Google agrees with UK’s CMA to deeper oversight of Privacy Sandbox

As part of an ongoing antitrust investigation into Google’s Privacy Sandbox by the UK’s competition regulator, the adtech giant has agreed to an expanded set of commitments related to oversight of its planned migration away from tracking cookies, the regulator announced today.

Google has also put out its own blog post on the revisions — which it says are intended to “underline our commitment to ensuring that the changes we make in Chrome will apply in the same way to Google’s ad tech products as to any third party, and that the Privacy Sandbox APIs will be designed, developed and implemented with regulatory oversight and input from the CMA [Competition and Markets Authority] and the ICO [Information Commissioner’s Office]”.

Google announced its intention to deprecate support for the third party tracking cookies that are used for targeting ads at individuals in its Chrome browser all the way back in 2019 — and has been working on a stack of what it claims are less intrusive alternative ad-targeting technologies (aka, the “Privacy Sandbox”) since then.

The basic idea is to shift away from ads being targeted at individuals (which is horrible for Internet users’ privacy) to targeting methods that put Internet users in interest-based buckets and serve ads to so-called “cohorts” of users (aka, FLoCs) which may be less individually intrusive — however it’s important to note that Google’s proposed alternative still has plenty of critics (the EFF, for example, has suggested it could even amplify problems like discrimination and predatory ad targeting).

And many privacy advocates would argue that pure-play contextual targeting poses the least risk to Internet users’ rights while still offering advertisers the ability to reach relevant audiences and publishers to monetize their content.

Google’s Sandbox plan has attracted the loudest blow-back from advertisers and publishers, who will be directly affected by the changes. Some have raised concerns that the shift away from tracking cookies will simply increase Google’s market power — hence the Competition and Markets Authority (CMA) opening an antitrust investigation into the plan in January.

As part of that probe, the CMA had already secured one set of commitments from Google around how it would go about the switch, including that it would agree to halt any move to deprecate cookies if the regulator was not satisfied the transition could take place in a way that respects both competition and privacy; and agreements on self-preferencing, among others.

A market consultation on the early set of commitments drew responses from more than 40 third parties — including, TechCrunch understands, input from international regulators (some of whom are also investigating Google’s Sandbox, such as the European Commission, which opened its own probe of Google’s adtech in June).

Following that, the first set of proposed commitments has been expanded and beefed up with additional requirements (see below for a summary; and here for fuller detail from the CMA’s “Notice of intent to accept the modified commitments”).

The CMA will now consult on the expanded set — with a deadline of 5pm on December 17, 2021, to take fresh feedback.

It will then make a call on whether the beefed up bundle bakes in enough checks-and-balances to ensure that Google carries out the move away from tracking cookies with the least impact on competition and the least harm to user privacy (although it will be the UK’s ICO that’s ultimately responsible for oversight of the latter piece).

If the CMA is happy with responses to the revised commitments, it would then close the investigation and move to a new phase of active oversight, as set out in the detail of what it’s proposing to agree with Google.

A potential timeline for this to happen is early 2022 — but nothing is confirmed as yet.

Commenting in a statement, CMA CEO Andrea Coscelli said:

“We have always been clear that Google’s efforts to protect user’s privacy cannot come at the cost of reduced competition.

That’s why we have worked with the Information Commissioner’s Office, the CMA’s international counterparts and parties across this sector throughout this process to secure an outcome that works for everyone.

We welcome Google’s co-operation and are grateful to all the interested parties who engaged with us during the consultation.

If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising and safeguarding users’ privacy.”

More market reassurance

In general, the expanded commitments look intended to offer a greater level of reassurance to the market that Google will not be able to exploit loopholes in regulatory oversight of the Sandbox to undo the intended effect of addressing competition risks and privacy concerns.

Notably, Google has agreed to appoint a CMA approved monitoring trustee — as one of the additional measures it’s suggesting to improve the provisions around reporting and compliance.

It will also dial up reporting requirements, agreeing to ensure that the CMA’s role and the regulator’s ongoing process — which the CMA now suggests should continue for a period of six years — are mentioned in its “key public announcements”; and to regular (quarterly) reporting to the CMA on how it is taking account of third party views as it continues building out the tech bundle.

Transparency around testing is also being beefed up.

On that, there have been instances, in recent months, where Google staffers have not been exactly fulsome in articulating the details of feedback related to the Origin Trial of its FLoCs technology to the market, for example. So it’s notable that another highlighted change requires Google to instruct its staff not to make claims to customers which contradict the commitments.

Another concern reflected in the revisions is the worry among market participants that Google could remove functionality or information before the full Privacy Sandbox changes are implemented — hence it has offered to delay enforcement of its Privacy Budget proposal and offered commitments around the introduction of measures to reduce access to IP addresses.

We understand that concerns from market participants also covered Google removing other functionality — such as the user agent string — and that strengthened commitments are intended to address those wider worries too.

Self-preferencing requirements have also been dialled up. And the revised commitments include clarifications on the internal limits on the data that Google can use — and monitoring those elements will be a key focus for the trustee.

The period of active oversight by the CMA has also been extended vs the earlier plan — to six years from the date of any decision to accept Google’s modified commitments (up from around five).

This means that if the CMA agrees to the commitments next year they could be in place until 2028. And by then the UK expects to have reformed competition rules wrapping tech giant — as

In its own blog post, Google condenses the revised commitments thus:

  1. Monitoring and reporting. We have offered to appoint an independent Monitoring Trustee who will have the access and technical expertise needed to ensure compliance.
  2. Testing and consultation. We have offered the CMA more extensive testing commitments, along with a more transparent process to take market feedback on the Privacy Sandbox proposals.
  3. Further clarity on our use of data. We are underscoring our commitment not to use Google first-party personal data to track users for targeting and measurement of ads shown on non-Google websites. Our commitments would also restrict the use of Chrome browsing history and Analytics data to do this on Google or non-Google websites.

As with the earlier set of pledges, it has agreed to apply the additional commitments globally — assuming the package gets accepted by the UK regulator.

So the UK regulator continues playing a key role in shaping how key web infrastructure evolves.

Google’s blog post also makes reference to an opinion published yesterday by the UK’s information commissioner — which urged the adtech industry to move away from current tracking and profiling methods of ad targeting.

“We also support the objectives set out yesterday in the ICO’s Opinion on Data protection and privacy expectations for online advertising proposals, including the importance of supporting and developing privacy-safe advertising tools that protect people’s privacy and prevent covert tracking,” Google noted.

This summer Google announced a delay to its earlier timeline for the deprecation of tracking cookies — saying support wouldn’t start being phased out in Chrome until the second half of 2023.

There is no suggestion from the tech giant at this point of any additional delay to that timeline — assuming it gets the regulatory greenlight to go ahead.