Well, this is big. The U.K.’s competition regulator looks set to get an emergency brake that will allow it to stop Google from ending support for third-party cookies, a technology that’s currently used for targeting online ads, if it believes competition would be harmed by the deprecation going ahead. The development follows an investigation by the Competition and Markets Authority (CMA) into Google’s self-styled “Privacy Sandbox” earlier this year. The regulator will have the power to order a standstill of at least 60 days on any move by Google to remove support for cookies from Chrome if it accepts a set of legally binding commitments the latter has offered — and which the regulator has today issued a notification of intention to accept.
The CMA could also reopen a fuller investigation if it’s unhappy with how things look when it orders any standstill to stop Google from crushing tracking cookies. It follows that the watchdog could also block Google’s more comprehensive “Privacy Sandbox” technology transition entirely — if it decides the shift cannot be done in a way that doesn’t harm competition. However, the CMA said today it takes the “provisional” view that Google’s set of commitments will address competition concerns related to its proposals. It’s now opened a consultation to see if the industry agrees — with the feedback line open until July 8. Commenting in a statement, Andrea Coscelli, the CMA’s chief executive, said:
“If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising, and safeguarding users’ privacy.” In a blog post sketching what it’s pledged — under three broad headlines of “Consultation and collaboration,” “No data advertising advantage for Google products,” and “No self-preferencing” — Google writes that if the CMA accepts its commitments, it will “apply them globally”, making the U.K.’s intervention potentially hugely significant.
It’s perhaps one slightly unexpected twist of Brexit that puts the U.K. in a position to make critical decisions about the rules for global digital advertising. (The European Union is also working on new regulations for platform giants’ operations, but the CMA’s intervention on Privacy Sandbox does not yet have a direct equivalent in Brussels.) That Google is choosing to offer to turn a U.K. competition intervention into a global commitment is itself very interesting. It may be partly an added sweetener — nudging the CMA to accept the offer so it can feel like a global standard-setter.
At the same time, businesses do love operational certainty. So if Google can hash out a set of rules accepted by one (relatively) primary market because they’ve been co-designed with national oversight bodies and then scale those rules everywhere, it may create a shortcut path to avoiding any more regulator-enforced bumps. So Google may see this as a smoother path toward the sought-for transition for its adtech business to a post-cookie future. Of course, it also wants to avoid being ordered to stop entirely (or, well, maybe not! Either outcome would indeed work for Google).
More broadly, engaging with the fast-paced U.K. regulator could be a strategy for Google to try to surf over the political deadlocks and risks that can characterize discussions on digital regulation in other markets (especially its home turf of the U.S. — where there has been a growing drumbeat of calls to break up tech giants; and where Google specifically now faces several antitrust investigations). The outcome it may be hoping for is being able to point to regulator-stamped “compliance” — so that it can claim it as evidence that there’s no need for its ad empire to be broken up. (Or to have a regulator order that it can’t make privacy-centric changes.) Google’s offering of commitments also signifies that regulators who move fastest to tackle the power of tech giants will be the ones helping to define and set the standards and conditions that apply to web users everywhere. At least — unless or until — more radical interventions rain down on big tech.
What is Privacy Sandbox?
Privacy Sandbox is a complex stack of interlocking technology proposals for replacing current ad tracking methods (which are widely seen as horrible for user privacy) with alternative infrastructure that Google claims will be better for individual privacy and also still allow the adtech and publishing industries to generate (it claims much the same) revenue by targeting ads at cohorts of web users — who will be put into “interest buckets” based on what they look at online. The full details of the proposals (which include components like FLoCs, aka Google’s proposed new ad I.D. based on federated learning of cohorts, and Fledge/Turtledove, Google’s suggested new ad delivery technology) have not yet been set in stone.
Nonetheless, Google announced in January 2020 that it intended to end support for third-party cookies within two years. That rather nippy time frame has likely concentrated opposition, with pushback from the adtech industry and (some) publishers concerned it will significantly impact their ad revenues when individual-level ad targeting goes away. The CMA began to look into Google’s planned deprecation of tracking cookies after complaints that the transition to a new infrastructure of Google’s devising will merely increase Google’s market power — by locking down third parties’ ability to track internet users for ad targeting while leaving Google with a high-dimension view of what people get up to online as a result of its expansive access to first-party data (gleaned through its dominance for consumer web services). The executive summary of today’s CMA notice lists its concerns that, without proper regulatory oversight, Privacy Sandbox might:
- distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
- distort competition by the self-preferencing of Google’s advertising products and services and operated ad inventory; and
- allow Google to exploit its dominant position by denying Chrome web users a substantial choice regarding whether and how their data is used to target and deliver advertising.
