Google appears to have thrown regulators for a loop with its surprise announcement on Monday that it no longer plans to deprecate third-party cookies in Chrome.
The UK’s Competition and Markets Authority (CMA) said it will delay publication of its planned quarterly report on the Chrome Privacy Sandbox as it evaluates the situation.
The next report was supposed to come out at the end of this month.
In partnership with the Information Commissioner’s Office – the UK’s data protection authority and privacy regulator – the CMA will now weigh the implications of Google’s not-so-little bombshell. Although the details remain scant, Google’s proposal involves launching some type of user choice mechanism for Chrome browser users in lieu of removing third-party cookies altogether.
The CMA is also encouraging all interested parties and stakeholders to get in touch with the agency to share their views by August 12.
(That scraping sound you hear is James Rosewell sharpening his pencil.)
See ya, CMA?
But it’s not clear what Google’s about-face on third-party cookies means for the future of its relationship with the CMA.
In 2022, Google agreed to ongoing CMA supervision over development of the Privacy Sandbox APIs. The regulator tasked itself with the responsibility of ascertaining whether the proposals would give Google an advantage over competitors once Chrome removed third-party cookies. Google also said it wouldn’t phase out cookies in Chrome without the CMA’s approval.
As part of Monday’s announcement, Google said it plans to continue investing in the Privacy Sandbox.
But if third-party cookies aren’t going away, the Chrome Privacy Sandbox’s future may no longer depend on the CMA’s approval.
(Re)enter the ICO
Even if the CMA is satisfied with the user choice options and washes its hands of Privacy Sandbox oversight, the ICO still may step in with concerns about whether the Chrome Privacy Sandbox does enough to protect consumer privacy.
The CMA and ICO have been working closely together for years to evaluate the Privacy Sandbox from a hybrid competition and privacy perspective.
The CMA’s last quarterly report on the Privacy Sandbox, released in April, incorporates feedback from the ICO (which was leaked to the Journal, including concerns about the privacy and data protection impacts of the Sandbox APIs).
For example, the ICO is worried that the Privacy Sandbox doesn’t give individuals “sufficient clarity” about how their data is used by the Topics API and that there may be ways to exploit flaws in PAAPI to identify anonymous users.
So, even if the CMA’s Privacy Sandbox work is done sooner rather than later, from a competition point of view, the ICO could jump in and take the lead using its data privacy protection powers to further investigate the Sandbox.
Because, frankly, it already sounds like the ICO wants to send Google to its room without supper (and without cookies).
“We are disappointed that Google has changed its plans and no longer intends to deprecate third-party cookies from the Chrome browser,” Stephen Bonner, the ICO’s deputy commissioner, said in a statement shared with AdExchanger.
Bonner also noted that it’s been the ICO’s view since Google first started working on the Sandbox project 8,000 (sorry, four) years ago, “that blocking third-party cookies would be a positive step for consumers.”
“The new plan set out by Google is a significant change and we will reflect on this new course of action when more detail is available,” Bonner stated. “We will monitor how the industry responds and consider regulatory action where systemic non-compliance is identified for all companies, including Google.”