Google won’t end support for tracking cookies unless UK’s competition watchdog agrees

Well this is big. The U.K.’s competition regulator looks set to get an emergency brake that will allow it to stop Google ending support for third-party cookies, a technology that’s currently used for targeting online ads, if it believes competition would be harmed by the depreciation going ahead.

The development follows an investigation opened by the Competition and Markets Authority (CMA) into Google’s self-styled “Privacy Sandbox” earlier this year.

The regulator will have the power to order a standstill of at least 60 days on any move by Google to remove support for cookies from Chrome if it accepts a set of legally binding commitments the latter has offered — and which the regulator has today issued a notification of intention to accept.

The CMA could also reopen a fuller investigation if it’s not happy with how things are looking at the point it orders any standstill to stop Google crushing tracking cookies.

It follows that the watchdog could also block Google’s wider “Privacy Sandbox” technology transition entirely — if it decides the shift cannot be done in a way that doesn’t harm competition. However, the CMA said today it takes the “provisional” view that the set of commitments Google has offered will address competition concerns related to its proposals.

It’s now opened a consultation to see if the industry agrees — with the feedback line open until July 8.

Commenting in a statement, Andrea Coscelli, the CMA’s chief executive, said:

The emergence of tech giants such as Google has presented competition authorities around the world with new challenges that require a new approach.

That’s why the CMA is taking a leading role in setting out how we can work with the most powerful tech firms to shape their behaviour and protect competition to the benefit of consumers.

If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising and safeguarding users’ privacy.

In a blog post sketching what it’s pledged — under three broad headlines of “Consultation and collaboration”; “No data advertising advantage for Google products”; and “No self-preferencing” — Google writes that if the CMA accepts its commitments it will “apply them globally”, making the U.K.’s intervention potentially hugely significant.

It’s perhaps one slightly unexpected twist of Brexit that it’s put the U.K. in a position to be taking key decisions about the rules for global digital advertising. (The European Union is also working on new rules for how platform giants can operate but the CMA’s intervention on Privacy Sandbox does not yet have a direct equivalent in Brussels.)

That Google is choosing to offer to turn a U.K. competition intervention into a global commitment is itself very interesting. It may be there in part as an added sweetener — nudging the CMA to accept the offer so it can feel like a global standard-setter.

At the same time, businesses do love operational certainty. So if Google can hash out a set of rules that are accepted by one (fairly) major market, because they’ve been co-designed with national oversight bodies, and then scale those rules everywhere, it may create a shortcut path to avoiding any more regulator-enforced bumps in the future.

So Google may see this as a smoother path toward the sought-for transition for its adtech business to a post-cookie future. Of course it also wants to avoid being ordered to stop entirely (or, well, maybe not! Either outcome would surely work for Google).

More broadly, engaging with the fast-paced U.K. regulator could be a strategy for Google to try to surf over the political deadlocks and risks which can characterize discussions on digital regulation in other markets (especially its home turf of the U.S. — where there has been a growing drumbeat of calls to break up tech giants; and where Google specifically now faces a number of antitrust investigations).

The outcome it may be hoping for is being able to point to regulator-stamped “compliance” — in order that it can claim it as evidence there’s no need for its ad empire to be broken up. (Or to have a regulator order that it can’t make privacy-centric changes.)

Google’s offering of commitments also signifies that regulators who move fastest to tackle the power of tech giants will be the ones helping to define and set the standards and conditions that apply for web users everywhere. At least — unless or until — more radical interventions rain down on big tech.

What is Privacy Sandbox?

Privacy Sandbox is a complex stack of interlocking technology proposals for replacing current ad tracking methods (which are widely seen as horrible for user privacy) with alternative infrastructure that Google claims will be better for individual privacy and also still allow the adtech and publishing industries to generate (it claims much the same) revenue by targeting ads at cohorts of web users — who will be put into “interest buckets” based on what they look at online.

The full details of the proposals (which include components like FLoCs, aka Google’s proposed new ad ID based on federated learning of cohorts, and Fledge/Turtledove, Google’s suggested new ad delivery technology) have not yet been set in stone.

