto developers. However, she goes on to find direct and indirect evidence that the restraints were prima facie anticompetitive in their effects. Judge Gonzalez Rogers reasons that Apple’s ability to maintain its 30 percent in-app commission rate likely “stems from market power.” Apple’s restraints on distribution preclude developers from opening other game stores for iOS apps, which would compete with Apple on commission rates, likely lowering prices to end users and producing more innovative features in game distribution. The decision explains that since Apple has constructed an “ecosystem” of interlocking restrictions, the effect of any one restriction is difficult to assess in isolation. Instead, Judge Gonzalez Rogers concludes that Apple’s practices are linked by “common threads” of unreasonable restraints on competition and harm to consumers, which enable the company to charge supracompetitive commissions.
Of key interest here, Judge Gonzalez Rogers then goes on to accept two procompetitive justifications proffered by Apple for its anticompetitive conduct. Both are premised on Apple’s protection of user data privacy and security in the app store.
The decision adopts the law from FTC v. Qualcomm, a 2020 United States Court of Appeals for the Ninth Circuit decision, to determine what constitutes a justification: “a nonpretextual claim that [defendant’s] conduct is indeed a form of competition on the merits because it involves, for example, greater efficiency or enhanced consumer appeal.”
The first justification that Judge Gonzalez Rogers accepts, termed the “security justification” in the decision, is that Apple’s restraints on app distribution and payment are permissible because they enhance privacy and security within the app store. In an earlier fact section, the court explains why Apple’s elimination of either type of restriction would likely cause user privacy and security within apps to decline. Apple’s centralized app distribution, and, in particular, the human review of apps, helps to protect consumers against malware, fraud, and privacy intrusion. The court provides the example of Apple’s human review confirming that the app’s access to user information is reasonable given the function of the app. A simple gaming app, for example, does not necessarily require access to real-time health data stored on the user’s device. If Apple loosened its review standards, or permitted stores-within-stores to distribute apps, the company would no longer be able to ensure that the apps being distributed would maintain Apple’s standards of privacy and security, which consumers have come to expect when they download apps from the Apple store. Particularly given that app developers may prefer more access to data and lower levels of user privacy than Apple requires as a condition of app distribution, the decision finds that “privacy, more than other issues, likely benefits from some app distribution restrictions.” The app store restraints thus benefit consumers by providing a safe and trusted source for iOS app downloads.
In light of this evidence, Judge Gonzalez Rogers concludes that privacy and security are a valid and nonpretextual rationale for Apple’s limits on app distribution. By providing the protections for the app store, “Apple provides a safe and trusted user experience on iOS, which encourages both users and developers to transact freely and is mutually beneficial,” in turn “enhanc[ing] consumer appeal,” the latter prong described in FTC v. Qualcomm.
This reasoning is problematic in light of Professional Engineers and Indiana Federation of Dentists. In place of the health and safety claims in these prior cases, here the asserted social welfare improvement is greater app security and privacy for consumers. The reasoning seems to accept limits on competition in order to achieve improved data privacy and security of Apple’s app store. In other words, a privacy-protective and secure app store is normatively “good” for consumers, even if its achievement requires the absence or reduction of competition. This is the approach to justifications that Professional Engineers warns against, albeit in the context of consumer safety rather than privacy. Finding that privacy and security are improved by preventing the distribution of competing app storefronts, or other limitations on competition for app distribution, is “nothing less than a frontal assault on the basic policy of the Sherman Act,” because it relies on the premise that competition is harmful to consumers in its erosion of privacy and security. It is true that a reliable, secure source for app downloads benefits consumers in the broader sense of social welfare achieved through privacy and security protection. However, this type of normative privacy claim is not cognizable as a justification under current antitrust case law.
The Epic v. Apple decision goes on to accept a second privacy-related justification for Apple’s app store restraints: the promotion of interbrand competition between mobile operating systems. This portion of the reasoning provides an excellent example of privacy as a cognizable justification, illustrating the argument above that such justifications must have procompetitive effects.
This portion of the reasoning relies on Leegin Creative Leather Prods., Inc. v. PSKS, Inc., in which the Supreme Court found that resale price maintenance may be permitted under the rule of reason if it promotes interbrand competition—despite the potential for such price minimums to limit same-brand retailer competition. Citing Leegin, Judge Gonzalez Rogers explains that Apple’s centralized app distribution or “walled garden” approach is the company’s competitive differentiator from rival operating systems like Google’s Android. Apple’s testimony and survey evidence indicated that many consumers choose Apple because their devices offer strong data and privacy protection. The restrictions Apple places on app distribution pricing increase the available choices for consumers, “allowing users who value open distribution to purchase Android devices, while those who value security and the protection of a ‘walled garden’ to purchase iOS devices.” Apple’s restraints are justified because they enable the company to better compete for users with other mobile operating systems.
