CMA publishes commitments offered by Google with respect to its Privacy Sandbox proposals, seeks comments

Uncategorized 12 Minutes

Last Friday the UK Competition and Markets Authority (“CMA”) published a 93-page long notice of intention to accept commitments offered by Google in relation to its Privacy Sandbox proposals, inviting all interested parties to submit their observations.

By way of reminder, the CMA launched an investigation back in January 2021 into Google’s removal of third-party cookies on its Chrome browser, expected to take place in early 2022. The investigation was launched under Chapter II of the Competition Act 1998 (the UK equivalent of Article 102 TFEU prohibiting the abuse of a dominant position). Throughout the investigation, the CMA has been closely working with the Information Commissioner’s Office (the UK’s Data Protection Authority). It appears that Google indicated early on its intention to offer commitments to address the CMA’s competition concerns. Following several discussions, Google eventually proposed the commitments that were published last Friday. The CMA is of the view that the commitments address its concerns, and is thus minded to close the investigation with a commitments decision. Meanwhile, Google has announced in a blog post that if the commitments are accepted, it will apply them globally.

The timing of the proposed commitments is interesting. Last week also saw the publication of a decision by the French Autorité de la concurrence finding that Google has breached competition rules in ad tech and rendering binding a series of commitments offered by the latter. Last week, Google also announced an overhaul of its Android choice screen (which it had rolled out as part of its compliance with the Google Android decision) in the face of mounting criticisms from search engines such as DuckDuckGo or Ecosia. It may be that Google is trying to settle (or avoid) as many investigations as possible, perhaps to concentrate its efforts to the lawsuits that threaten it the most, namely the various complaints filed by federal and state agencies in the US last year (see here and here).

In what follows I will go through some key parts of the notice published by the CMA. After providing some background to the discussion (i), I will focus on the theory of harm put forward by the CMA (ii); and the commitments offered by Google (iii).

Background to the case

As readers of this blog may be aware, in January 2020 Google announced its intention to remove third-party cookies from Chrome within two years in order to enhance privacy on the web. Third-party cookies have long raised privacy concerns, as they allow for cross-site tracking, namely tracking of users across different websites to build a corresponding user profile. At the same time, however, third-party cookies are a fundamental building block of online advertising on the open web, as they are required to perform tasks such as behavioral targeting (which according to a Google study results in more than 50% revenue for publishers) and ad measurement (which is equally necessary for contextual advertising). To overcome this tension, Google has proposed to phase out third-party cookies and replace them with a set of alternative technologies as part of its Privacy Sandbox initiative. There are various Privacy Sandbox proposals, each dealing with a different advertising use case, e.g., there is a proposal for behavioural targeting called FLoC (Federated Learning of Cohorts), another proposal for retargeting called TURTLEDOVE and so on. At a high level, the key concept is that the various proposals will not allow for the cross-site tracking of individual users; rather, the user will be tracked by the browser, which in turn will share only aggregated information about the user, so that the latter cannot be identified as an individual. Note that the various proposals are still being developed and debated in development fora and the W3C (a standard-setting body for web technologies).

As the CMA already noted in its seminal report on online platforms and digital advertising, the key concern with Google’s announced phase out of third-party cookies is that it may strengthen Google’s position in online advertising. The reason is that (a) third-party cookies are necessary for effective marketing, while (b) Google itself does not rely on third-party cookies to track users and perform effective marketing. If third-party cookies are thus phased out and no adequate alternative is put in place, marketers will shift their ad spend towards Google.

Damien, Theano and I examined this concern in greater detail in a recent paper of ours, considering that Google’s proposed phase out of third-party cookies may amount to anticompetitive leveraging of its market power in the browser market (where Google is active with Chrome) to the market of online display advertising (where Google competes with other publishers for the sale of its online display inventory). As I shall now explain, the CMA seems to follow this approach in its preliminary assessment of Google’s conduct.

The CMA’s theory of harm

The relevant markets and Google’s dominance

The CMA took the preliminary view that the relevant markets in the present case are (i) the supply of web browsers to web users and publishers (where Google is active with Chrome); (ii) the supply of display ad inventory to advertisers (where Google is active with YouTube, Maps, etc.); (iii) the supply of search ad inventory to advertisers (where Google is active with Google Search); and (iv) the supply of ad tech services to publishers and advertisers (where Google is active with its numerous ad tech services, such as its ad exchange AdX, its ad buying tools Google Ads and DV360, and its publisher ad server DoubleClick for Publishers).

The CMA is of the preliminary view that Google is dominant in the market for the supply of web browsers in the period covered by its investigation (January 2019 – present). It based this view on (a) Google’s high market share, calculated as share of page views across devices (around 49% for Chrome, around 76% if all Chromium-supported browsers are taken into account); (b) the presence of high barriers to entry and expansion (e.g., high development costs, pre-installation arrangements, default choice architectures); and (c) the absence of countervailing buyer power on the part of publishers and ad tech providers.

