The sandbox saga continues.
Google has pledged to work closely with regulators on its newly announced Android Privacy Sandbox and voluntarily apply the same binding principles to Android that it just agreed on with the UK’s Competition and Market Authority (CMA) to govern the Chrome Privacy Sandbox.
Good?
But the people whose complaint first triggered the CMA’s now-settled investigation over antitrust concerns about the Chrome Privacy Sandbox are feeling pretty skeptical about whether Google will actually stick to its commitments when it comes to Android.
In short: “Google appears to be playing fast and loose with their commitments – and the CMA seem to be oblivious,” Movement for an Open Web (MOW) said in a statement Friday.
The backstory
MOW is a consortium of digital marketing firms, publishers and advertisers founded by James Rosewell mainly as a lobbying body to serve as a thorn in Google’s side.
In November 2020, the group filed a complaint with the CMA, which led to the opening of a formal probe into Google’s plan to phase out third-party cookies and replace them with a set of privacy-preserving APIs.
From there, Google and the CMA went back and forth for months hashing out a series of commitments addressing anticompetition concerns over the Chrome Privacy Sandbox. The CMA also gathered public feedback, including from publishers, ad trade orgs and ad tech companies, some of which was incorporated into a revised set of final – and now legally binding – commitments Google has promised to roll out globally.
The commitments include not preferencing Google’s own sites and apps and working more openly with third parties on development.
Problem is, those commitments don’t mention the Android Privacy Sandbox – only the Chrome Privacy Sandbox.
Which begs the question of whether the CMA has oversight into the development work that will be happening in the Android Privacy Sandbox on the long road to eventual Google Ad ID deprecation.
“Uncertainty in the market”
In a statement released by the CMA on February 16 – the same day Google announced the launch of its Android Privacy Sandbox – the competition body said Google had “informed us of its intentions in this area” and “indicated that it intends to apply – on a voluntary basis – the principles of the commitments” it made for the Chrome Privacy Sandbox to the Android version.
The CMA then said it plans to “continue to monitor this closely and engage with Google and other market participants on the nature and detail of [Google’s] proposals before reaching any view on the best way forward.” The CMA also noted that it’s “conscious of the possible parallels with Apple’s AppTrackingTransparency framework.”
Well, some of those aforementioned “other market participants” are a little confused about the situation.
In the CMA’s notice of intention to accept Google’s modified Privacy Sandbox commitments released in November, the regulator noted that one of its chief concerns had to do with Google causing “uncertainty in the market” over what specific alternative solutions will be available to publishers and ad tech providers once third-party cookies aren’t available in Chrome anymore.
“Yet Google’s Android Privacy Sandbox announcement creates the very uncertainty the settlement agreement prohibits,” MOW argues. “This leaves only the impression that CMA either didn’t recognize this – or deemed it acceptable.”
But what does that actually mean for regulatory scrutiny of the Android Privacy Sandbox?
Well, looks like Google is promising to be good, and the CMA is promising to keep its eyes open. But unless the CMA reopens its Privacy Sandbox investigation or kicks off a new one, it seems like the regulator is going to just have to take Google at its word.
The CMA – which does have the authority to directly oversee Google’s development work in the Chrome Privacy Sandbox (and it’s going to be a big job) – is also in the midst of working on the final version of its market study into Apple’s and Google’s mobile ecosystems. That report will include a look at Apple’s ATT and, ostensibly, the Android Privacy Sandbox.
That report will be released by June 14.