At the same time, privacy concerns around the ad tracking and targeting of internet users are undoubtedly putting pressure on Google to retool Chrome (which dominates the web browser market share) — given that other web browsers have been stepping up efforts to protect their users from online surveillance by doing stuff like blocking trackers for years. Web users hate creepy ads, so they’ve been turning to ad blockers in droves. Numerous major data scandals have also increased awareness of privacy and security. And — in Europe and elsewhere — digital privacy regulations have been toughened up or introduced in recent years. So, the “what’s acceptable” line for ad businesses to do online has been shifting.
But the critical issue here is how privacy and competition regulation interact — and potentially conflict — with the very salient risk that ill-thought-through and overly direct competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place). Poor privacy enforcement and banhammer-wielding competition regulators are not a good recipe for protecting web users’ rights. However, there is a cautious reason for optimism here.
Last month, the CMA and the U.K.’s Information Commissioner’s Office (ICO) issued a joint statement in which they discussed the importance of having competition and data protection in digital markets — citing the CMA’s Google Privacy Sandbox probe as an excellent example of a case that requires nuanced joint working. Or, as they put it: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”
That said, the ICO’s record on enforcement against rights-trampling adtech is non-existent, and its preference for regulatory inaction in the face of adtech industry lobbying should offset any quantum of optimism derived from the bald fact of the U.K.’s privacy and competition regulators’ “joint working”. (The CMA, by contrast, has been active in the digital space since gaining more expansive powers to pursue investigations post-Brexit. It is also configuring a new unit that will oversee a pro-competition regime in which the U.K. explicitly wants to clip the wings of big tech. In recent years, it took a deep-dive look at competition in the digital ad market. Hence, it’s armed with plenty of knowledge.)
What has Google committed to?
The CMA writes that Google has made “substantial and wide-ranging” commitments vis-à-vis Privacy Sandbox — which it says include:
- A commitment to develop and implement the proposals to avoid distortions to competition and the imposition of unfair terms on Chrome users. This includes a commitment to involve the CMA and the ICO in developing the Proposals to ensure this objective is met.
- Increased transparency from Google on how and when the proposals will be taken forward and on what basis they will be assessed. This includes a commitment to publicly disclose the results of tests on the effectiveness of alternative technologies.
- Substantial limits on how Google will use and combine individual user data for digital advertising after removing third-party cookies.
- A commitment that Google will not discriminate against its rivals in favor of its advertising and ad-tech businesses when designing or operating alternatives to third-party cookies.
- A standstill period of at least 60 days before Google proceeds with the removal of third-party cookies, allowing the CMA to reopen its investigation if any outstanding concerns cannot be resolved with Google and, if necessary, impose any interim measures needed to avoid harm to competition.
Google also writes: “Throughout this process, we will engage the CMA and the industry in an open, constructive, and continuous dialogue. This includes proactively informing the CMA and the wider ecosystem of timelines, changes, and tests while developing the Privacy Sandbox proposals, building on our transparent approach to date.” “We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO,” it adds. Google’s commitments cover several areas directly related to competition — such as self-preferencing, non-discrimination, and stipulations that it will not combine user data from specific sources that might give it an advantage versus third parties.
However, privacy is also being explicitly baked into the competition consideration here, per the CMA — which writes that the commitments will [emphasis ours]: An ICO spokeswoman also pointed out that one of the first commitments obtained from Google under the CMA’s intervention “focuses on privacy and data protection”. “As outlined in our recent joint statement with the CMA, we believe consumers benefit when their data is used lawfully and responsibly and digital innovation and competition are supported. We continue to build upon our positive and close relationship with the CMA to protect consumer interests as we assess the proposals.”
This development in the CMA’s investigation raises plenty of questions, large and small — most pressingly over the future of crucial web infrastructure and what the changes being hashed out here between Google and U.K. regulators might mean for internet users everywhere. The huge issue is whether “co-design” with oversight bodies is the best way to fix the market power imbalance flowing from a single tech giant being able to combine massive dominance in digital consumer services with duopoly dominance in adtech. Others would say that breaking up Google’s consumer tech and Google’s adtech is the only way to fix the abuse — and everything else is just fiddling while Rome burns.