Nonetheless, Google announced in January 2020 that it intended to end support for third-party cookies within two years — so that rather nippy time frame has likely concentrated opposition, with pushback coming from the adtech industry and (some) publishers that are concerned it will have a major impact on their ad revenues when individual-level ad targeting goes away.

The CMA began to look into Google’s planned depreciating of tracking cookies after complaints that the transition to a new infrastructure of Google’s devising will merely increase Google’s market power — by locking down third parties’ ability to track internet users for ad targeting while leaving Google with a high dimension view of what people get up to online as a result of its expansive access to first-party data (gleaned through its dominance for consumer web services).

The executive summary of today’s CMA notice lists its concerns that, without proper regulatory oversight, Privacy Sandbox might:

  • distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services, by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
  • distort competition by the self-preferencing of Google’s own advertising products and services and owned and operated ad inventory; and
  • allow Google to exploit its apparent dominant position by denying Chrome web users substantial choice in terms of whether and how their personal data is used for the purpose of targeting and delivering advertising to them.

At the same time, privacy concerns around the ad tracking and targeting of internet users are undoubtedly putting pressure on Google to retool Chrome (which ofc dominates web browser market share) — given that other web browsers have been stepping up efforts to protect their users from online surveillance by doing stuff like blocking trackers for years.

Web users hate creepy ads — which is why they’ve been turning to ad blockers in droves. Numerous major data scandals have also increased awareness of privacy and security. And — in Europe and elsewhere — digital privacy regulations have been toughened up or introduced in recent years. So the line of “what’s acceptable” for ad businesses to do online has been shifting.

But the key issue here is how privacy and competition regulation interacts — and potentially conflicts — with the very salient risk that ill-thought-through and overly blunt competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place).

Poor privacy enforcement coupled with banhammer-wielding competition regulators does not look like a good recipe for protecting web users’ rights.

However. there is cautious reason for optimism here.

Last month the CMA and the U.K.’s Information Commissioner’s Office (ICO) issued a joint statement in which they discussed the importance of having competition and data protection in digital markets — citing the CMA’s Google Privacy Sandbox probe as a good example of a case that requires nuanced joint working.

Or, as they put it then: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals, and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”

Although the ICO’s record on enforcement against rights-trampling adtech is, well, non-existent. So its preference for regulatory inaction in the face of adtech industry lobbying should off-set any quantum of optimism derived from the bald fact of the U.K.’s privacy and competition regulators’ “joint working”.

(The CMA, by contrast, has been very active in the digital space since gaining, post-Brexit, wider powers to pursue investigations. And in recent years took a deep dive look at competition in the digital ad market, so it’s armed with plenty of knowledge. It is also in the process of configuring a new unit that will oversee a pro-competition regime which the U.K. explicitly wants to clip the wings of big tech.)

What has Google committed to?

The CMA writes that Google has made “substantial and wide-ranging” commitments vis-à-vis Privacy Sandbox — which it says include:

  • A commitment to develop and implement the proposals in a way that avoids distortions to competition and the imposition of unfair terms on Chrome users. This includes a commitment to involve the CMA and the ICO in the development of the Proposals to ensure this objective is met.
  • Increased transparency from Google on how and when the proposals will be taken forward and on what basis they will be assessed. This includes a commitment to publicly disclose the results of tests of the effectiveness of alternative technologies.
  • Substantial limits on how Google will use and combine individual user data for the purposes of digital advertising after the removal of third-party cookies.
  • A commitment that Google will not discriminate against its rivals in favour of its own advertising and ad-tech businesses when designing or operating the alternatives to third-party cookies.
  • A standstill period of at least 60 days before Google proceeds with the removal of third-party cookies giving the CMA the opportunity, if any outstanding concerns cannot be resolved with Google, to reopen its investigation and, if necessary, impose any interim measures necessary to avoid harm to competition.

