Well, this is big. The U.K.’s competition regulator looks set to get an emergency brake that will allow it to stop Google from ending support for third-party cookies, a technology that’s currently used for targeting online ads if it believes competition would be harmed by the depreciation going ahead.
The development follows an investigation by the Competition and Markets Authority (CMA) into Google’s self-styled ‘Privacy Sandbox’ earlier this year. The regulator will have the power to order a standstill of at least 60 days on any move by Google to remove support for cookies from Chrome if it accepts a set of legally binding commitments the latter has offered — and which the regulator has today issued a notification of intention to buy.
The CMA could also reopen a fuller investigation if it’s unhappy with how things look when it orders any standstill to stop Google from crushing tracking cookies. It follows that the watchdog could also block Google’s wider ‘Privacy Sandbox’ technology transition entirely — if it decides the shift cannot be done in a way that doesn’t harm competition. However, the CMA said today it takes the “provisional” view that Google’s set of commitments will address competition concerns related to its proposals.
It’s now opened a consultation to see if the industry agrees — with the feedback line open until July 8. Commenting in a statement, Andrea Coscelli, the CMA’s chief executive, said: “The emergence of tech giants such as Google has presented competition authorities around the world with new challenges that require a new approach.
“That’s why the CMA is taking a leading role in setting out how we can work with the most powerful tech firms to shape their behavior and protect competition to benefit consumers. “If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising, and safeguarding users’ privacy.”
In a blog post sketching what it’s pledged — under three broad headlines of ‘Consultation and collaboration’; ‘No data advertising advantage for Google products’; and ‘No self-preferencing’ — Google writes that if the CMA accepts its commitments, it will “apply them globally”, making the U.K.’s intervention potentially hugely significant.
It’s perhaps one slightly unexpected twist of Brexit that puts the U.K. in a position to make critical decisions about the rules for global digital advertising. (The European Union is also working on new regulations for platform giants’ operations, but the CMA’s intervention on Privacy Sandbox does not yet have a direct equivalent in Brussels.)
That Google is choosing to offer to turn a U.K. competition intervention into a global commitment is itself very interesting. It may be partly an added sweetener — nudging the CMA to accept the offer so it can feel like a global standard setter.
At the same time, businesses do love operational certainty. So if Google can hash out a set of rules accepted by one (relatively) primary market because they’ve been co-designed with national oversight bodies and then scale those rules everywhere, it may create a shortcut path to avoiding any more regulator-enforced bumps in the future.
So Google may see this as a smoother path toward the sought-for transition for its adtech business to a post-cookie future. Of course, it also wants to avoid being ordered to stop entirely (or, well, maybe not! Either outcome would indeed work for Google).
More broadly, engaging with the fast-paced U.K. regulator could be a strategy for Google to try to surf over the political deadlocks and risks which can characterize discussions on digital regulation in other markets (especially its home turf of the U.S. — where there has been a growing drumbeat of calls to break up tech giants; and where Google specifically now faces several antitrust investigations).
The outcome it may be hoping for is being able to point to regulator-stamped ‘compliance’ — so that it can claim it as evidence, there’s no need for its ad empire to be broken up. (Or to have a regulator order that it can’t make privacy-centric changes.)
Google’s offering of commitments also signifies that regulators who move fastest to tackle the power of tech giants will be the ones helping to define and set the standards and conditions that apply to web users everywhere. At least — unless or until — more radical interventions rain down on big tech.
What is Privacy Sandbox?
Privacy Sandbox is a complex stack of interlocking technology proposals for replacing current ad tracking methods (which are widely seen as horrible for user privacy) with alternative infrastructure that Google claims will be better for individual privacy and also still allow the adtech and publishing industries to generate (it claims much the same) revenue by targeting ads at cohorts of web users — who will be put into ‘interest buckets’ based on what they look at online.
The full details of the proposals (which include components like FLoCs, aka Google’s proposed new ad I.D. based on federated learning of cohorts, and Fledge/Turtledove, Google’s suggested new ad delivery technology) have not yet been set in stone. Nonetheless, Google announced in January 2020 that it intended to end support for third-party cookies within two years. So that rather nippy timeframe has likely concentrated opposition, with pushback coming from the adtech industry and (some) publishers concerned it will significantly impact their ad revenues when individual-level ad targeting goes away.
The CMA began to look into Google’s planned depreciating of tracking cookies after complaints that the transition to a new infrastructure of Google’s devising will merely increase Google’s market power — by locking down third parties’ ability to track Internet users for ad targeting while leaving Google with a high dimension view of what people get up to online as a result of its expansive access to first-party data (gleaned through its dominance for consumer web services). The executive summary of today’s CMA notice lists its concerns that, without proper regulatory oversight, Privacy Sandbox might:
- distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
- distort competition by the self-preferencing of Google’s advertising products and services and owned and operated ad inventory; and
- allow Google to exploit its dominant position by denying Chrome web users a substantial choice regarding whether and how their data is used to target and deliver advertising.
At the same time, privacy concerns around the ad tracking and targeting of Internet users are undoubtedly putting pressure on Google to retool Chrome (which dominates web browser marketshare) — given that other web browser have been stepping up efforts to protect their users from online surveillance by doing stuff like blocking trackers for years.