Apple’s argument for this interbrand competition justification is not merely about the normative value of ensuring consumers’ privacy. Rather, it relies on a modern analogy to Leegin, a decision which was influential in its recognition that interbrand competition may serve as a procompetitive justification. The free-riding argument in Leegin involved a manufacturer who imposed minimum resale prices on the retailers selling its products. The manufacturer argued that this restraint encouraged retailers to invest in benefits for consumers, such as improved customer service, higher-quality showrooms, and training for employees. The price restraints were necessary to eliminate the risk that dealers who invested in these value-added services would then be undercut on price by Leegin’s other (same-brand) dealers who failed to make similar investments. By preventing such undercutting, this price maintenance encouraged investments by retailers to the benefit of consumers and, in turn, enhanced competition between brands.
Apple adapts this argument to assert that Epic seeks to “freeride” on the investments Apple makes in enforcing high standards of privacy and security, by operating a rent-free store of Epic’s own without the same user privacy protections. Apple’s filings argue that, as in the traditional free-riding cases, the company invests heavily in its app store, including in the review of apps, customer service, distribution, marketing, and developer tools. Apple argues that its mandatory in-app purchase commissions, and its restraints on app distribution, enable such investment and, in turn, the maintenance of a “secure and trusted platform for consumers to discover and download software.” Apple then paints a picture of Epic’s attempts to evade the app store restrictions, first with a request to offer its own competing Epic Games mini-store within the broader Apple store, then with its own payment system in the Fortnite app, which violated the Apple app store guidelines and agreements between the parties.
By analogy to traditional free-riding arguments, Apple is essentially claiming that market conditions are such that “privacy” maintenance is required to limit the quality erosion that would occur in the absence of app store restraints. Apple claims that Epic does not uphold privacy and security standards equivalent to Apple’s and points to Epic’s history of offering apps outside of iOS that contain security vulnerabilities. If Apple’s rules were loosened to allow Epic to offer a “store within a store,” consumers would presumably see Epic’s offerings within the same Apple app store from which they ordinarily download Apple-vetted apps, and assume the apps meet Apple’s usual privacy and security standards. Like the retailers who freeride on the investments of other retailers in service and showrooms, Apple would then lose sales to Epic, the privacy-quality discounter. Privacy would erode to a level below that preferred by customers, as Apple loses the margin that enables it to maintain app store privacy quality. Apple’s distribution restraints alleviate this privacy erosion problem, by preventing Epic from undercutting privacy and security quality in the app store. This adaptation of classic free-riding arguments to the data privacy context makes sense, satisfying the legal requirement that a justification have a “countervailing procompetitive virtue.”
Both Epic and Apple have since appealed this decision to the Ninth Circuit. The case promises to be worth watching for its development of data privacy and security as a justification in law and in fact. Apple’s privacy and security justifications played an important role in the company avoiding Sherman Act Section 1 liability, given that Judge Gonzalez Rogers found that Epic had put forth sufficient evidence of anticompetitive effects to carry its prima facie burden, and rejected the only other (intellectual property-related) justification. The ultimate success of Apple’s privacy-as-justification arguments is likely to impact other digital platform cases, including future liability findings.
Privacy Disclosure Obligations as a Potential Justification: Increasing Market Transparency.
Epic v. Apple hints at, but does not address, another scenario in which privacy protections may be cognizable as a procompetitive justification, when the court observes Apple’s requirement that apps make certain privacy disclosures to users. It is common for digital platforms to require that third-party services provide certain privacy disclosures, or privacy options, to consumers.
Imagine a dominant app store operator introduces a requirement that all apps distributed through its online store make real-time privacy disclosures to indicate when a consumer’s location is being tracked by the app. Assume the app store operator also offers its own, vertically-integrated apps in competition with the app developers in its store. Many app developers are unhappy with this new requirement because it changes consumer behavior and reduces the developers’ ability to collect and monetize user location data. The store operator then removes all non-compliant apps from its store, including some competing apps. This prompts some app developers to complain to antitrust authorities, alleging that the operator’s conduct significantly reduces competition, and constitutes a refusal to deal in violation of Section 2 of the Sherman Act. Assume the rival app developers could establish that the operator has monopoly power and make a prima facie showing of anticompetitive conduct.
