Balancing Innovation with Compliance: Data Privacy Lessons From Threads Launch

Threads, the Twitter alternative developed by Meta, made news for being a "privacy nightmare" that won't launch in the EU. But that did not stop it from becoming the fastest growing mobile app, reaching 100 million users in five days.

The growth of Threads is attributed to its tight integration with Instagram, giving it an opportunity not only to grab a captive audience that can join easily using their existing Instagram accounts but also to access their personal data to provide better personalization and facilitate targeted advertising. Interestingly, Meta's decision to bypass the EU is also attributable to these same factors.

The rapid growth of Threads app while avoiding compliance conflict in the EU is a pivotal moment in data privacy. Here are 5 key take-aways.

1. Privacy Enforcement Matters To The Bottomline

Threads launch strategy is notable for a high profile app where launch in a specific geographical region was avoided due essentially to its privacy enforcement regime. Even though this was eventually a business decision, it comes on the heels of high profile fines and other adverse rulings by EU regulators related to data protection issues similar to those implicated by Threads.

First in January, Meta was slapped with fines of $435 million (€400 million) by EU watchdogs who declared unlawful the legal basis Meta had been using to process personal data from EU Facebook and Instagram users to run targeted ads. Then in July, the European Court of Justice, the EU’s supreme court, upheld that Meta has to get user consent before gathering data for its targeted, behavioral ads. Meta is also considered amongst the companies identified as “digital gatekeepers” under the new Digital Markets Act (DMA) which are subject to strict rules that prohibit locking users in their digital ecosystem or requiring data sharing across multiple services for them to operate.

Meta's decision, then, to bypass the EU (and its 250 million Instagram users) is an attempt to avoid any further legal liabilities in an already complicated battle with the EU regulators. At the same time, it is a recognition of the real difference in the data privacy regimes on either side of the Atlantic that app developers have to continuously grapple with. Meta is just the most high profile name amongst them.

2. Pan-Atlantic Gap in Data Privacy Regimes is Real

When it comes to data protection, the long list of rulings and regulations affecting Meta point to the fact that Europe and the U.S. have “a fundamental conflict of law.”

Threads is tied to Instagram, and both apps collect and share with each other a treasure trove of personal data about their users, including all things from location and browsing history to health and financial data. Threads is actually transparent about this data collection and provides a clear notice to users when installing the app about what identifiers are collected and sold to advertisers. Unlike in the EU, this approach works just fine in the US (and in the U.K. and most of the rest of the world).

Given this pan-Atlantic gap, it is not the future of Threads alone that is at stake in Europe. The rulings against Meta could in theory extend to most other companies as well that rely on the same legal mechanisms for processing personal data of EU citizens. This is way bigger than Threads.

3. Personalization Trumps Privacy in Growth Phase

Meta might in theory have had the option to launch Threads as a fully standalone service in the EU. The question is whether it would have been worth it.

In all likelihood, Threads wouldn’t have taken off as quickly if Meta couldn’t exploit that existing Instagram audience. Without that personalization advantage, it will be more effort for users to join up, it will take longer to build a network, and it will be harder for the business to tailor recommended content to users. And so if Threads can’t capitalize on Instagram’s strength in Europe, it might be a better strategy to hold off until Threads has gained a bit of traction in the U.S. and U.K.

This suggests that businesses may prioritize personalization-friendly privacy regimes in the growth phase. Over time, with more content and bigger existing network, the business may recalibrate its strategy to expand to regions with stricter privacy regimes.

4. Privacy by Design Is Not One Size Fits All

The deliberate decision by Meta to de-prioritize the launch of Threads in EU in order to de-risk the business is also relevant to how teams should approach privacy by design when building new products or features.

The process of privacy by design usually involves introduction of appropriate privacy controls at an early stage in the product design phase. The controls should be consistent with the liability exposure of the organization, and what controls to introduce will depend on the jurisdiction relevant to the launch of the product.

It is advantageous to create a modular process that takes into account jurisdiction-specific requirements as opposed to being one-size-fits-all. For example, in the case of Threads, recognition of the pan-Atlantic gap in the data privacy regimes allowed the business to focus on personalization-friendly privacy regimes (such as US and UK) and introduce the controls necessary to launch, while avoiding EU where the controls required to launch would have worked against its goals.

5. Don't Let Consistent be The Enemy of Flexible

Although Threads launch strategy is in contrast to the view that companies should strive for consistency in handling regulatory requirements across multiple data privacy regimes, we cannot let consistency be the enemy of flexibility.

One example of being consistent is to always adopt the strictest requirement across all regimes (for e.g. using GDPR's 72 hour breach notification rule as a standard) because it keeps things simple and compliant across the board. Though a consistent approach has its advantages, sometimes the business may need more flexibility to innovate, and choose to adopt a more permissive standard.

Threads emphasis on personalization during the growth phase is an example of doing just that. Of course, the business must also mitigate any outstanding risks resulting from this decision, and in the case of Threads, that mitigation was to avoid launching altogether in the EU due to its stricter requirements related to personalization.

Connect with us

If you would like to reach out for guidance or provide other input, please do not hesitate to contact us.