The conduct

Considering that Google’s conduct consisted in the announcement of future events (the phase out of third-party cookies), the CMA followed of a two-party approach. First, it examined whether the phase out of third-party cookies, once implemented, would likely amount to an abuse of Google’s dominant position. Second, the CMA examined whether the announcement itself is already at the present an abuse.

The likely impact of the phase out of third-party cookies

After summarizing the key Privacy Sandbox proposals, the CMA examined three competition law concerns over Google’s planned browser changes. The first two concerns are exclusionary while the third is of exploitative nature.

First concern: unequal access to the functionality associated with user tracking

First, the CMA is concerned that Google’s removal of third-party cookies will limit the functionality available to its rivals in open display advertising (both rival publishers and rival ad tech providers), while leaving Google’s ability to offer these functionalities relatively unaffected.

More specifically, the CMA is concerned that the Privacy Sandbox proposals (as they stand today, in the absence of commitments from Google) will not be effective substitutes for the different functionalities currently enabled by third-party cookies. For instance, FLoC-enabled advertising will likely be less granular and less personalized, while TURTLEDOVE limits the ability for real-time optimization of advertising campaigns.

Google, on the other hand, will retain the ability to carry out the functionality affected by having recourse to first-party data. The CMA notes that Google is able to rely on various sources of data to inform its advertising, including data collected from its user-facing services (which Google commingles), data from Chrome browsing history, third-party data that marketers upload when running a campaign on Google, and third-party data captured by Google Analytics.

The combined result is that the removal of third-party cookies, if implemented without regulatory oversight, would likely foreclose rival publishers and ad tech providers by worsening the quality of the inventory they can offer to marketers. At its core, this is a concern of anticompetitive leveraging, whereby Google would use its dominant position in the browser market to distort competition in the related markets for online display ad inventory and ad tech services.

Second concern: self-preferencing Google’s own ad tech solutions and owned and operated inventory

The second exclusionary concern of the CMA relates to the pivotal role Chrome will assume under various Privacy Sandbox proposals in selecting the ad to be shown to the user. Considering Google is also active as a publisher selling ads and a very strong (in fact the strongest) ad tech vendor, the CMA notes that this is likely to lead to conflicts of interests, and would give Google the ability and incentive to use Chrome’s new role to favour its own ad inventory and ad tech services (by e.g., degrading interoperability with rivals, altering the decision logic in favour of itself etc.). [Note: Google’s conflicts of interests in the ad tech supply chain was one of the key themes in the CMA’s report on digital advertising]

Third concern: imposition of unfair terms on Chrome web users

The third concern of the CMA is that in the absence of regulatory oversight, Google would be able to exploit its likely dominant position in the market for web browsers by denying web users any substantial choice in terms of whether and how their personal data is used for advertising purposes. This is essentially a concern over imposition of unfair trading conditions. The CMA noted that it is currently unclear whether (i) Chrome users will have the option of keeping third-party cookies enabled in their browser; and (ii) Chrome users will have control over how the browser will use their personal data as part of the Privacy Sandbox proposals.

The announcement of the phase out as an abuse in itself

The CMA also took the preliminary view that Google’s announcement of the phase out of third-party cookies could in itself be viewed as anticompetitive, as it has caused considerable uncertainty in the market. According to the CMA, the concerns expressed by third parties over the impact of the Privacy Sandbox proposals reflect in part (a) an asymmetry of information between Google and third parties regarding the development of the Privacy Sandbox proposals, especially with respect to the criteria that Google will use to evaluate the effectiveness of the various solutions; and (b) a lack of confidence on the part of third parties vis-à-vis Google, considering the latter’s commercial incentives may not be aligned with the success of the proposals.

The commitments proposed by Google

To address the concerns of the CMA, Google put forward a series of wide-ranging commitments.

Purpose of the commitments: The commitments have a clear purpose, namely to ensure that the design, development, and implementation of the Privacy Sandbox proposals will not lead to a distortion of competition in digital advertising markets (in line with the first two concerns described above) and/or the imposition of unfair terms on Chrome’s web users (the “Purpose”). To this end, Google will take a number of factors into account when designing, implementing, and evaluating the Privacy Sandbox proposals (the “Development and Implementation Criteria”), namely:

  • the impact on privacy outcomes and compliance with data protection;
  • the impact on competition;
  • the impact on publishers and advertisers;
  • the impact on user experience (including transparency over the use of personal data); and
  • technical feasibility.

Transparency: Google will publicly announce that it will design, develop and implement the Privacy Sandbox proposals in line with the Development and Implementation Criteria. Google will publicly disclose the timing of key Privacy Sandbox proposal, as well as the results of the tests evaluating the effectiveness of the various proposals, while describing the methodology used and the underlying data. Importantly, the CMA may ask Google for access to the underlying data. The CMA may also ask Google to facilitate its participation in W3C discussions.

