Well this is big. The UK’s competition regulator looks set to get an emergency brake that will allow it to stop Google ending support for third party cookies, a technology that’s currently used for targeting online ads, if it believes competition would be harmed by the depreciation going ahead.
The development follows an investigation opened by the Competition and Markets Authority (CMA) into Google’s self-styled ‘Privacy Sandbox’ earlier this year.
The regulator will have the power to order a standstill of at least 60 days on any move by Google to remove support for cookies from Chrome if it accepts a set of legally binding commitments the latter has offered — and which the regulator has today issued a notification of intention to accept.
The CMA could also reopen a fuller investigation if it’s not happy with how things are looking at the point it orders any standstill to stop Google crushing tracking cookies.
It follows that the watchdog could also block Google’s wider ‘Privacy Sandbox’ technology transition entirely — if it decides the shift cannot be done in a way that doesn’t harm competition. However the CMA said today it takes the “provisional” view that the set of commitments Google has offered will address competition concerns related to its proposals.
It’s now opened a consultation to see if the industry agrees — with the feedback line open until July 8.
Commenting in a statement, Andrea Coscelli, the CMA’s chief executive, said:
“The emergence of tech giants such as Google has presented competition authorities around the world with new challenges that require a new approach.
“That’s why the CMA is taking a leading role in setting out how we can work with the most powerful tech firms to shape their behaviour and protect competition to the benefit of consumers.
“If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising and safeguarding users’ privacy.”
In a blog post sketching what it’s pledged — under three broad headlines of ‘Consultation and collaboration’; ‘No data advertising advantage for Google products’; and ‘No self-preferencing’ — Google writes that if the CMA accepts its commitments it will “apply them globally”, making the UK’s intervention potentially hugely significant.
It’s perhaps one slightly unexpected twist of Brexit that it’s put the UK in a position to be taking key decisions about the rules for global digital advertising. (The European Union is also working on new rules for how platform giants can operate but the CMA’s intervention on Privacy Sandbox does not yet have a direct equivalent in Brussels.)
That Google is choosing to offer to turn a UK competition intervention into a global commitment is itself very interesting. It may be there in part as an added sweetener — nudging the CMA to accept the offer so it can feel like a global standard setter.
At the same time, businesses do love operational certainty. So if Google can hash out a set of rules that are accepted by one (fairly) major market, because they’ve been co-designed with national oversight bodies, and then scale those rules everywhere it may create a shortcut path to avoiding any more regulator-enforced bumps in the future.
So Google may see this as a smoother path toward the sought for transition for its adtech business to a post-cookie future. Of course it also wants to avoid being ordered to stop entirely.
More broadly, engaging with the fast-paced UK regulator could be a strategy for Google to try to surf over the political deadlocks and risks which can characterize discussions on digital regulation in other markets (especially its home turf of the U.S. — where there has been a growing drumbeat of calls to break up tech giants; and where Google specifically now faces a number of antitrust investigations).
The outcome it may be hoping for is being able to point to regulator-stamped ‘compliance’ — in order that it can claim it as evidence there’s no need for its ad empire to be broken up.
Google’s offering of commitments also signifies that regulators who move fastest to tackle the power of tech giants will be the ones helping to define and set the standards and conditions that apply for web users everywhere. At least unless or until any more radical interventions rain down on big tech.
What is Privacy Sandbox?
Privacy Sandbox is a complex stack of interlocking technology proposals for replacing current ad tracking methods (which are widely seen as horrible for user privacy) with alternative infrastructure that Google claims will be better for individual privacy and also still allow the adtech and publishing industries to generate (it claims much the same) revenue by targeting ads at cohorts of web users — who will be put into ‘interest buckets’ based on what they look at online.
The full details of the proposals (which include components like FLoCs, aka Google’s proposed new ad ID based on federated learning of cohorts; and Fledge/Turtledove, Google’s suggested new ad delivery technology) have not yet been set in stone.
Nonetheless, Google announced in January 2020 that it intended to end support for third party cookies within two years — so that rather nippy timeframe has likely concentrated opposition, with pushback coming from the adtech industry and (some) publishers who are concerned it will have a major impact on their ad revenues when individual-level ad targeting goes away.
The CMA began to look into Google’s planned depreciating of tracking cookies after complaints that the transition to a new infrastructure of Google’s devising will merely increase Google’s market power — by locking down third parties’ ability to track Internet users for ad targeting while leaving Google with a high dimension view of what people get up to online as a result of its expansive access to first party data (gleaned through its dominance for consumer web services).
The executive summary of today’s CMA notice lists its concerns that, without proper regulatory oversight, Privacy Sandbox might:
distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services, by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
distort competition by the self-preferencing of Google’s own advertising products and services and owned and operated ad inventory; and
allow Google to exploit its apparent dominant position by denying Chrome web users substantial choice in terms of whether and how their personal data is used for the purpose of targeting and delivering advertising to them.
At the same time, privacy concerns around the ad tracking and targeting of Internet users are undoubtedly putting pressure on Google to retool Chrome (which ofc dominates web browser marketshare) — given that other web browsers have been stepping up efforts to protect their users from online surveillance by doing stuff like blocking trackers for years.
