What is going on with Google’s long-touted migration to an alternative adtech stack (aka its Privacy Sandbox proposal)? What indeed. The entire multi-year endeavour to reshape the commercial web looks dangerously close to being killed off after the latest intervention by the U.K.’s antitrust regulator, the Competition and Markets Authority (CMA).
This comes on top of the u-turn that Google made around third-party tracking cookies. Originally they were going to be depreciated; as of July, cookies look like they are here to stay.
The CMA has been probing Google’s Privacy Sandbox plan since January 2021, following a November 2020 complaint by a coalition of digital marketing companies — which is one reason the project has been so tortuously slow. But slow is starting to look like a flat out ‘no’ from the U.K. regulator.
In a case update Tuesday, the CMA’s tossed yet another spanner in Google’s works, writing that it has “competition concerns” about its most recent revisions. Earlier commitments the tech giant had given it would also need to be updated to reflect “the evolution in Google’s planned Privacy Sandbox browser changes”, it said.
Meaning — at the very least — further delays to a project that’s already years over its original schedule.
The CMA said it’s discussing changes with Google, and Google would be required to address its competition concerns — but it has yet to specifying exactly which elements of the revised proposal are not yet meeting the mark. But one thing is clear: Google’s proposed shift to a user-choice architecture is on ice while the regulator weighs impacts.
“If the CMA is not able to agree changes to the commitments with Google which address the competition concerns, then the CMA will consider what further action may be necessary,” the regulator also wrote, again without stipulating what options might be on the table at that point (note: Google already agreed not to end support for tracking cookies without the CMA’s agreement), adding that it will “publicly consult before taking any decision on whether to accept changes to the commitments, and is aiming to do this in Q4 2024”.
The regulator plans to provide an update on what it couches as its “views relating to the Privacy Sandbox tools and its assessment of testing and trialling results” in the last quarter of the year. So that tinkling noise you can hear is the sound of a very battered can being kicked down the road yet again.
Ad targeting: Who gets to choose?
This latest CMA intervention pertains to a revised approach Google announced this summer when the tech giant suggested it might not to kill off third party tracking cookies after all.
Instead, Google suggested it could provide users of its dominant Chrome browser with a choice over whether they want to see ads based on third party surveillance of their web activity (i.e. tracking cookies); or opt for ads targeted using Privacy Sandbox, Google’s alternative tech for personalized ad targeting, which does not rely on cookies to track and profile users.
The implication of Google’s offer was also that its proposed choice architecture for Chrome could let users opt out of tracking-based or personalized ads entirely — i.e. by offering a free choice to say no to any such tracking (and, presumably, be served contextual ads instead). Which would be great news for people’s privacy.
However, the digital marketing companies that have set their sights on derailing Chrome’s deprecation of tracking cookies aren’t likely to be fans of letting web users get that much agency over online ads.
The CMA’s assessment of Privacy Sandbox is also obviously being conducted through a pure-play competition lens — so its jobs is to pay close attention to such complaints.
The competition regulator declined to respond to questions about its approach. But we understand the CMA is concerned Google’s revised plan to present users with a choice could lead to a significant reduction in availability of third party cookies for ad targeting — leading to an increased reliance on alternatives like Google’s Privacy Sandbox tools.
If the concern is that Google could use the Privacy Sandbox project to further entrench its dominance in the adtech stack — including as a result of giving web users more agency to protect their privacy from advertisers — then that’s a competition-shaped problem.
On privacy, the CMA has previously said it’s working with the UK’s Information Commissioner’s Office (ICO), the regulator responsible for enforcing national data protection laws, to consider relevant privacy and user choice design concerns. However, as we’ve pointed out before, the ICO has a long history of under-enforcing the adtech industry — despite recognizing its lawfulness problem.
More recently, the ICO’s actions in this area — going after certain types of non-compliant cookie consent pop-ups — have fuelled the rise of another problematic ad-industry dodge: Consent or pay mechanisms. This controversial approach, which is under legal challenge in the European Union, sees web users presented with a consent pop-up that gates content until they either accept tracking or else pay a subscription to access content. So it’s the literal opposite of a free choice.
And what has the ICO been doing about consent or pay? It ran a consultation earlier this year but has yet to adopt a public position on the legality of the controversial business model — letting a privacy-hostile mechanism mushroom unchecked in the meanwhile.
All of which is to say that if the U.K. regulator is the best hope web users have to champion their privacy rights in a high stakes battle for the future of the commercial web — that pits Google against digital marketers plus the CMA sitting in their corner — it doesn’t look like a very fair fight. It’s more like competition is being allowed to dominate a hierarchy of interests.
Reached for a response to the CMA’s latest intervention, Google spokeswomen Jo Ogunleye said the company is engaging with regulators and believes its revised proposal supports competition.
She also emailed a statement in which the company wrote: “We are engaging with the CMA on Privacy Sandbox following the updated approach we’ve proposed, which lets people make an informed choice that applies across their web browsing. As we finalize this approach, we’ll continue to consult with the CMA, ICO and other regulators globally and look forward to ongoing collaboration with the ecosystem to build for a private, ad-supported internet.”
We also sought a response from Lukasz Olejnik, an independent consultant who has been tracking the Privacy Sandbox proposal from the start. “Keeping third party cookies is harmful for user welfare,” he warned, highlighting an apparent change of direction by the CMA.
“I was extremely satisfied with how professionally the CMA approached the migration to a privacy-improved web in ways to respect competition,” he also told TechCrunch. “However, since the last few months I see a significant shift in priorities of enforcement.”
Speculating on what might be behind a shift, Olejnik noted there has been a change of government in the U.K. — but said it’s difficult to explain why the regulator may have reconfigured its priorities in this area.
“Until now the CMA had a full understanding that third-party cookies are problematic for privacy, data protection and trust in digital advertising sector,” he said, adding: “While I believe that a business case for Privacy Sandbox would still exist, such a stance could jeopardise the privacy qualities, and trust in businesses, of UK users.”