A Practical Guide to Is Big Tech Actually a Big Problem

This guide explains Is Big Tech Actually a Big Problem in practical terms, with a focus on privacy-first analytics decisions.

Big Tech is not a problem simply because a company is large. Some digital products require scale: search engines need broad indexes, marketplaces need buyers and sellers, and social networks become useful only when enough people participate.

The privacy problem begins when scale, market power, and data collection reinforce each other. A company with dominant distribution can collect more behavioral data. More behavioral data improves targeting, personalization, and ad measurement. Better monetization funds more acquisitions, integrations, and defaults. Over time, the market can start to feel less like a set of choices and more like infrastructure controlled by a handful of companies.

Scale Changes the Meaning of Consent

Consent is easier to defend when a user has a realistic alternative. It becomes weaker when the service is socially or commercially unavoidable.

If a small website asks to measure aggregate pageviews, a visitor can leave with little consequence. If a dominant platform asks to combine data across search, maps, video, advertising, app stores, messaging, and embedded third-party pixels, the decision is not symmetrical. Refusing may mean losing access to essential communication, business reach, or discovery.

This is one reason the EU Digital Markets Act focuses on "gatekeepers." The European Commission has designated major platforms including Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Booking as gatekeepers for specific services, listed on the Commission's DMA gatekeepers page. DMA obligations include restrictions on combining personal data across services without valid consent and requirements that make digital markets more contestable.

Competition law and privacy law are different tools, but they meet at the same pressure point: data advantages can become market advantages, and market advantages can make privacy choices less meaningful.

Why Data Combination Is So Powerful

One dataset can be limited. Combined datasets are much more revealing.

A search query shows intent. A map route shows location. A video history shows interests. A shopping history shows household needs. A login identity connects activity across devices. A third-party pixel can show what someone did after leaving the platform.

When these signals are joined, the company does not need one sensitive field labeled "health" or "income" to infer sensitive things. Patterns can imply pregnancy, job loss, political interest, financial stress, religious practice, or medical concerns. That is why privacy risk is not only about whether a form asks for a name. It is about whether the system can connect enough observations to profile a person.

The U.S. Federal Trade Commission has made a similar point about data brokers. Its report, Data Brokers: A Call for Transparency and Accountability, found that brokers collect data from extensive online and offline sources, often without consumers' knowledge. Big Tech platforms are not identical to data brokers, but the underlying lesson is the same: opacity plus scale creates asymmetric knowledge.

Analytics Is Part of the Power Story

Website owners often install invasive analytics not because they want surveillance, but because the dominant tools are bundled into advertising, search, and conversion optimization workflows.

This creates a dependency loop:

• Ads require conversion measurement.
• Conversion measurement requires scripts.
• Scripts feed platform reporting.
• Platform reporting shapes budget decisions.
• Budget decisions make the platform harder to leave.

Google Analytics is the clearest example. The product is useful and familiar, but its role in the broader Google ecosystem creates legal and trust questions. Several European data protection authorities found that specific uses of Google Analytics involved unlawful transfers of personal data to the United States after the Schrems II ruling. The Italian authority's decision, summarized by the European Data Protection Board, said Google Analytics transfers lacked adequate safeguards in that case (EDPB summary).

For a small business, the practical question is not "Is Google evil?" It is "Do we need this much data, this many third parties, and this level of legal complexity to understand our website?"

Often, the answer is no.

The Case for Proportionate Measurement

A privacy-first analytics strategy starts with proportionality:

• Measure aggregate visits, sources, pages, and conversions.
• Use UTMs to understand campaigns without cross-site tracking.
• Avoid personal identifiers unless a specific workflow requires them.
• Keep retention short enough to match the business need.
• Separate product analytics from advertising profiles.
• Make analytics understandable in the privacy notice.

This does not prevent a company from learning. It prevents analytics from becoming a silent data exhaust pipe into a larger profiling system.

What Regulation Is Trying to Fix

The GDPR addresses lawful basis, transparency, purpose limitation, data minimization, user rights, and international transfers. The DMA addresses platform gatekeeping and unfair data advantages. The Digital Services Act addresses systemic platform risks and transparency. California's privacy laws and Delete Act address consumer rights and data brokers.

These laws differ, but they share a direction of travel: large-scale data extraction is no longer treated as a harmless default.

For smaller companies, that is an opportunity. You do not need to wait for enforcement against the largest platforms to build a better measurement stack. Reducing dependency on invasive tracking can lower compliance risk, improve page speed, simplify consent, and make your privacy promise easier to defend.

What Businesses Should Do Now

Audit where customer and visitor data goes. Include analytics scripts, pixels, chat tools, heatmaps, CDPs, CRMs, email platforms, and ad networks.

For each tool, ask:

• What data does it collect?
• Is the data personal, pseudonymous, or aggregate?
• Is it shared with a third party for that party's own purposes?
• Does it leave the visitor's region?
• Do we have a lawful basis and a clear notice?
• Could we answer the same business question with less data?

Then remove or replace tools that fail the test. A simple analytics setup that answers 90% of operational questions is often better than a complex system nobody can explain during a privacy review.

Smaller-Stack Actions

Turn the privacy concern into controls a small business can actually own: remove unnecessary third-party scripts, avoid broker enrichment, keep analytics aggregate where possible, shorten raw-data retention, publish plain-language data use, and make opt-outs easy. The value is not only compliance. A smaller data footprint means fewer vendors to review, fewer breach consequences, fewer consent prompts, and a clearer trust story.

The Bottom Line

Big Tech's privacy problem is not size alone. It is the combination of dominant access, cross-service data, advertising incentives, and weak user choice. Businesses can respond by choosing measurement tools that fit the actual decision at hand: enough data to improve the website, not enough to participate in a surveillance economy by default.