UK’s CMA accepts Google’s post-cookie pledges, will ‘closely monitor’ Privacy Sandbox plan

The U.K.’s competition authority has accepted commitments from Google over how it develops the post-cookie future of interest-based ad targeting online under its self-styled “Privacy Sandbox” proposal.

In an announcement today, the Competition and Markets Authority (CMA) said it is satisfied that the legally binding commitments secured from Google will ensure that the evolution of ad tracking will promote competition, support publishers to raise revenue from ads while also safeguarding consumer privacy. So quite the juggling act.

In a statement, the CMA’s chief exex, Andrea Coscelli, said:

Our intervention in this case demonstrates our commitment to protecting competition in digital markets and our global role in shaping the behaviour of world-leading tech firms.

The commitments we have obtained from Google will promote competition, help to protect the ability of online publishers to raise money through advertising and safeguard users’ privacy.

While this is an important step, we are under no illusions that our work is done. We now move into a new phase where we will keep a close eye on Google as it continues to develop these proposals.

We will engage with all market participants in this process, in order to ensure that Google is taking account of concerns and suggestions raised.

The CMA has been investigating Google’s plan to deprecate support for tracking cookies in its Chrome browser for over a year — following complaints by a coalition of digital marketing companies that the move risked further entrenching Google’s dominance of the digital advertising market.

The competition watchdog very much agrees there are competition problems in the mobile market — per preliminary findings of its mobile market study, which were published in December. (And it continues to consult on potential interventions aimed at boosting competition and increasing consumer choice in both Apple’s iOS and Google’s Android mobile ecosystems — such as making it easier to switch between the two ecosystems and sideload apps or access web apps; mandating the ability for apps to use alternative payment tech; and making it easier for users to choose an alternative [non-bundled] services as the default, such as browsers.)

But the CMA is also, today, giving Google the greenlight to continue developing Privacy Sandbox — just with a set of legally binding conditions attached to how it does that.

An earlier set of commitments offered by Google on the Sandbox were not deemed sufficient, following market feedback, leading to an improved offer last November — which added the key element of a monitoring trustee, as well as a slightly longer time frame for the reporting requirements (six years) and other tweaks intended to provide greater reassurance to the market.

It’s this beefed up set of commitments the CMA has accepted now. Although it notes that it could choose to reopen an investigation if it’s not satisfied with how the Sandbox is being developed — also retaining the ability to impose interim measures in the future if necessary.

Otherwise, Google’s commitments are set to terminate six years from February 11, 2022 — so running until 2028 — unless it is granted an early release by the regulator.

The full list binding Google — which spans development and implementation criteria for the Sandbox; transparency and consultation requirements with third parties; mechanisms for regulatory involvement in the design process and more — can be found here.

In its press release, the CMA highlights a few elements, noting the agreement commits Google to involving the CMA and the U.K.’s Information Commissioner’s Office (ICO), which leads on consumer privacy issues, in the development and testing of the Sandbox proposals; boosts transparency and engagement for third parties, including the publication of test results and an option for the CMA to require Google to address specific concerns; and binds Google by banning self-preferencing of its own ad services and through restrictions on data-sharing within its own ecosystem to ensure it doesn’t gain an advantage over competitors when third-party cookies are removed.

It also reaffirms that Google will not remove tracking cookies until it is satisfied that its competition concerns have been addressed.

The appointment of a monitoring trustee — which will clearly be a crucial role in ensuring Google actually does what it has agreed it will here — is expected to be made “shortly”, per the CMA.

In its own blog post on this latest chunk of the tracking cookie deprecation saga, Google writes that the aim of the commitments is “to provide reassurance that the Privacy Sandbox will protect consumers and support a competitive ad-funded web, and not favor Google”.

The adtech giant sumarizes the package of pledges into three main “principles”:

First, the changes we will make in Chrome in the context of the Privacy Sandbox initiative will apply in the same way to Google’s advertising products as to products from other companies. Second, we will design, develop and implement Privacy Sandbox with regulatory oversight and input from the CMA and the ICO. And third, we will inform the CMA in advance of our intention to remove third-party cookies and agree to wait for their feedback on whether any competition law concerns remain.

“We’re pleased that today the CMA has accepted these commitments, which now go into immediate effect,” Google adds, before reiterating its promise to apply the agreed approach everywhere: “We will apply the commitments globally because we believe that they provide a roadmap for how to address both privacy and competition concerns in this evolving sector.”

It is still tbc what the Privacy Sandbox will actually be and mean in practice — as the stack of alternative ad targeting and measurement technologies remains in development.

Just recently, for example, Google announced a major change by killing off FLoCs — aka, its erstwhile flagship replacement ad targeting idea to put web users into buckets of interest-based cohorts for targeting (aka FLoCs), which critics such as the EFF had dubbed a privacy disaster — swapping in a new idea to target web users based on “topics” tracked locally in the browser.

