Google Commits To More Oversight Of Its Privacy Sandbox By The UK’s Competition Watchdog

Google has shared updated commitments with the CMA, the UK's antitrust watchdog, and agreed to more regulatory scrutiny over the Privacy Sandbox.

Roast turkey wasn’t the only thing to gorge on this Thanksgiving weekend.

On Friday, the Competition and Markets Authority (CMA), the UK’s top antitrust regulator, published a 125-page document outlining the next phase of its ongoing antitrust investigation into Google’s Privacy Sandbox. (You can read the whole shebang here.)

The document contains an updated set of commitments from Google designed to prevent the company from developing its Privacy Sandbox proposals in ways that impede competition.

The CMA announced its investigation of the Privacy Sandbox in January after receiving complaints that Google’s plan to phase out third-party cookies in Chrome will give it an unfair advantage in the digital ad market over anyone that isn’t Google.

The CMA will consult on the new commitments – and receive public feedback – until December 17. If the CMA accepts its changes, Google said in a blog post that it will apply them globally.

Take one

But let’s take a step back.

This spring, roughly six months after the CMA launched its investigation into the Privacy Sandbox, Google made a series of initial commitments to the CMA, including a pledge not to discriminate against its rivals in favor of its own ad tech business when it comes to third-party cookie alternatives.

Google also agreed to be more transparent about how Privacy Sandbox proposals are implemented and not develop or implement the proposals in the Privacy Sandbox without regulatory approval.

These commitments were open to public comment until early July … and not everyone was pleased.

The CMA received more than 40 responses from ad tech providers, advertisers, publishers, trade associations and academics, many of whom raised concerns that Google was glossing over important details.

For instance, it wasn’t clear how technology developed within the Privacy Sandbox and Google’s non-discrimination obligations would be monitored by regulators and the industry at large. There’s no point in making commitments if there’s no mechanism to enforce them.

Multiple respondents also commented that Google's original commitments appeared to define “Privacy Sandbox” as exclusively focused on third-party cookie alternatives when, in fact, many of the proposals within the Privacy Sandbox have a wider scope.

Comic: Privacy TheaterFor example, see Google’s anti-fingerprinting Gnatcatcher proposal, which reduces access to IP address data without messing up a site’s functionality, and the User-Agent Client Hints API, which would allow developers to request specific information about a user’s browser rather than getting all of it by default.

Neither proposal is a third-party cookie alternative, but both are in the Privacy Sandbox, which could create a gray area for Google to make changes without authorization if its obligations to the CMA are specifically related to the removal of third-party cookies.

Take two

So, what’s new?

To address these concerns, Google, in consultation with the CMA, has offered up a revised set of commitments that are now open for more consultation through mid-December. (The wheels of justice, and cookie deprecation, turn slowly, but grind exceedingly fine.)

Google’s updated commitments fall into three main buckets: better monitoring and reporting, more transparency and additional clarity into Google’s use of data.

Specifically, Google has promised to:

  • involve the CMA on an ongoing basis in any announcements related to the Privacy Sandbox;
  • not make claims to customers that contradict its commitments to the CMA;
  • report regularly to the CMA on how it’s taking third-party views into consideration;
  • not implement proposals, like Gnatcatcher, before making a reasonable effort to help publishers combat fraud and spam;
  • delay enforcement of its Privacy Budget proposal, which blocks user-level identification by rationing the data available to digital media and marketing companies, until after removing third-party cookies;
  • clarify the internal limits Google will place on how browser data is used for targeting and measuring digital advertising;
  • not design or use any of the tools in the Privacy Sandbox in a way that could self-preference Google;
  • provide more certainty and information to third parties that are developing alternative technologies to the ones in the Privacy Sandbox;
  • be more transparent about reporting and compliance, including by appointing a CMA-approved trustee to monitor Google’s compliance and notify the CMA of any breach;
  • and, finally, to extend the duration of Google’s commitments to six years.

Blurred lines

But there’s an additional wrinkle here, and that’s the role of data protection and privacy concerns in antitrust law.

Google’s planned removal of third-party cookies in Chrome is a case study on the complications that arise when privacy and competition concerns intersect.

Last week, in a statement on Google’s revised Privacy Sandbox commitments, the CMA’s chief executive, Andrea Coscelli, noted that the CMA has been working with the Information Commissioner's Office (ICO) – the UK’s data protection authority – to strike the right balance between protecting competition and protecting user privacy.

“We have always been clear that Google’s efforts to protect users’ privacy cannot come at the cost of reduced competition,” Coscelli said.

Especially if reduced competition is the secret end goal of Google’s public efforts to protect privacy, as is alleged in the multistate antitrust lawsuit into Google’s ad tech business filed last year. (The suit, originally led by the Texas attorney general, was moved to the Southern District of New York over the summer to serve as a centralized forum for complaints against Google. In August, a New York judge unsealed the full complaint.)

Comic: Privacy PatrolOne of the main accusations in the Texas suit has to do with Project NERA, a precursor to the Privacy Sandbox and part of Google’s alleged plan, as per the suit, to “turn the web into a walled garden” by using its ownership of Chrome to steer users to log into its services – and make the experience worse if they don’t.

Beyond the Sandbox

Both competition and data protection regulators are keenly aware that a move to protect privacy could impact competition and curb innovation, while more competition often correlates to adverse consumer privacy. What a life.

On Thursday, the day before the CMA published Google’s revised Privacy Sandbox commitments, the ICO published an opinion on privacy expectations for all developers working on online advertising proposals (not just Google).

The ICO has been making inquiries into the ad tech industry since 2019, including a focus on privacy issues related to real-time bidding and the use of cookies and similar technologies for tracking.

Although Google’s Privacy Sandbox is under the microscope right now, the entire ad tech industry is on notice.

“What we found during our ongoing ad tech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies … this must change,” said outgoing ICO commissioner Elizabeth Denham in a statement. (Denham’s tenure ends in January, when John Edwards, currently New Zealand’s privacy commissioner, is set to take on the top job at the UK’s ICO.)

“That,” Denham said, “is why we want to influence current and future commercial proposals on methods for online advertising early on, so that the changes made are not just window dressing, but actually give people meaningful control over their personal data.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

 

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>