Web users hate creepy ads, so they’ve been turning to ad blockers in droves. Numerous major data scandals have also increased awareness of privacy and security. And — in Europe and elsewhere — digital privacy regulations have been toughened up or introduced in recent years. So the ‘what’s acceptable’ line for ad businesses to do online has been shifting.
But the critical issue here is how privacy and competition regulation interact — and potentially conflict — with the very salient risk that ill-thought-through and overly direct competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place). Poor privacy enforcement and banhammer-wielding competition regulators are not a good recipe for protecting web users’ rights.
However, there is a cautious reason for optimism here. Last month the CMA and the U.K.’s Information Commissioner’s Office (ICO) issued a joint statement in which they discussed the importance of having competition and data protection in digital markets — citing the CMA’s Google Privacy Sandbox probe as an excellent example of a case that requires nuanced joint working.
Or, as they put it then: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”
Although the ICO’s record on enforcement against rights-trampling adtech is non-existent, its preference for regulatory inaction in the face of adtech industry lobbying should offset any quantum of optimism derived from the bald fact of the U.K.’s privacy and competition regulators’ ‘joint working’.
(The CMA, by contrast, has been very active in the digital space since gaining more expansive powers to pursue investigations post-Brexit. And in recent years, took a deep dive look at the competition in the digital ad market, so it’s armed with plenty of knowledge. It is also configuring a new unit that will oversee a pro-competition regime in which the U.K. explicitly wants to clip the wings of big tech.)
What has Google committed to?
The CMA writes that Google has made “substantial and wide-ranging” commitments vis-a-vis Privacy Sandbox — which it says include:
- A commitment to develop and implement the proposals to avoid distortions to competition and the imposition of unfair terms on Chrome users. This includes a commitment to involve the CMA and the ICO in developing the Proposals to ensure this objective is met.
- Increased transparency from Google on how and when the proposals will be taken forward and on what basis they will be assessed. This includes a commitment to publicly disclose the results of tests on the effectiveness of alternative technologies.
- Substantial limits on how Google will use and combine individual user data for digital advertising after removing third-party cookies.
- It is a commitment that Google will not discriminate against its rivals in favor of its advertising and ad-tech businesses when designing or operating alternatives to third-party cookies.
- A standstill period of at least 60 days before Google proceeds with the removal of third-party cookies allows the CMA to reopen its investigation if any outstanding concerns cannot be resolved with Google and, if necessary, impose any interim measures needed to avoid harm to competition.
Google also writes: “Throughout this process, we will engage the CMA and the industry in an open, constructive, and continuous dialogue. This includes proactively informing the CMA and the wider ecosystem of timelines, changes, and tests while developing the Privacy Sandbox proposals, building on our transparent approach to date.”
“We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO,” it adds. Google’s commitments cover several areas directly related to competition — such as self-preferencing, non-discrimination, and stipulations that it will not combine user data from specific sources that might give it an advantage over third parties.
However, privacy is also being explicitly baked into the competition consideration here, per the CMA — which writes that the commitments will [emphasize ours]: Establish the criteria to consider when designing, implementing, and evaluating Google’s Proposals.
These include the impact of the Privacy Sandbox Proposals on privacy outcomes and compliance with data protection principles; competition in digital advertising and, in particular, the risk of distortion to competition between Google and other market participants; the ability of publishers to generate revenue from ad inventory; and user experience and control over the use of their data.
An ICO spokeswoman also pointed out that one of the first commitments obtained from Google under the CMA’s intervention “focuses on privacy and data protection”. In a statement, the data watchdog added:
“The commitments obtained are significant in assessing the Privacy Sandbox proposals. They demonstrate that consumer rights in digital markets are best protected when competition and privacy are considered together.
“As outlined in our recent joint statement with the CMA, consumers benefit when their data is used lawfully and responsibly, and digital innovation and competition are supported. We continue to build upon our positive and close relationship with the CMA to protect consumer interests as we assess the proposals.”
This development in the CMA’s investigation raises plenty of questions, large and small — most pressingly over the future of crucial web infrastructure and what the changes being hashed out here between Google and U.K. regulators might mean for Internet users everywhere.
The huge issue is whether ‘co-design with oversight bodies is the best way to fix the market power imbalance flowing from a single tech giant to combine massive dominance in digital consumer services with duopoly dominance in adtech.
Google, for instance, is still in charge of proposing the changes itself — regardless of how much pre-implementation consultation and tweaking goes on. It’s still steering the ship, and many people believe that’s not an acceptable governance model for the open web. Others would say that breaking up Google’s consumer tech and Google’s adtech is the only way to fix the abuse — and everything else is just fiddling while Rome burns.
It should be noted that, in parallel, the U.K. government and CMA are seeking a broader pro-competition regime that could result in more profound interventions into how Google and other platform giants operate. So more interventions are all but guaranteed. But, for now, at least, the CMA wants to try to fiddle.
For now, though, Google is probably happy about the opportunity to work with U.K. regulators. Suppose it can pull oversight bodies deep down into the detail of the changes. In that case, it wants to (or feels it has to) make that’s likely a far more comfortable spot for Mountain View vs. being served with an order to break its business up — something the CMA has previously taken feedback on. Google has been contacted with questions on its Privacy Sandbox commitments.
