The CMA is consulting on legally binding commitments from Google that seek to address the competition concerns it has in relation to Google’s browser changes announced in Google’s ‘Privacy Sandbox’.
The CMA’s consultation is open until 8 July 2021. See CMA Notice: Notice of intention to accept binding commitments offered by Google (publishing.service.gov.uk)
MOW is optimistic that Google’s offer to settle the case will be groundbreaking and provide a new and different basis for oversight of Google’s business behaviour. MOW considers the proposals to be a good starting point for consultation and applauds the CMA’s hard work.
Unfortunately, Google’s track record undermines trust and confidence that its behaviour will change. There is a serious risk that this case will be another example of Google’s “all mouth and no trousers” approach. Careful scrutiny of the proposed commitments is needed. We are looking for a clear break with past abuse and good faith commitment to a new approach.
The CMA makes two preliminary findings:
- That Google’s announcements of the Privacy Sandbox broke the law. They caused uncertainty in the market which adversely affected market participants and harmed competition, to the advantage of Google’s own business (see 5.85-5.100 CMA notice). For example, Google’s salespeople were able to promote Google’s own advertising solutions and analytics services to advertisers as more effective than those of its advertising and analytics rivals.
- That without further oversight and regulatory scrutiny, Google’s further implementation of its Privacy Sandbox proposals would be likely to abuse its dominance – it would be likely to discriminate against rival publishers and competitive third-party supply chain vendors and exploit Chrome web users.
The commitments should address these concerns, in outlining necessary changes in behaviour from Google going forward. When responding to the CMA’s consultation, you may wish to consider the points set out below.
Striking-out the preambles.
- In a UK set of legally binding undertakings addressing CMA concerns as set out in its Notice, there is no purpose to preambles, nor is there a reason to have them as an aid to understanding or interpretation of the Notice or the commitments. The commitments should address the competition concerns identified by the CMA. The CMA concerns are the CMA Concerns as set out in the CMA’s Notice; no further explanation is required. The preambles make a series of references to self-serving statements of disputed fact such as Google’s intention in putting forward its browser changes as “making the web a more private and secure”. MOW considers that Googles changes would degrade privacy. Note that the CMA has preliminarily found that the proposed browser changes are anticompetitive and discriminatory. Is Google attempting to faithfully record this finding when it states in the preamble the “privacy preserving open standards mechanisms like privacy sandbox”? We suggest that Google is in fact putting statements into the preambles designed to help it in future disputes or litigation; as such, these statements in preambles have no place in the legal commitments and should be struck out.
Adequacy of the remedy meeting the CMA’s preliminary views that Google has broken the law?
- Do Google’s commitments address all the findings made by the CMA? Do they address your concerns as to how ‘Privacy Sandbox’ would impact on your business? If not, let the CMA know how they should be amended to mitigate or eliminate that impact. If you find it ambiguous as to whether it will or not, let the CMA know that too; if it’s not clear to you then it might not be clear to others either.
Announcements and Communications
- Do Google’s commitments as to announcements of future changes meet requirements for both sufficient prominence and clarity in terms of audience reached and content? Should there be a requirement for Google to notify all parties via similar means by which it previously made claims regarding the Privacy Sandbox, rather than creating a microsite or blog post to address the potential for harm identified by the CMA on a forward looking basis? Should this include contacting all parties to whom Google’s sales teams have advocated using their advertising, analytics, or other services, on the basis that there is a question mark over whether and how well competing services would have been or be effective after the implementation of the changes?
- It should be possible to assess the amount of coverage the initial and subsequent announcements relating to the Privacy Sandbox have received, and the reach sales packs referring to it etc. had. Once this number (n) has been calculated, should Google be required to make an announcement regarding the CMA’s whose coverage and reach is equal to n? This is similar to the principle in other examples of tortious harm caused by publication under libel law in England whereby any retraction or apology must be published with the same prominence and circulation as the original statement.
Definitions: the importance of avoiding overly narrow framing of the issues in the commitments
- Do the commitments included definitions or framing which could be construed as narrowing their applicability? Are they framed in such a way that could be construed as failing to address all of the CMA’s competition concerns?
- Could paragraph 8 of the commitments be construed as narrowing their applicability to only one area of the CMA’s competition concerns? Is this an attempt to move the goalposts in the middle of the match? Perhaps you will note that:
- In 8(a.) it only refers to “functionality associated with user tracking for third parties” linked narrowly to supply of “ad inventory” an “supply of ad tech services”. Does this capture the full scope of the CMA’s concerns? Some of the Privacy Sandbox proposals don’t necessarily relate only to this functionality, such as the User Agent String impairment proposals. There may be concerns that are not easily characterised as user tracking or have impacts beyond ad inventory and ad tech.
- In 8(b.), there is a limitation to “advertising products” – does this address the problem that “advertising services” offered solely on Google’s properties and unimpaired by Privacy Sandbox may continue to provide superior value and cause shift of budgets away from rival publishers, reducing competitive constraint on Google and forcing others to host their content on larger publishers?
- In 8(c.) there is a reference to unfair terms to Chrome users, but there may be many other concerns which are not immediately user facing. Does the definition of the Privacy Sandbox truly include all the proposals and behaviour to like effect?
- As described above Google should publicise the CMA’s initial findings and consultation as widely and prominently as it has publicised its own publicity for the Privacy Sandbox. This includes requiring its sales and marketing teams to contact parties they have sought to persuade to use, or use more of, Google’s advertising and analytics services on the basis that the changes were being implemented and the efficacy of competing services was in question. Such contacts should be informed that this is not the case, that the changes are subject to CMA oversight, and that they will not be implemented if they have a detrimental impact on competition.
E: CMA oversight.