Google also writes that: “Throughout this process, we will engage the CMA and the industry in an open, constructive and continuous dialogue. This includes proactively informing both the CMA and the wider ecosystem of timelines, changes and tests during the development of the Privacy Sandbox proposals, building on our transparent approach to date.”

“We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO,” it adds.

Google’s commitments cover a number of areas directly related to competition — such as self-preferencing, non-discrimination and stipulations that it will not combine user data from specific sources that might give it an advantage versus third parties.

However privacy is also being explicitly baked into the competition consideration, here, per the CMA — which writes that the commitments will [emphasis ours]:

Establish the criteria that must be taken into account in designing, implementing and evaluating Google’s Proposals. These include the impact of the Privacy Sandbox Proposals on: privacy outcomes and compliance with data protection principles; competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants; the ability of publishers to generate revenue from ad inventory; and user experience and control over the use of their data.

An ICO spokeswoman was also keen to point out that one of the first commitments obtained from Google under the CMA’s intervention “focuses on privacy and data protection”.

In a statement, the data watchdog added:

The commitments obtained mark a significant moment in the assessment of the Privacy Sandbox proposals. They demonstrate that consumer rights in digital markets are best protected when competition and privacy are considered together.

As we outlined in our recent joint statement with the CMA, we believe consumers benefit when their data is used lawfully and responsibly, and digital innovation and competition are supported. We are continuing to build upon our positive and close relationship with the CMA, to ensure that consumer interests are protected as we assess the proposals.

This development in the CMA’s investigation raises plenty of questions, large and small — most pressingly over the future of key web infrastructure and what the changes being hashed out here between Google and U.K. regulators might mean for internet users everywhere.

The really big issue is whether “co-design” with oversight bodies is the best way to fix the market power imbalance flowing from a single tech giant being able to combine massive dominance in consumer digital services with duopoly dominance in adtech.

Others would say that breaking up Google’s consumer tech and Google’s adtech is the only way to fix the abuse — and everything else is just fiddling while Rome burns.

Google, for instance, is still in charge of proposing the changes itself — regardless of how much pre-implementation consultation and tweaking goes on. It’s still steering the ship and there are plenty of people who believe that’s not an acceptable governance model for the open web.

But, for now at least, the CMA wants to try to fiddle.

It should be noted that, in parallel, the U.K. government and CMA are speccing out a wider pro-competition regime that could result in deeper interventions into how Google and other platform giants operate in the future. So more interventions are all but guaranteed.

For now, though, Google is probably feeling pretty happy for the opportunity to work with U.K. regulators. If it can pull oversight bodies deep down in the detail of the changes it wants to (or feels it has to) make that’s likely a far more comfortable spot for Mountain View versus being served with an order to break its business up — something the CMA has previously taken feedback on.

Google has been contacted with questions on its Privacy Sandbox commitments. (Update: see below for some responses.)

In a statement responding to the development, the Internet Advertising Bureau (IAB) UK’s CEO Jon Mew, said:

“At the IAB, we have always been really clear that the phasing out of third-party cookies is an opportunity to reset the ad-funded web for the better, which is why we have laid out clear principles that we believe any viable User ID solutions must meet. I think that the CMA’s investigation into Privacy Sandbox and Google’s commitments to address its concerns about the potential impact on competition are an important and valuable part of this process.

“The commitments allow the wider industry to have confidence that Google’s proposals are being developed in a way that takes into account both competition and privacy objectives, with the benefit of regulatory oversight brought by the CMA. The phasing out of third-party cookies is the most seismic shift that the digital ad industry has ever experienced and it’s only right that developments in this space are subject to appropriate scrutiny.”

Some wider questions

In response to our questions, Google has now sent some additional background information. Via these additional remarks the company resists the suggestion that there will be any “co-designing” of Privacy Sandbox under the proposed commitments, saying rather that this is about oversight from and collaboration with the CMA. But, well, that might just be Google seeking to split hairs.

It confirmed the commitments it’s offered (around design and testing) cover all the proposed technologies in the Privacy Sandbox. So this definitely isn’t just about tracking cookies — and will apply to whatever may (or may not) replace them.

