Pre-empting competitive harm in the Open Web: No more “catch me if you can”

On 11th of February 2022, the CMA accepted binding commitments on Google’s conduct regarding the Privacy Sandbox Proposals (the “Commitments”).[1] Google has stated it will honour these Commitments on a global basis, setting the rules Google must follow in deploying next generation of its B2C consumer software, such as Chrome browser and operating system. Importantly, these Commitments require any changes to the B2C software for alleged “privacy” reasons to be evaluated by the CMA on whether and how they restrict competition for B2B ad tech providers and the abilities of rival publishers to operate and grow their business via advertising. 

The CMA is now in an acknowledged position of oversight, because Google must involve the CMA in any proposed changes under the Privacy Sandbox or any browser changes.  

The CMA is therefore in the driving seat. This is a dramatic and welcome change. At the moment, the law is game of cat and mouse: ‘catch me if you can’. The new commitments are pre-emptive, “ex ante” regulation. The CMA will assess the impact in advance of the abuse hitting market and has levers to pull before the impact from such an implementation would occur until the CMA’s concerns can be adequately addressed.

There are some very significant debates to come:

  • Third party cookies: If Google proposes the withdrawal of addressable identifiers stored in third-party cookies to be replaced by its own Ad Systems’ collection and processing, the CMA must assess the competitive impact for a range of use cases, and whether such proposed alternatives enable rival ad tech providers and rival publishers can continue to compete against Google’s B2B advertising solutions. Rival providers who need to handle data to compete, and who use third party cookies to do so, can raise concerns via the CMA.
  • Adequacy of alternative proposals: The CMA can challenge alternative proposals if inadequate, insufficient, or if they fail to provide competitive equivalence.
  • Requirements for additional technologies: Before the withdrawal of third-party cookies, the CMA must review testing results for each alternative technology proposals to judge its likely impact on competition on both rival ad tech providers and rival publishers.

The Information Commissioner’s Office (ICO) is also involved in overseeing Google’s development of the Privacy Sandbox Proposals to ensure they actually follow definitions of “privacy” as laid out in GDPR and the Data Protection Act.. This is designed to ensure that privacy washing arguments are not made and that the DPA applies in the same way to all players, addressing a major competitive concern in that the Privacy Sandbox, as originally proposed, would have impeded handling of DPA-compliant data. The ICO is developing new guidance which is designed to help distinguish robust privacy arguments from self-serving ones.

As further explained in Annex 1, the CMA has expressly noted concerns that, without sufficient regulatory oversight, the Privacy Sandbox Proposals would:

  • Distort competition in the market for the supply of ad inventory and the supply of ad tech services, by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
  • Distort competition by the self-preferencing of Google’s own advertising products and services and owned and operated ad inventory;
  • Allow Google to exploit its likely dominant position by denying Chrome web users substantial choice in terms of whether and how their personal data is used for the purpose of targeting and delivering advertising to them;
  • The announcements of the Privacy Sandbox Proposals have caused uncertainty in the market in relation to the specific alternative solutions which will be available to other market players once third-party cookies are deprecated.

Immediately, there are several issues that the CMA will need to address under the commitments to meet these concerns. For example, Google supports changing the meaning of key data protection regulations using its board presence in industry trade bodies, such as “pseudonymization” in DAA and NAI codes that contradict the ICO’s definitions published earlier this month. This could have a major competitive impact.

There are also some significant comments on the long-running debate about so-called “first- and “third-party data”. This is the argument that who handles the data matters more than what they do with it or what that data is – a puzzling, and anti-consumer, argument put forward by large players who have much to gain by restricting third party data handling. The core definition here is “Personal Data.” This has been drafted with reference to the Data Protection Act. This means that only principled privacy arguments based on the DPA can be advanced as a reason to prevent competing data handling. Significantly, the distinction between first- and third-party cookies is not the relevant question here: the question is compliance with DPA law and the data handling standards it requires.

The commitments provide many significant powers to the CMA:

  • Oversight: the CMA and the ICO have a robust role in overseeing the development and testing of the Privacy Sandbox Proposals;
  • Process and testing parameters: Google must engage in a transparent process, including consideration of competitive impacts on rival ad tech providers and rival publishers and the publication of test results and testing metrics. This gives the CMA the information it will need to require Google to address issues raised by it or any third parties;
  • Standstill period: The CMA will have a final say (“standstill”) before third-party cookies are disabled. This extends to certain IP address-related measures (“Gnatcatcher”): alternatives must be developed before third party cookies can be removed. Thus Google will not remove third-party cookies until the CMA is satisfied that its competition concerns have been addressed. If the CMA has concerns not resolved at the expiration of the standstill period, it has stated that it will take further action such as re-opening its investigation, imposing interim measures or proceeding to a decision;
  • Monitoring: A Monitoring Trustee will be appointed to work alongside the CMA to ensure the commitments are monitored effectively and Google complies with its obligations;

There are also some significant limits to prevent anti-competitive harm from the dominance of Google Chrome and Google advertising products:

  • Browsing histories: Google has agreed to a firewall preventing Personal Data from browsing histories in its advertising systems, defined to include Google Ad Manager and Privacy Sandbox. This prevents the browsing history from becoming the de-facto monopoly replacement for third-party cookies.
  • Analytics data: Similar restrictions on the use of Personal Data from a Google Analytics account are applied so that this cannot be used to circumvent the eventual removal of third-party cookies in manner that is self-preferencing.

What if it doesn’t work?

If the commitments dialogue fails, Google has agreed that the CMA can re-open its Competition Act 1998 investigation if concerns go unresolved. It is notable that interim measures directions are available in open investigations, i.e. an order to maintain the availability of a technology (e.g. third party cookies).

The commitments have a duration of six years from 4 February 2022, unless released earlier in accordance with section 31A(4) of the Competition Act 1998.

As mentioned by both the CMA chief executive Andrea Coscelli and the CMA’s press update in relation to its mobile ecosystems market study,[2] the acceptance of the binding commitments is just the beginning of the CMA’s journey in overseeing Google’s development of the Privacy Sandbox Proposals:

“While this is an important step, we are under no illusions that our work is done. We now move into a new phase where we will keep a close eye on Google as it continues to develop these proposals. We will engage with all market participants in this process, in order to ensure that Google is taking account of concerns and suggestions raised.”

It will be important for affected parties to answer this call and engage with the CMA. That is the only way to prevent any “illusions” about the competitive impact of the Privacy Sandbox from arising.

Header image: Image courtesy of FLY:D on Unsplash (Licensed for use under the Unsplash license)