Whether or not topics-based tracking is a substantial improvement, in privacy terms, versus FLoCs — or, indeed, whether it’s substantially worse than contextual targeting (which does not require any user data to be processed to select relevant ads to serve but instead ads are targeted based on the website content that’s being accessed at the time, likely combined with broad-brush signals such as a general location) — all remains to be seen.

So we still don’t know exactly what will replace tracking cookies when/if Google finally turns off support (at the earliest next year).

But what we do know is that it won’t only be Google deciding what that future looks like — given it’s given a legally binding pledge to involve regulators, factor in feedback from third parties and act on concerns.

In its blog post today, Google writes that it will be “consulting with the CMA and ICO on a regular basis in relation to the design, development and implementation of the Privacy Sandbox (including testing and public announcements)”, as well as “increas[ing] its engagement with industry stakeholders (including publishers, advertisers and ad tech providers) by providing a systematic feedback process to take on board reasonable views and suggestions”.

Info on how Google is engaging with third parties in the design and development of the Sandbox are set out on a website — privacysandbox.com — which includes a project overview and a timeline; and, per the CMA, now includes new details on how it will engage with third parties.

For all the criticism Google can and does attract — including via some highly relevant antitrust lawsuits in the U.S., which certainly underline the need for close monitoring of its behavior — when it comes to Privacy Sandbox the tech giant is at least evolving its proposals in response to antitrust concern and critical feedback.

Meanwhile the U.K.-based coalition of marketers, which has been raising complaints against Privacy Sandbox — including in the EU — was still sounding off about Google’s proposal earlier this week.

The self-styled Movement for an Open Web (aka, MOW; neé Marketers for an Open Web) put out a press release calling for the CMA to include what it described as “non-discrimination remedies” against Sandbox in its ongoing mobile ecosystem study.

In it MOW appears to be lobbying to continue the privacy-horrible status quo — in which scores of faceless identity- and data-trading third parties are able to track web users’ browsing via the use of what are billed as “pseudonymous identifiers” — yet which, through syncing and matching (with other “alternative ID providers” in a surveillance-based tracking ecosystem) allow for ad IDs to be linked back to individuals to power user profiling and exploitative targeting, all of which are horrible for privacy.

The ICO itself has put the adtech industry on notice that a “keep on tracking” scenario simply won’t fly — with the outgoing commissioner writing in an opinion in November that adtech must move away from online tracking and profiling, stop obfuscating how it operates and provide consumers with genuine control over what’s done with their data.

“Any proposal that has the effect of maintaining or replicating existing tracking practices (such as those described in the 2019 Report) is not an acceptable response to the significant data protection risks that the Commissioner has already described,” the outgoing commissioner Elizabeth Denham also warned in a thinly veiled parting shot at unreformed adtech.

Google’s blog post today makes an explicit reference to this opinion — with the company writing:

Privacy by design and by default have been at the heart of the Privacy Sandbox from the outset, and we are also intent on ensuring that the new tools meet the requirements set out in the recent ICO’s Opinion on Data protection and privacy expectations for online advertising proposals. To that end, we are designing these new tools to avoid cross-site tracking, provide people with better transparency and control, and result in better outcomes for people and businesses on the web.

The data-mining tech giant’s claim to be championing privacy of course deserves plenty of critical scrutiny.

However when set against the vista of a trench-digging adtech industry at large — which desperately continues to reject calls for reform in favor of clinging to creepy tracking, whether by sicking up some new window dressing for the same old tracking wheeze via slightly respun jargon or through head-in-the-sand denials that its built its ad auction castle on illegal sands — Google’s Privacy Sandbox starts to look very enlightened indeed.

As ever, the devil will be in the detail. But if it’s a choice between change or the creepy status quo it’s clear where the web needs to go.

We asked MOW for its response to the package of commitments the CMA has now accepted. At the time of writing it did not have one but a spokesman it was preparing a press release to put out later this morning — so we’ll update this report when we get it.

Update: MOW has now published its statement — which we’ve broken down in more detail in this piece of related reporting (on another antitrust complaint against Google that’s been filed in the EU today). But the gist is it’s pressing for even more regulatory oversight of Google and other adtech giants.

The UK’s ICO has also put out a response to the CMA’s announcement in which it welcomes the commitments obtained from Google, writing that “consumers benefit when data protection, privacy and competition objectives have to be considered together” — which it says the commitments oblige Google to do.

Stephen Bonner, the ICO’s exec director for regulatory futures and innovation, adds:

“We will continue to work with both organisations to ensure Google’s Privacy Sandbox proposals are compliant with data protection law and deliver good privacy outcomes for individuals.

“Our Commissioner’s Opinion set outs clear data protection standards that organisations must meet when developing online advertising technologies. As several proposals are under active development, we will continue to engage with organisations developing them to ensure that they raise standards of data protection and privacy.”