Google also affirmed that — if formally accepted — it would apply commitments made to the U.K.’s CMA globally.

Asked whether it has an alternative/s in mind, if the CMA orders that it can’t depreciate tracking cookies — or whether such an order would essentially mean Privacy Sandbox is dead — Google declined to speculate.

But it also said it believes the web is at risk if it doesn’t keep up with users’ expectations around privacy, claiming it’s strongly committed to the Privacy Sandbox project and adding that it’s hopeful the engagement with the CMA will help alleviate industry concerns about the planned transition.

It also told us it will be continuing to work on the project — rather than halting work to wait for the outcome of the CMA’s consultation.

But it declined to provide a response when asked if it sees any implications (e.g. a delay) for the original timeline for implementing Privacy Sandbox as a result of the regulator’s intervention.

Asked about the governance model for Privacy Sandbox — and whether it’s fair that Google is the entity redesigning such a core piece of web infrastructure — it argued it’s doing this collaboratively with the industry via fora such as the W3C.

However W3C groups don’t have leverage over Google’s decisions. So the concern for some is that Google is engaging in what amounts to a “theatre of collaboration” — providing cover as it unilaterally conducts a major retooling with implications for entire online industries. And while it is being made to widen its outreach now — by looping U.K. regulators into proposal discussions — the proposals and decisions are still Google’s own.

Commenting on the governance point, Dr Lukasz Olejnik, an independent privacy and cybersecurity researcher and consultant who has written about the governance of privacy-preserving systems, told TechCrunch: “It seems that Google is certainly trying its best at collaborations and trying to hear the feedback from various parties. This happens, for example, within the W3C Group venue. It is not clear to me if at the present moment there is any governance model of the Privacy Sandbox. I would say there is none. And the devil here is in the details.

“The issue is, there has to be a way of agreeing to some changes or modifications being deployed. What are the guarantees that, assuming a good proposal is put forward, it is actually taken for implementation? Furthermore it is not clear how the future maintenance or development of the proposal stacks would look like. What is the legitimisation now?

“Google certainly cannot claim that they alone have a legitimate right to unilaterally take decisions. I don’t think they also want to argue that this is the case. I would suggest a semi-formal governance structure, that would accept feedback from, or represent, the actors involved — the users, the publishers, the user agents, the advertisers, and privacy experts or researchers. It’s the first time we see an attempt to deploy privacy-preserving ad systems, so it would be great to have it future-proofed.”

TechCrunch also asked Google about the ad serving component of the Privacy Sandbox proposals — and how Google believes its proposed architecture respects user privacy.

Google didn’t offer a lot of detail on this but it suggested the Turtledove proposal — i.e. that advertisers serve ads based on one or more interest groups without combining that interest group with other information about the user (e.g. who they are or what page they are visiting) — is more privacy-preserving than the current way of doing things with tracking cookies (i.e. individual level targeting).

It also suggested that the Fledge component of its proposal aims to build on Turtledove by proposing a trusted third-party server — to address concerns about information being stored in the browser.

Google confirmed it will be engaging proactively with the CMA about the design and testing of both technology proposals, as they sit within the Privacy Sandbox, further noting the competition watchdog will be getting direct input from the ICO during this process. So, again, U.K. regulators will now have a front row seat at the table where the proposed changes are being discussed.

And Google added that it believes its proposed commitments represent a significant step in reassuring the market.

Whether this “collaboration” results in tweaks to the Privacy Sandbox that are “pro-competition” but worse for people’s privacy remains to be seen.

It would be a massive failure of the CMA-ICO claims of joint working (“to ensure that both privacy and competition concerns can be addressed”) if so. But it’s fair to say that users’ rights have all too often been ignored by privacy regulators faced with the frenzied lobbying of adtech interests.

Still, in seeking to co-opt competition regulators to their cause, the adtech lobby may at least force a regulatory reckoning on a key issue. And, elsewhere in Europe, abuse of privacy is being seen as a competition concern too. So they should be careful what they wish for. 

This report was updated with additional comment and context