Here, the app store operator has a strong argument that the restrictions are justified as procompetitive. By their nature, the required privacy disclosures are likely to increase transparency for consumers in the relevant market for apps. In the absence of the operator’s disclosure rule, it is difficult and time consuming for consumers to obtain accurate information about how and when apps track their location. The terms and conditions for apps are often dense, and app companies could change their terms unilaterally and regularly. Even if diligent consumers examined these changing terms for each app they used—an impractical and time consuming scenario—the disclosures often will not state with specificity how or when location tracking occurs within a given app.
The app store’s rules on location-tracking disclosure may make the relevant market more efficient, to the benefit of consumers. The disclosure rules and their enforcement likely increase privacy transparency in the market, making it easier for consumers to compare location tracking by apps, and to choose apps that suit their privacy preferences. The disclosure rules are likely to reduce the search costs for consumers who are seeking an app that has minimal or no tracking, or who want to find out whether their location is being tracked by an app they use (or an app they are considering using). This increased transparency in location tracking may well drive competition between apps to provide better privacy protection, perhaps reducing the extent to which apps track user location, or prompting the use of just-in-time consumer consent to tracking when it occurs.
This app store argument is analogous to the procompetitive justification established in California Dental Association v. FTC on remand to the Ninth Circuit. The FTC challenged the dental association’s advertising rules, which required member dentists to include certain disclosures in their ads. The FTC argued that the enforcement of these rules impermissibly restricted truthful advertising, in violation of Section 5 of the FTC Act.
Applying a rule of reason standard, the Ninth Circuit found that the dental association guidelines were justified. In particular, the court found it was likely that the rules reduced information asymmetries inherent in the dental services market. Dentists know much more about their services than consumers do, and it can be difficult for consumers to obtain accurate information about dental service quality until after those service are purchased. Economic expert testimony indicated that the advertising disclosure rules made it easier for consumers to obtain accurate information about dental services and reduced the search costs for consumers to find the information needed to compare different dentists. The effect of the rules was to make it easier for consumers to find their desired dental services, and this likely enhanced overall competition.
Much like the dental association, with supporting economic evidence, the app store operator in the hypothetical above could demonstrate that its privacy disclosure requirements make the relevant market for apps more efficient. The app store operator may even find it easier to demonstrate that its conduct is justified, because its case would involve unilateral conduct, not concerted action like that by the association of competitors in California Dental. The app store rules may increase disclosure of location tracking, reduce information asymmetries between the apps and consumers regarding when tracking occurs, and lower the search costs for consumers to find apps that match their privacy preferences. In short, such data privacy restraints may reduce competition from apps barred from the app store for non-compliance, but the restraints also improve transparency, enhancing the efficiency of the market and promoting privacy-based competition.
Pretextual Privacy Justifications?—A Factual Analysis
Though these questions of law are important, often the facts will determine whether a defendant is successful in establishing a justification related to data privacy protection.
Courts will reject business justifications that are merely “pretextual” on the facts. This is an evidentiary question. Courts and agencies will look for testimony and contemporaneous documents that support the defendant’s claimed justification for its conduct. Ostensible justifications will be found pretextual when evidence (or a lack of evidence) indicates that the claimed rationale does not plausibly explain the defendant’s conduct.
When a firm is simply invoking a “justification” post hoc, it will often be difficult to demonstrate credibly that its actions were driven by the asserted rationale. For example, in United States v. Dentsply International, Inc. the Third Circuit found that the claimed justification for exclusive dealing requirements was pretextual, because the justification was inconsistent with almost all of the evidence regarding the challenged policy, including the company’s “announced reason for [its] exclusionary policies, its conduct enforcing the policy, its rival suppliers’ actions, and [its own] dealers’ behavior in the marketplace.” In other cases, ostensible business justifications have been undermined by more innocuous evidence, such as testimony from company leadership that the rationale for the conduct “did not cross [their] mind.”
In Epic v. Apple, the Northern District of California did not expressly address whether Apple’s claims of privacy protection were pretextual. Instead, the Court seems to accept the credibility of Apple’s claim of data privacy protection, given the evidence that privacy and security are important competitive differentiators for Apple in the eyes of consumers. Future cases are likely to present more pressing factual questions about whether a defendant was actually acting to protect user data privacy, or merely invoking user privacy ex post to ward off allegations of anticompetitive conduct.