- Ongoing oversight from the CMA is welcomed and appears to be likely to be operationally effective. However, MOW is concerned that as we have learned from the FLoC is “95% as effective” debacle, Google sharing the results of internal tests with the CMA is not adequate; there must be a mechanism whereby there is an objective measurement of the efficacy of any proposal. In addition to involvement in designing the tests, the CMA must be involved in defining what the measure of efficacy will be. MOW also considers that any commitment from Google to “work” with the CMA must be qualified by terms such as “in good faith” and “with best efforts” to help with enforceability.
F. Standstill before the Removal of Third-Party Cookies
- MOW is concerned that the standstill period only applies to the proposal to remove third-party cookies, not any of the proposals which will limit data interoperability and accessibility. Should it be broader than currently drafted?
- Should the standstill period be longer?
G: Data definition
- The removal of third-party cookies is not the only proposal contained in the Privacy Sandbox which will block players other than Google from seeing certain data. The totality of the proposals are also not workarounds for third party cookies, or privacy purposes, nor are they there as alternatives or substitutes for third party cookies being removed. Each has an individual function. Each needs to be addressed individually; the drafting of the commitments is currently limited by purpose and workaround, making it arguably inapplicable to many of the Privacy Sandbox elements. Data transmitted between browser and website is used for many purposes, including fraud detection and website performance optimisation; the commitments seek to exclude such functions in inappropriately.
- This commitment also fails to address privacy concerns about Google’s very widescale collection of user data across the web (i.e. in addition to ads systems, consumer software and hardware, via its dominant operating system and browser market share). There needs to be a process for verification and audit of the commitments in this section. Currently there is not such a process proposed.
- It is not clear that the definitions currently adopted would affect past or aggregated data. This limited scope of data a potentially major omission.
- The proposal also only restricts integration of (i) Chrome and (ii) Google Analytics data in the case of Google owned and operated adverts (Section G, para 24), even after the retirement of third-party cookies. However, discrimination in favour of owned and operated inventory may be much broader than just Chrome and Google Analytics supplied data, and competitive constraint may be weak even if the review of third-party cookies retirement takes place. There is a need for a much broader approach to potential discrimination in data access, to ensure continuing competitive constraint.
Section H: Non-Discrimination
- Given limitations in other sections there is an acute need for a broadly framed non-discrimination remedy that preserves a residual power for the CMA to act, overriding other sections in the event that concerns arise. Should this be clearly spelt out to avoid scope to argue that specific provisions displace the general non-discrimination provision in H?
- The commitment not to discriminate needs to be referred back to the obligation in the law- so that Google’s commitment is tied back to a legal benchmark and defined meaning- not something that Google can claim is compliant with the meaning of language that it can reference at a later point. The “Development and Implementation Criteria” defined in the draft, currently fail to achieve this as they are broad and open to interpretation. Moreover, the commitment should not be limited to “self-preferencing Google’s advertising products and services”. Firstly, it is not clear which services would fall within the language which is offered. Secondly, Google should not use the browser changes to self-preference any of its products or services, not just those related to advertising. Elsewhere, the CMA has noted dominance in the browser, not only in advertising.
- Examples of practices raising concerns from affected companies would be extremely valuable to the CMA, as they can be used as examples of whether Section H would bite, reducing scope for argumentation later.
Sections I-M: Reporting and Compliance, Duration, Variation or Substitution, Effect of Invalidity, Governing Law and Jurisdiction
- Reporting and Compliance: Google appears to only be committing here to various reporting requirements, not actually to compliance. Monitoring is not enough, there should be an active obligation to comply. Given the severity of the situation the commitments are meant to remedy, MOW considers that only CEOs should sign any compliance statements, not a delegated authority. It is important that the responsibility for compliance goes right to the top. Finally, MOW considers that commitments to remedy any breach or to provide information should include a specific timeframe, not words like “promptly” which are open to interpretation.
- Duration: there should be some sort of review process before the commitments terminate, to avoid the possibility that Google simply delays the implementation of its anticompetitive proposals until after the commitments will have terminated.
- Anti-avoidance: there should be a general anti avoidance provision that is related back to the effect on competition and competitors that prevents Google from making anticompetitive or discriminatory changes “to like effect” to those that are identified in the CMA notice and to which the commitments have been offered. This is frequently used in other Chapter II commitments decisions (see e.g. Scottish Road Fuels; Epyx).
 See for example: Google’s offer to provide a remedy in the interim (Article 9) process in the EU Commission’s Search (Shopping) case that was demonstrated by the complainants (ICOMP), to be worthless, such that the Commission then took the decision to abandon the Article 9 process (interim remedies) and took a decision to go for an Article 7 case because, in part, that process allows for fines, and then took the case to its final conclusion issuing a decision and fine of E2.4 bn. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52018XC0112(01)&from=EN, see also: https://www.ftc.gov/system/files/documents/public_comments/2018/07/ftc-2018-0052-d-0005-147574.pdf , https://privacyrights.org/resources/privacy-and-civil-liberties-organizations-urge-google-suspend-gmail, https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110330googlebuzzagreeorder.pdf, https://www.theguardian.com/technology/2015/jun/23/google-eavesdropping-tool-installed-computers-without-permission, https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking, https://www.cnet.com/news/youtube-faces-complaint-demanding-ftc-probe-over-kids-data/, and https://www.theguardian.com/technology/2014/jan/16/google-uk-courts-privacy-breach-iphone-safari, See also Google’s behavioural changes following the Fitbit merger commitments.
 See 5.5 “The CMA is also concerned that certain announcements made by Google with respect to the Privacy Sandbox Proposals are themselves likely to amount to an abuse of a dominant position in the market for the supply of web browsers”