Digital marketing firms file UK competition complaint against Google’s Privacy Sandbox

Google’s push to phase out third party tracking cookies — aka its ‘Privacy Sandbox’ initiative — is facing a competition challenge in Europe. A coalition of digital marketing companies announced today that it’s filed a complaint with the UK’s Competition and Markets Authority (CMA), calling for the regulator to block implementation of the Sandbox.

The coalition wants Google’s phasing out of third party tracking cookies to be put on ice to prevent the Sandbox launching in early 2021 to give regulators time to devise or propose what it dubs “long term competitive remedies to mitigate [Google’s dominance]”.

“[Our] letter is asking for the introduction of Privacy Sandbox to be delayed until such measures are put in place,” they write in a press release.

The group, which is badging itself as Marketers for an Open Web (MOW), says it’s comprised of “businesses in the online ecosystem who share a concern that Google is threatening the open web model that is vital to the functioning of a free and competitive media and online economy”.

A link on MOW’s website to a list of “members” was not functioning at the time of writing. But, per Companies House, the entity was incorporated on September 18, 2020 — listing James Roswell, CEO and co-founder of UK mobile marketing company, 51 Degrees, as its sole director.

The CMA confirmed to us that it’s received MOW’s complaint, adding that some of the coalition’s concerns reflect issues identified in a detailed review of the online ad market it published this summer.

However it has not yet taken a decision on whether or not to investigate.

“We can confirm we have received a complaint regarding Google raising certain concerns, some of which relate to those we identified in our online platforms and digital advertising market study,” said the CMA spokesperson. “We take the matters raised in the complaint very seriously, and will assess them carefully with a view to deciding whether to open a formal investigation under the Competition Act.

“If the urgency of the concerns requires us to intervene swiftly, we will also assess whether to impose interim measures to order the suspension of any suspected anti-competitive conduct pending the outcome of a full investigation.”

In its final report of the online ad market, the CMA concluded that the market power of Google and Facebook is now so great that a new regulatory approach — and a dedicated oversight body — is needed to address what it summarized as “wide ranging and self reinforcing” concerns.

Although the regulator chose not to take any enforcement action at that point — preferring to wait for the UK government to come forward with pro-competition legislation.

In its statement today, the CMA makes it clear it could still choose to act on related competition concerns if it feels an imperative to do so — including potentially blocking the launch of Privacy Sandbox to allow time for a full investigation — while it waits for legislators to come up with a regulatory framework. Though, again, it has not made any decisions yet.

Reached for a response to the MOW complaint, Google sent us this statement — attributed to a spokesperson:

The ad-supported web is at risk if digital advertising practices don’t evolve to reflect people’s changing expectations around how data is collected and used. That’s why Google introduced the Privacy Sandbox, an open initiative built in collaboration with the industry, to provide strong privacy for users while also supporting publishers.

Also commenting in a statement, MOW’s director Roswell said: “The concept of the open web is based on a decentralised, standards-based environment that is not under the control of any single commercial organisation.  This model is vital to the health of a free and independent media, to a competitive digital business environment and to the freedom and choice of all web users.  Privacy Sandbox creates new, Google-owned standards and is an irreversible step towards a Google-owned ‘walled garden’ web where they control how businesses and users interact online.”

The group’s complaint follows a similar one filed in France last month (via Reuters) — albeit, in that case targeting privacy changes incoming to Apple’s smartphone platform that are also set to limit advertisers access to an iPhone-specific tracking ID that’s generated for that purpose (IDFA).

Apple has said the incoming changes — which it recently delayed until early next year — will give users “greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers”. But four online ad associations — IAB France, MMAF, SRI and UDECAM — bringing the complaint to France’s competition regulator argue Apple is abusing its market power to distort competition.

The move by the online ad industry to get European competition regulators to delay Apple’s and Google’s privacy squeeze on third party ad tracking is taking place at the same time as industry players band together to try to accelerate development of their own replacement for tracking cookies — announcing a joint effort called PRAM (Partnership for Responsible Addressable Media) this summer to “advance and protect critical functionalities like customization and analytics for digital media and advertising, while safeguarding privacy and improving consumer experience”, as they put it.

The adtech industry now appears to be coalescing behind a cookie replacement proposal called UnifiedOpen ID 2.0 (UID2).

A document detailing the proposal which had been posted to the public Internet — but was taken down after a privacy researcher drew attention to it — suggests they want to put in place a centralized system for tracking Internet users that’s based on personal data such as an email address or phone number.

“UID2 is based on authenticated PII (e.g. email, phone) that can be created and managed by constituents across advertising ecosystem, including Advertisers, Publishers, DSPs, SSPs,” runs a short outline of the proposal in the paper, which is authored by two people from a Demand Side Platform called The Trade Desk that’s proposing to build the tech but then hand it off to an “independent and non-partial entity” to manage.

One component of the UID2 proposal consists of a “Unified ID Service” that it says would apply a salt and hash process to the PII to generate UID2 and encrypting that to create a UID2 Token, as well as provision login requests from publishers to access the token.

The other component is a user facing website that’s described as a “transparency & consent service” — to handle user requests for data or UID2 logouts etc.

However the proposal by the online ad industry to centralize Internet users’ identity by attaching it to hashed pieces of actual personal data — and with a self-regulating “Trusted Ads Ecosystem” slated to be controlling the mapping of PII to UID2 — seems unlikely to assuage the self-same privacy concerns fuelling the demise of tracking cookies in the first place (to put it mildly).

Trusting the mass surveillance industry to self regulate a centralized ID system for Internet users is for the birds.

But adtech players are clearly hoping they can buy themselves enough time to cobble together a self-serving cookie alternative — and sell it to regulators as a competition remedy. (Their parallel bet is they can buy off inactive privacy regulators with dubious claims of ‘transparency and consent’.)

So it will certainly be interesting to see whether the adtech industry succeeds in forcing competition regulators to stand in the way of platform-level privacy reforms, while pulling off a major reorg and rebranding exercise of privacy-hostile tracking operations.

In a counter move this month, European privacy campaign group, noyb, filed two complaints against Apple for not obtaining consent from users to create and store the IDFA on their devices.

So that’s one bit of strategic pushback.

Real-time bidding, meanwhile, remains under regulatory scrutiny in Europe — with huge questions over the lawfulness of its processing of Internet users’ personal data. Privacy campaigners are also now challenging data protection regulators over their failure to act on those long-standing complaints.

A flagship online ad industry tool for gathering web users’ consent to tracking is also under attack and looks to be facing imminent action under the bloc’s General Data Protection Regulation (GDPR).

Last month an investigation by Belgium’s data protection agency found the IAB Europe’s so-called Transparency and Consent Framework (TCF) didn’t offer either — failing to meet the GDPR standard for transparency, fairness and accountability, and the lawfulness of data processing. Enforcement action is expected in early 2021.