The Commissioner of Competition v. Toronto Real Estate Board case provides more insight on how this analysis might proceed for purported privacy justifications. The Canadian Competition Tribunal was persuaded by the absence of contemporaneous documents identifying user privacy protection as a reason for the defendant’s conduct, and by the evidence of TREB’s other practices related to data and consumer consent. The documentary evidence showed that, when TREB had faced earlier privacy concerns over the online posting of interior home photos (unrelated to conduct challenged in the case), TREB had sought legal advice, then modified the consent provision in its standardized listing agreements to facilitate such postings. TREB took no equivalent action when it came to the privacy concerns asserted as a justification before the Tribunal. This discrepancy suggested that privacy was not, in fact, a motivating factor in TREB’s restriction of online brokers’ access to home listing data.
Further, in other business contexts TREB had interpreted preexisting consumer consents as sufficiently broad to enable it to disclose consumer data. When it came to the challenged restraints in the case, however, TREB interpreted its user consent obligations as more onerous, invoking those obligations as a reason to limit data access. This overall context, along with the lack of documentary evidence reflecting privacy concerns, demonstrated that “privacy played a comparatively small role” in TREB’s choice to adopt and enforce the disputed policy. The Tribunal found that the asserted privacy concerns were pretextual—an “afterthought,” raised in the face of litigation.
Early U.S. cases suggest that antitrust courts will be similarly skeptical of claims by large digital platforms that their conduct was driven by concerns over user data privacy. In the recent hiQ Labs, Inc. v. LinkedIn Corp. decisions, both the Northern District of California and the Ninth Circuit were dubious of LinkedIn’s claim that it excluded a rival to protect users’ privacy interests. Initially, the social media company LinkedIn had permitted hiQ, a data analytics company, to scrape data from user profiles on LinkedIn’s popular social networking service. HiQ used that information to power its data analytics software, which alerted employers to changes to their employees’ LinkedIn profiles. Since LinkedIn is primarily used for professional social networking, such profile updates were used as a proxy to identify employees potentially at risk for leaving their job.
LinkedIn later blocked hiQ from accessing any user profiles on its social networking service. HiQ claimed that LinkedIn had terminated its access to protect LinkedIn’s competing data analytics services, in violation of state unfair competition law. LinkedIn argued it had acted out of concern for users’ data privacy, not competition. HiQ was scraping data from individual profiles in a manner that LinkedIn argued was violating users’ individual privacy settings and reasonable expectations of privacy.
On hiQ’s motion for a preliminary injunction to regain access to LinkedIn profiles, the District Court was unconvinced that “actual” consumer privacy expectations were “shaped by the fine print of a privacy policy buried in the User Agreement that likely few, if any, users have actually read.” This skepticism is at odds with the FTC’s fundamental assumption in Section 5 FTC Act enforcement that consumers’ reasonable expectations of privacy are established by the terms of privacy policies. This longstanding view is reflected in the FTC’s earliest privacy-related Section 5 enforcement, which was premised on the idea that “[c]ompanies that made express or implied promises simply had to keep them.”
On appeal, the Ninth Circuit was similarly doubtful that users had expectations of privacy in their LinkedIn profile data, but the court focused more on the public nature of the profile information being scraped by hiQ. While acknowledging that posting publicly on social media does not necessarily imply consent to the use of data for “all purposes,” the court ultimately concurred with the district court finding that user privacy expectations in LinkedIn profile information were “uncertain at best.” Even if such privacy interests did exist, they were outweighed at the preliminary injunction stage by hiQ’s interest in accessing the profile data so it could continue to operate its business.
Along similar lines, a recent state antitrust enforcer complaint expresses preemptive skepticism of Google’s user data privacy justification for its planned termination of third-party access to cookies on the Chrome internet browser. A Texas-led group of state attorneys general are pursuing a high-profile monopolization case against Google. Their amended complaint includes allegations that the company is acting in an anticompetitive manner with its plans to block third-party access to cookies on Chrome. The complaint describes Google’s privacy justifications for the change as “a ruse” and mere “pretext.”
Although these cases are in early stages, this initial skepticism toward claims of privacy protection as a justification seems understandable. Many of the digital platforms now invoking the need for user data privacy protection have also been high-profile, repeat targets of data privacy law enforcement for violating those same users’ data privacy. This may explain the generalized doubt around claims by these companies that user privacy is driving their actions to exclude competitors.