Involvement of the CMA: The CMA will be closely involved in the development of the Privacy Sandbox proposals to ensure that the Purpose of the commitments can be achieved, taking into account the Development and Implementation Criteria. Specifically, Google undertakes to identify and resolve any competition concerns expressed by the CMA. Google will hold regular status meetings with the CMA to inform it of the progress of the various proposals. The CMA will be involved in the testing of the Privacy Sandbox proposals, and will agree with Google the specific parameters of the tests. The CMA may ask Google to make modifications to the Privacy Sandbox in case there are outstanding competition concerns. The CMA will work with the ICO throughout the process in particular in the assessment of impacts on privacy outcomes and compliance with data protection.

Standstill period: Once Google is ready to implement the browser changes, it will first carry out a test of the alternative technologies in combination to assess the impact of the removal of third-party cookies. It will share the results of such tests with the CMA (and the underlying data, if requested). Google may then notify to the CMA its intention to move forward with the rollout of its changes, and trigger a standstill period of 60 days (which may be extended to 120 days per the CMA’s request). The CMA will run a public consultation on the Privacy Sandbox proposals, based on the final tests, and notify Google if it has any outstanding competition concerns. If Google does not resolve such concerns, the CMA may reopen its investigation and, if necessary, adopt an interim measures decision. In practice, this means the CMA will have a sort of veto right.

Data silos: Google will not use individual-level user data for ads it shows on third-party inventory (in which case Google is acting as an ad tech vendor) from the following sources: (a) Google’s user-facing services, including Android; (b) Chrome’s browsing history; (c) Google Analytics; and (d) data uploaded by advertisers. Google will also not use data from sources (b) and (c) above to inform advertising shown on its owned and operated properties (in which case Google acts as a publisher). Google would still be able to commingle data across its services for ads shown on its owned and operated properties, however the CMA notes that if there are outstanding competition concerns, it may consider additional data silos. 

No self-preferencing: Google will not design, develop, and implement the Privacy Sandbox proposals in a way that will distort competition by self-preferencing Google’s advertising products and services. Google will also not use competitively sensitive information provided by an ad tech provider or publisher to Chrome in a way that distorts competition.

Reporting and compliance: Finally, there are certain provisions over Google’s reporting obligations. If accepted, the commitments will be binding for a period of two years from the date of Google’s removal of third-party cookies, or five years from the date of their acceptance (whichever is earlier).

The significance of the case and the commitments

My personal view is that the CMA’s commitments decision (if Google’s commitments are of course accepted) will be a landmark. The CMA is breaking new ground here, and I think it should be commended for doing so.

First, the commitments are based on clear principles. Rather than being a set of discordant rules, the commitments have a clear purpose: ensure that Google will not design, develop, or implement the Privacy Sandbox proposals in a manner that results in a distortion of competition and / or the imposition of unfair terms on users. This principled approach permeates the whole text of the commitments, and is completed by a set of criteria that Google will have to take into account when developing the various proposals. The criteria include, among others, the proposals’ impact on privacy and competition.

Second, and more fundamentally, the CMA will be closely involved in the development of the Privacy Sandbox proposals, such as in the design of the tests Google will run to evaluate the effectiveness of the various proposals. Perhaps more importantly, prior to rolling out its browser changes, Google will have to run a final comprehensive test of the Privacy Sandbox proposals, and there will be a standstill period of at least 60 days, during which the CMA will have the power to ask Google to make modifications to resolve any outstanding concerns – and if need be, reopen its investigation and impose interim measures on Google.

I would not be surprised if some commentators will jump to criticize the CMA for asserting a regulatory function that transcends the traditional role of a competition enforcer. Others may argue that monitoring compliance with such commitments will be very hard for a regulator. Yet in my view such criticisms would be wholly unjustified, and for several reasons.

  • In the first place, these are commitments offered by Google, not imposed on it. Google itself proposes to be “regulated.” I would not be surprised if Google itself actively seeks that outcome, as in that case it will have legal certainty in such a difficult area where competition and privacy considerations are inextricably linked.
  • In the second place, the nature of the case is such that any one-off intervention will do nothing (unless we talk about structural remedies, which are of course more burdensome for the investigated undertaking). This is a very complex area, where it is necessary to have expertise in data science and software development. Personally, I do not see any other way a regulator can tackle these issues save for going all in. The alternative of doing nothing and simply trusting Google is not an option.

It is for this last reason that I think the CMA should be commended for. It does not shy away from dealing with these issues despite their unprecedented technical complexity and the inevitable asymmetry of information between regulators and one of the most technologically advanced companies in the world. I bet the CMA will draw on the data scientists team it has gradually built to engage with Google in the technical discussions. In my view, this is how a competition authority should act in the digital era.

Disclosure: Damien and I are advising the European Publishers Council (a news trade association) in the CMA’s investigation into the Privacy Sandbox. This blog post reflects my own views and should not be attributed to the EPC or any of its members.

Author

Published by

Published

One thought on “CMA publishes commitments offered by Google with respect to its Privacy Sandbox proposals, seeks comments

  1. Pingback: Google announces Privacy Sandbox on Android – The Platform Law Blog

Leave a Reply