The latest around Google and the Privacy Sandbox

On Monday the US State AGs filed an amended complaint against Google with respect to ad tech, joined by five additional States. (Reminder: the State AGs sued Google in December 2020, arguing that the tech company has engaged in anticompetitive conduct and even entered into an unlawful agreement with Facebook to restrict competition in the ad tech sector). The key additional elements in the amended complaint are the following.

  • First, Google allegedly updated its search algorithm in June 2019 to penalize publishers applying differential price floors in Google’s ad tech solution for publishers. Penalized publishers would receive less search traffic as a result.
  • Second, Google had access to WhatsApp users’ communications backed up to Google Drive, despite Google telling users that their WhatsApp backups were private.
  • Third, the Privacy Sandbox project is Google’s scheme to wall off the internet users access through Chrome while deflecting regulatory attention away from its own privacy practices. The Privacy Sandbox browser changes are said to be anticompetitive, in that they will result in marketers shifting their ad spend to Google’s “walled garden” of owned and operated properties and away from the open web. At the same time, it is alleged that Google’s ad tech solutions will also have an advantage over rivals, as they will have access to data from Chrome and Android OS.

I would like to spend a bit more time on the Privacy Sandbox issue. As the readers of this blog know, Google’s Chrome browser changes are currently the subject of an investigation by the CMA. Meanwhile, on 3 March 2021, Google made headlines for stating through a blog post it will not use alternative identifiers to track users across the web once third-party cookies are phased out; rather, Google’s ad tech products will use the Privacy Sandbox APIs (see here for my take on Google’s blog post). Last week Deepti Bhatnagar, Group Product Manager at Google Ad Manager, published another blog post, stating that besides the Privacy Sandbox solutions publishers and advertisers will be able to leverage their first-party data, that is the data they directly collect from their users. And Google executives Chetna Bindra and Jerry Dischler have stated firmly that Google will not build any “backdoors” or workarounds to give itself the upper hand.

Considering the regulatory pressure it is subject to, it may come as little surprise that Google is trying to give the impression it will not have any special advantage in a world without third-party cookies. But is that so? I think it is useful to make a distinction between Google’s role as (a) an ad intermediary in the open web; and (b) as a publisher selling its owned and operated properties.

  • As regards Google’s role as an ad intermediary in the open web, it is in principle possible that Google will have no special advantage post-third-party cookie deprecation. Now, whether this will indeed happen remains to be seen. Even if we take Google’s blog posts at face value (so that Google will not use data from, say, Chrome’s sign-in mode to power its ad tech tools), there are still issues that need to be addressed. It would for instance be necessary to ensure that Google’s ad tech solutions do not exhibit enhanced interoperability with the Privacy Sandbox APIs compared to rivals, that Google does not charge rivals for using the Privacy Sandbox solutions etc.
  • Things are more complicated when it comes to Google’s role as a publisher of its owned and operated properties like YouTube or Search. It is far less clear whether Google will be competing with other publishers on a level-playing field once third-party cookies are deprecated. While Google has said its ad tech business will be affected like that of its rivals, it has not said much as to how its activities as a publisher will be impacted.

If anything is clear, it is that Google is doubling down on the ability of publishers (including itself) to leverage their first-party data. And, rather conveniently, Google has an edge here, collecting troves of data and commingling them across disparate service. As mentioned in my previous post, Google will most likely continue to track users within its “walled garden”. This will also include Google tracking users across its sites and combining the collected data for advertising purposes (at least I have not come across any source stating that Google will not do so). This seems problematic; Google’s stated intention for the Privacy Sandbox is to limit cross-site tracking, so that activity from site A cannot be associated with activity on site B. Why should cross-site tracking be allowed to take place within Google’s “walled garden”? Google’s distinction between the “open web” (where cross-site tracking is bad for user privacy) and its “walled garden” (where cross-site tracking is fine from a privacy perspective) is not so easy to justify.

One could imagine that a user expects and to exchange data about her. I doubt the same would apply with respect to e.g., and YouTube or Maps and Gmail. Even assuming that the average user is aware that these services are operated by the same company (which is not a given), it is very hard to see how the user would expect her activity on one service (say, YouTube) to be correlated with activity in a completely different service (like Gmail). This cross-site tracking is not only bad for user privacy; it also grants Google an unfair advantage over rival publishers.

To cut a long story short: I think that Google should extend certain Privacy Sandbox solutions to its owned & operated properties, so that for example users will be tracked across Google sites only as parts of large cohorts (in line with one of the Privacy Sandbox proposals, namely Federated Learning of Cohorts). Not only will this increase user privacy; it will also ensure Google will have the right incentives to develop successful Privacy Sandbox solutions. Or perhaps Google should have in place data siloes between its various services. In fact, the purpose limitation principle in the General Data Protection Regulation could be used to achieve just that, so it may be just a matter of enforcing the latter – which as of today, has mainly been left in the hands of the Irish DPC…

Photo by Mitchell Luo on Unsplash

3 thoughts on “The latest around Google and the Privacy Sandbox

Leave a Reply