The sense of skepticism may also stem from the separation between the party whose privacy interests are at stake (often users) and the party invoking those interests (often the digital platform). It is more typical for defendants to invoke their own rights or interests, such as intellectual property rights, as a justification for their conduct. However, this separation of privacy interests may be narrowing somewhat, as digital platforms face a growing threat of liability for failures to police third-party privacy misconduct on their services. For instance, the FTC made clear in an order against Facebook that “Facebook will be liable for conduct by [third-party] apps that contradicts Facebook’s promises about the privacy or security practices of these apps.”
Ultimately, it will be important for agencies and courts to evaluate privacy justifications based on the specific evidence and arguments in each case. As in so many other antitrust cases, internal documents—particularly those that predate litigation—are likely to play an important role in determining whether the claimed privacy justification is pretextual or not. Documents that directly discuss the rationale for the defendant’s conduct will be the most helpful. Other relevant evidence may include records on the enforcement of, and changes to, the terms of the defendant’s privacy policy over time. Such documentary evidence could reveal, for example, uneven privacy policy enforcement meant to disadvantage competitors. Or, it may instead prove that the defendant tracks and responds to its rival’s privacy policy changes, suggesting privacy-based competition is at play. As in TREB and hiQ, evidence of the defendant’s past and current data privacy practices may also shed light on whether a justification is pretextual, though this indirect evidence should not overshadow more specific proof where it is available.
The Distinct Question of Data Privacy Law and Regulated Conduct Immunity
These claims of data privacy as a procompetitive justification hint at a related legal argument not yet raised in U.S. litigation. Could the regulation of conduct under data privacy law render that conduct immune from antitrust law?
Detailed analysis of this question is beyond the scope of this article. However, it is worth noting the three general approaches that privacy legislation may take to addressing antitrust immunity. A privacy statute may expressly exempt conduct from antitrust enforcement through an immunity or preemption clause. Alternatively, a privacy statute may expressly preserve the application of antitrust law through a savings clause. Finally, a privacy statute may simply remain silent on the issue of whether privacy regulation or antitrust law takes precedence. In this last scenario, the courts are left to conduct an implied immunity analysis to determine whether, and to what extent, antitrust law cedes to privacy regulation.
Conduct compelled by other federal law is generally immune from antitrust law, and this principle would ordinarily apply to privacy law obligations. Older cases have applied a standard requiring “plain repugnancy” between the regulatory requirement (here, the privacy law obligation) and the antitrust prohibition before concluding antitrust law is inapplicable.
Extending the hypothetical of the app store operator above, this legal question could arise if the app store operator, instead of invoking general data privacy interests of consumers, took the argument one step further to claim it was obligated by federal data privacy law to require that apps disclose location tracking.
However, U.S. antitrust cases have not yet raised this question of regulated conduct immunity based on data privacy regulation. As demonstrated by the cases in this article, the arguments to date are not claiming that a particular statutory authorization, permission, or conflict is occurring due to privacy law. Instead, the cases involve generalized assertions that the anticompetitive conduct improves or protects the privacy interests of consumers to the benefit of competition and is therefore justified. However, these immunity questions are more likely to arise as U.S. privacy law expands. The proliferation of state privacy statutes, and perhaps even the passage of a federal omnibus privacy law, will create greater potential for cases that involve privacy regulation and antitrust immunity.
Further, antitrust immunity arguments often do not involve a direct conflict—instead, the question is whether antitrust law applies to conduct that may be authorized or permitted under the regulatory statute (here, the privacy legislation). Cases like Verizon Commc’ns Inc. v. Law Offices of Curtis V. Trinko, LLP have found that industry-specific regulatory regimes may supplant antitrust law, even where both areas of law impose compatible obligations. This jurisprudence is not clear on the extent of regulation required to forestall antitrust claims, and it has yet to be applied to the interaction between antitrust and data privacy.
Conclusion
This article examines whether and when data privacy protections may justify anticompetitive conduct under the rule of reason. It argues that the protection of consumer data privacy is cognizable as a justification when—and only when—the impugned privacy restraint has procompetitive effects. Applying Supreme Court precedent, it argues that the law should reject claims of privacy as a justification when the asserted privacy benefits depend on limiting competition.
This emergence of data privacy as a justification for anticompetitive conduct presents a difficult new issue in individual cases. It also implicates broader policy questions in the red-hot debate over digital regulation. How might policymakers, enforcers and courts understand the interactions between privacy and competition, in order to optimize consumer welfare? When might consumers benefit from greater data privacy, or rather, greater data-driven competition? Could innovative policy solutions and enforcement approaches advance both interests? These questions are fundamental to the cohesive regulation of the digital economy, and require creative, cross-doctrinal thinking to advance the social and economic welfare of consumers.