Google, for instance, is still in charge of proposing the changes itself — regardless of how much pre-implementation consultation and tweaking goes on. It’s still steering the ship, and many people believe that’s not an acceptable governance model for the open web. It should be noted that, in parallel, the U.K. government and CMA are seeking a more comprehensive pro-competition regime that could result in more profound interventions into how Google and other platform giants operate. So, more interventions are all but guaranteed. For now, though, Google is probably happy about the opportunity to work with U.K. regulators. If it can pull oversight bodies deep down into the details of the changes it wants to (or feels it has to) make, that’s likely a far more comfortable spot for Mountain View versus being served with an order to break its business up — something the CMA has previously taken feedback on.
Some wider questions
In response to our questions, Google has sent some additional background information. Via these other remarks, the company resists the suggestion that there will be any “co-designing” of Privacy Sandbox under the proposed commitments, saying that this is about oversight from and collaboration with the CMA. But, well, that might just be Google seeking to split hairs. It confirmed its commitments (around design and testing) cover all the proposed technologies in the Privacy Sandbox. So this isn’t just about tracking cookies — and will apply to whatever may (or may not) replace them.
Asked whether it has an alternative/s in mind if the CMA orders that it can’t deprecate tracking cookies — or whether such an order would essentially mean Privacy Sandbox is dead — Google declined to speculate. But it also said it believes the web is at risk if it doesn’t keep up with users’ expectations around privacy, claiming it’s firmly committed to the Privacy Sandbox project and hoping the engagement with the CMA will help alleviate industry concerns about the planned transition. It also told us it would continue to work on the project rather than halt work to wait for the CMA’s consultation outcome.
But it declined to respond when asked if it sees any implications (e.g., a delay) for the original timeline for implementing Privacy Sandbox due to the regulator’s intervention. Asked about the governance model for Privacy Sandbox — and whether it’s fair that Google is redesigning such a core web infrastructure — it argued it’s doing this collaboratively with the industry via fora such as the W3C. However, W3C groups don’t have leverage over Google’s decisions. And while it is being made to widen its outreach now — by looping U.K. regulators into proposal discussions — the proposals and decisions are still Google’s own. So the concern for some is that Google is engaging in what amounts to a “theatre of collaboration” — providing cover as it unilaterally conducts a major retooling with implications for entire online industries.
Commenting on the governance point, Dr. Lukasz Olejnik, an independent privacy and cybersecurity researcher and consultant who has written about the governance of privacy-preserving systems, told TechCrunch: “It seems that Google is certainly trying its best at collaborations and trying to hear the feedback from various parties. This happens, for example, within the W3C Group venue. It is unclear to me if there is any governance model of the Privacy Sandbox at the present moment. I would say there is none. And the devil here is in the details. “The issue is, there has to be a way of agreeing to some changes or modifications being deployed. What are the guarantees that assuming a good proposal is put forward, it is taken for implementation? What is the legitimization now? Furthermore, it is unclear what the future maintenance or development of the proposal stacks would look like.
“Google certainly cannot claim they have a legitimate right to decide unilaterally. I don’t think they also want to argue that this is the case. I would suggest a semi-formal governance structure that accepts feedback from or represents the actors involved — the users, publishers, user agents, advertisers, and privacy experts or researchers. It’s the first time we see an attempt to deploy privacy-preserving ad systems, so it would be great to have it future-proofed.” TechCrunch also asked Google about the ad-serving component of the Privacy Sandbox proposals — and how Google believes its proposed architecture respects user privacy. Google didn’t offer a lot of detail on this. Still, it suggested the Turtledove proposal — i.e., that advertisers serve ads based on one or more interest groups without combining that interest group with other information about the user (e.g., who they are or what page they are visiting) — is more privacy-preserving than the current way of doing things with tracking cookies (i.e., individual-level targeting).
It also suggested that the Fledge component of its proposal aims to build on Turtledove by proposing a trusted third-party server — to address concerns about information being stored in the browser. Google confirmed it would be engaging proactively with the CMA about the design and testing of both technology proposals, as they sit within the Privacy Sandbox, further noting the competition watchdog will be getting direct input from the ICO during this process. So, again, U.K. regulators will now have a front-row seat at the table where the proposed changes are being discussed. And Google added that it believes its proposed commitments are significant in reassuring the market.
Whether this “collaboration” results in tweaks to the Privacy Sandbox that are “pro-competition” but worse for people’s privacy remains to be seen. If so, it would be a massive failure of the CMA-ICO claims of joint working (“to ensure that both privacy and competition concerns can be addressed”). But it’s fair to say that privacy regulators faced with the fierce lobbying of adtech interests have often ignored users’ rights. Still, in seeking to co-opt competition regulators to their cause, the adtech lobby may at least force a regulatory reckoning on a key issue. Elsewhere in Europe, privacy abuse is also seen as a competition concern. So they should be careful what they wish for.