Apology of the regulator

Published on December 13, 2023 · 6 mins

Three things that I love, in no particular order: countries that are both very cold and very sunny, Donald Duck impressions (especially if there’s a puppet involved), and e-commerce regulation.

But since this is not a travel newsletter, and it’s most definitely not a Donald Duck newsletter (let me know if one exists), today we’re talking about e-commerce regulation. More specifically, we’re talking about the hidden opportunities that are sometimes created through regulatory initiatives.

We’ll start with a personal story.

When the GDPR was initially passed in 2016, I was not at Nebulab yet. Instead, I worked as a fractional CTO, and some of my clients were based in Europe. I remember the sheer disgust on their faces as I explained to them the technical, operational, and financial implications of this new law that no one really understood. Back then, we all felt like no consumer in their right mind would spend their time writing angry emails asking you to delete their data.

Fast forward a few years, and people will now eat you alive if they get a whiff that you’re doing something even remotely sketchy with their personal information. As a result, (most) companies treat data security and portability as must-haves, not something to add when you need to pass an audit.

In retrospect, there were a few elements that contributed to the success of the GDPR (besides the hefty fines for non-compliance):

  • It rode an existing cultural shift. The GDPR wasn’t born in a vacuum. It resulted from increasing consumer pressure to have more visibility and ownership over their data. It gave dignity to the idea that a person’s information is theirs to manage, however and whenever they want.
  • It was detailed enough to become a standard. The GDPR outlines a clear set of rights, standards, and timelines that companies must respect when dealing with consumer data. The fine framework is also straightforward, making it easy to enforce the regulation and run a cost-benefit analysis on (non-)compliance.
  • It was flexible enough to accommodate reality. Despite that, the GDPR is still generic enough to play nice with a wide range of scenarios and use cases. While GDPR compliance doesn’t come for free, it’s a regulatory framework created for real businesses working with real consumers, with all its nuances and edge cases.

However, there’s one thing that the GDPR didn’t have but that would have made it absolutely perfect. It’s the one element that transforms compliance from something you have to do into something you want to do.

It’s the ability to create economic opportunity.


India might be the most successful country in the world in creating economic opportunity through regulation. They first did it with the Unified Payments Interface, an open-source protocol for instant money transfers between bank accounts. UPI has become the de facto standard for domestic electronic payments, handling roughly 15% of India’s GDP.

Their current project, however, is much more ambitious: the Open Network for Digital Commerce is (again) an open-source protocol to power the country’s entire e-commerce infrastructure in a standardized, interoperable, and decentralized way. The ONDC aims to give e-commerce infrastructure operators (carriers, warehouses, brands, platforms, etc.) a single communication protocol, allowing even the smallest players to natively integrate with the entire ONDC network.

McKinsey estimates that, once it’s fully operational, the ONDC could increase digital consumption in India by $340 billion—how’s that for value creation?

The ONDC reminds me of a concept recently outlined by Filippo Conforti, CEO of Commerce Layer. In a blog post entitled “The commerce layer” (duh!), he describes commerce as a latent component of Internet infrastructure, a plane of consumer interaction that merits its own place in the OSI model.

I wholeheartedly agree with Filippo, and I entertained similar thoughts in the past: commerce in all its forms is core to the fabric of our society, and it’s screaming for standardization.

In Europe, we’re finally making some timid steps in that direction. The European Commission is discussing design and implementation proposals for a Digital Product Passport (DPP). The idea is to require every product manufactured in the EU (or imported into the EU) to embed a data carrier (an NFC chip, a QR code, or a barcode) that provides consumers, manufacturers, and regulators with data about the product’s supply chain, materials, impact, ownership, and anything else that might be useful as the product changes hands.

The DPP ticks all three checkboxes we’d like to see in regulatory initiatives:

  • It rides an existing cultural shift—consumers becoming more interested in supply chain transparency and circular economy.
  • It’s detailed enough to become a standard—the spirit of the proposal and the regulatory requirements are clearly outlined.
  • It’s flexible enough to accommodate reality—DPPs will support different vendors, deployment architectures, and customer experiences.

In the last point also lies the economic value of DPPs: for virtuous brands, product passports can be an opportunity to turn a tedious compliance burden into a source of consumer delight and first-party data.

Imagine this: you’re buying a secondhand watch online. Rather than going through a third-party authenticator, you can just inspect the product’s DPP to verify its authenticity, which will also provide you with information about the brand, their supply chain, and their manufacturing practices. Perhaps you can subscribe to their newsletter or follow them on social media.

When you finally buy the watch, ownership of the DPP is automatically transferred to you, which in turn gives the brand valuable data about the resale market for their products. While these interactions are not a native part of the DPP standard, they’re not impossible either, and they are the kind of possibility that would make more brands excited to adopt the standard.

At this point, you might be thinking: so what? I can already slap a QR code on a pair of trousers, point it to my website, and call it a day, and it’s going to be much cheaper and easier to do it on my own than to follow the EU’s regulatory requirements.

To which I say: of course you can, and given enough brand equity, you might be able to get a few people to scan it. But for the average brand, there’s no chance whatsoever that a consumer will take the time to go through that process—it’s just not ingrained in their thought pattern.

Thoughtful regulation is a forcing function for cultural imprinting, and therein lies its beauty. By changing how we see ourselves and the world, it enables unique experiences, creates novel opportunities, and increases the wealth (however you want to define it) of all the actors it touches.

Just like the GDPR ushered in a new era of intentionality and awareness around consumer data rights, and the ONDC allowed small e-commerce infrastructure providers to compete with industry giants, DPPs have the potential to enrich and augment consumer interactions, creating more depth in our economy.

But for that to happen, we need to recognize regulatory opportunities and capitalize on them when the time comes. Regulators should take it upon themselves to advertise those opportunities as a first-class feature rather than treating them as an afterthought.

With every useful protocol, with every well-designed regulation, we get one step closer to having an actual, tangible commerce layer, and that’s something I, for one, can get behind.

See you soon?

© 2025 Alessandro Desantis