Web users hate creepy ads — which is why they’ve been turning to ad blockers in droves. Numerous major data scandals have also increased awareness of privacy and security. And — in Europe and elsewhere — digital privacy regulations have been toughened up or introduced in recent years. So the line of ‘what’s acceptable’ for ad businesses to do online has been shifting.
The key issue is how privacy and competition regulation interacts — and potentially conflicts — with the very salient risk that ill-thought through and overly blunt competition interventions could essentially lock in privacy abuses of web users as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place.
Poor privacy enforcement coupled with banhammer-wielding competition regulators does not look like a good recipe for protecting web users’ rights.
However there is cautious reason for optimism here.
Last month the CMA and the UK’s Information Commissioner’s Office (ICO) issued a joint statement in which they discussed the importance of having competition and data protection in digital markets — citing the CMA’s Google Privacy Sandbox probe as a good example of a case that requires nuanced joint working.
Or, as they put it then: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals, and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”
Although the ICO’s record on enforcement against rights-trampling adtech is, well, non-existent.
So its preference for regulatory inaction in the face of adtech industry lobbying should off-set any quantum of optimism derived from the bald fact of the UK’s privacy and competition regulators’ ‘joint working’. (The CMA, by contrast, has been very active in the digital space since gaining, post-Brexit, wider powers to pursue investigations. And in recent years took a deep dive look at competition in the digital ad market, so it’s armed with plenty of knowledge. It is also in the process of configuring a new unit that will oversee a pro-competition regime which the UK explicitly wants to clip the wings of big tech.)
What has Google committed to?
The CMA writes that Google has made “substantial and wide-ranging” commitments vis-a-vis Privacy Sandbox — which it says include:
A commitment to develop and implement the proposals in a way that avoids distortions to competition and the imposition of unfair terms on Chrome users. This includes a commitment to involve the CMA and the ICO in the development of the Proposals to ensure this objective is met.
Increased transparency from Google on how and when the proposals will be taken forward and on what basis they will be assessed. This includes a commitment to publicly disclose the results of tests of the effectiveness of alternative technologies.
Substantial limits on how Google will use and combine individual user data for the purposes of digital advertising after the removal of third-party cookies.
A commitment that Google will not discriminate against its rivals in favour of its own advertising and ad-tech businesses when designing or operating the alternatives to third-party cookies.
A standstill period of at least 60 days before Google proceeds with the removal of third party cookies giving the CMA the opportunity, if any outstanding concerns cannot be resolved with Google, to reopen its investigation and, if necessary, impose any interim measures necessary to avoid harm to competition.
Google also writes that: “Throughout this process, we will engage the CMA and the industry in an open, constructive and continuous dialogue. This includes proactively informing both the CMA and the wider ecosystem of timelines, changes and tests during the development of the Privacy Sandbox proposals, building on our transparent approach to date.”
“We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO,” it adds.
Google’s commitments cover a number of areas directly related to competition — such as self-preferencing, non-discrimination, and stipulations that it will not combine user data from specific sources that might give it an advantage vs third parties.
However privacy is also being explicitly baked into the competition consideration, here, per the CMA — which writes that the commitments will [emphasis ours]:
Establish the criteria that must be taken into account in designing, implementing and evaluating Google’s Proposals. These include the impact of the Privacy Sandbox Proposals on: privacy outcomes and compliance with data protection principles; competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants; the ability of publishers to generate revenue from ad inventory; and user experience and control over the use of their data.
An ICO spokeswoman was also keen to point out that one of the first commitments obtained from Google under the CMA’s intervention “focuses on privacy and data protection”.
In a statement, the data watchdog added:
“The commitments obtained mark a significant moment in the assessment of the Privacy Sandbox proposals. They demonstrate that consumer rights in digital markets are best protected when competition and privacy are considered together.
“As we outlined in our recent joint statement with the CMA, we believe consumers benefit when their data is used lawfully and responsibly, and digital innovation and competition are supported. We are continuing to build upon our positive and close relationship with the CMA, to ensure that consumer interests are protected as we assess the proposals.”
This development in the CMA’s investigation raises plenty of questions, large and small — most pressingly over the future of key web infrastructure and what the changes being hashed out here between Google and UK regulators might mean for Internet users everywhere.
The really big issue is whether ‘co-design’ with oversight bodies is the best way to fix the market power imbalance flowing from a single tech giant being able to combine massive dominance in consumer digital services with duopoly dominance in adtech.
Others would say that breaking up Google’s consumer tech and Google’s adtech is the only way to fix the abuse — and eveything else is just fiddling while Rome burns.
Google, for instance, is still in charge of proposing the changes itself — regardless of how much pre-implementation consultation and tweaking goes on. It’s still steering the ship and there are plenty of people who believe that’s not an acceptable governance model for the open web.
But, for now at least, the CMA wants to try to fiddle.
It should be noted that, in parallel, the UK government and CMA are speccing out a wider pro-competition regime that could result in deeper interventions into how Google and other platform giants operate in the future.
For now, though, Google is probably feeling pretty happy for the opportunity to work with UK regulators. If it can pull oversight bodies deep down in the detail of the changes it wants to make that’s likely a far more comfortable spot for Mountain View vs being served with an order to break its business up — something the CMA has previously taken feedback on.
Google has been contacted with questions on its Privacy Sandbox commitments.