Google announces Privacy Sandbox on Android

Greetings to our readers – I haven’t published in a while, but Google’s latest announcement could not keep waiting.

Google has just announced its plan to build the Privacy Sandbox on Android, with the stated aim of “introducing new, more private advertising solutions.” This comes only a couple of days after the UK Competition and Markets Authority issued a decision accepting Google’s commitments with respect to the Privacy Sandbox browser changes on Chrome. For a detailed explanation of the CMA’s analysis and Google’s commitments, you may check my post of 14 June 2021 commenting on the first set of commitments proposed by Google (while Google has since modified its commitments, the core architecture has remained the same). As I explained at the time, this is a landmark decision for several reasons, one being that it signals the willingness of the CMA to get actively involved in shaping complex solutions of technology companies with a view to safeguarding competition (in this sense, this could be a preview of what we may expect once the Digital Markets Unit regime is formally established). The CMA’s task is far from being done – in fact the hard part of monitoring compliance and evaluating the effectiveness of the Privacy Sandbox technologies has only just begun.

What is this new Google announcement about?

By way of background, it is recalled that Google’s Privacy Sandbox project has so far been limited to the web, where user tracking takes place, among other means, through cookies (and third-party cookies in particular). The stated goal of the Privacy Sandbox is to improve user privacy on the web without breaking the latter’s ad-funded business model. In this context, it aims to remove tracking functionality from Chrome (first and foremost by deprecating third-party cookies), and replace it with a set of Application Programming Interfaces (APIs) that should provide greater privacy while allowing legitimate advertising use cases. Of course, the jury is still out as to whether these APIs will eventually be effective substitutes for third-party cookies (and indeed this was one of the chief concerns of the CMA), as they are still being developed, and industry feedback has at times been quite harsh.

In effect, Google has announced it will extend its Privacy Sandbox project to the app ecosystem (on its Android platform). While the blog post is rather short, it is fair to say that Google intends to apply the same philosophy for Android: (1) remove functionality associated with user tracking in the app ecosystem (which is performed not through third-party cookies, but through device advertising identifiers – in the case of Android, this is the Android Advertising ID or “AAID”); and (2) replace such functionality with alternative solutions that are (supposed to be) more private.

To be clear, the blog post does not explicitly state that Google will deprecate the AAID, but there is no reason to doubt that Google will do so, just as it will deprecate third-party cookies in Chrome. After all, if Google does not deprecate the AAID, the industry will have no reason to use its Privacy Sandbox solutions.

An expected move

Google’s announcement should not come as a surprise. The writing was on the wall for mobile advertising identifiers, just like the writing was on the wall for third-party cookies. The specialized press has long noted that the question is “when”, not “if” mobile ad IDs will crumble. The pattern of Google following Apple’s policy changes in this area is clear. Here’s a simplified overview:

Web

  • 2017: Apple launches Intelligent Tracking Prevention (ITP) on Safari, blocking third-party cookies.
  • 2020: Google announces it will replace third-party cookies on Chrome with Privacy Sandbox APIs.

Apps

  • 2021: Apple launches the App Tracking Transparency (ATT) feature, requiring developers to obtain user permission through an Apple-designed prompt in order to “track” users, as defined by Apple. If a user taps “Ask App Not to Track”, the app cannot technically access the IDFA (Identifier for Advertisers – the equivalent of AAID for iOS).
  • 2022: Google announces it will extend the Privacy Sandbox on Android. While not stating this explicitly, Google will most likely deprecate the AAID. Google had earlier tightened its policy for AAID, signaling its intention to impose greater limits.

Apple’s “blunt” and “ineffective” approach

Despite the above similarities, Google has taken a different (and in fact more nuanced) approach compared to Apple. The latter has taken – or perhaps pretended to take for marketing reasons – an absolutist approach, with Safari’s ITP and ATT cracking down on ad identifiers (cookies and the IDFA respectively) while offering no realistic alternative in place (the Private Click Measurement on Safari and the SKAdNetwork for iOS have been lamented for their primitive functionalities).

Google, on the other hand, intends to deprecate ad identifiers (cookies and the AAID), but not before replacing them with effective alternatives. Of course, to what extent it will succeed in this effort remains to be seen, but the fact that the CMA will keep a “close eye” over Google is to some extent reassuring (see below).

There is perhaps a certain level of irony that, despite the above, Google has been subject to intense antitrust scrutiny with respect to the Privacy Sandbox (on the web), while Apple has so far been able to get away with its crude approach. True, Safari may not have the market share of Chrome (albeit in some countries this may be different), and Google is at its core an advertising business, hence any product change that reduces rivals’ ability to perform effective advertising is rightly looked at with a magnifying glass. But Apple also has market power on iOS (as the CMA found in its Mobile Ecosystems market study), and it has a sprawling advertising business that has directly benefited from ATT, plus the latter may further reinforce Apple’s market power in app distribution (as again found by the CMA in its market study). If anything, Apple should be subject to the same level of antitrust scrutiny.

Apple has so far been able to get off the hook by portraying itself as a sort of privacy champion, but in fact its privacy credentials are not so impressive, and regulators are taking note of this.

Take the ATT changes for example. Research by ex-Apple engineers (cited by Google in its blog post) found that “ATT was functionally useless in stopping third-party tracking, even when users explicitly choose ‘Ask App Not To Track’.” In my view, the reason is simple: if a user taps “Ask App Not to Track”, the app (and third-party trackers integrated in the app through Software Development Kits) is technically prevented only from accessing the IDFA; it can still access other pieces of information (e.g., IP address, information on device battery, screen size, etc.) to fingerprint users. The ATT system essentially relies on third parties honoring users’ choices, and the above-mentioned research found that more often than not this does not happen. Apple’s privacy story is to a large extent an illusion.

Now, by citing this study to criticize Apple’s approach, Google has at the same time raised the bar for itself. It will clearly not be enough for Google to simply replace the AAID with Privacy Sandbox APIs, if at the same time third parties can continue tracking through alternative methods. In this respect, Google states it is “exploring technologies that reduce the potential for covert data collection, including safer ways for apps to integrate with advertising SDKs.” Let’s see if this will indeed happen.

The CMA’s role

At the end of its post, Google refers to the role of the CMA:

“We’re also committed to working closely with regulators. We’ve offered public commitments for our Privacy Sandbox efforts on the web, including ensuring that we don’t give preferential treatment to Google’s ads products or sites. We’ll apply these principles to our Android work as well, and continue working with the U.K. Competition and Markets Authority, and others.”

So far, the CMA’s investigation (and Google’s commitments) concerned only the Privacy Sandbox changes on the web, so it is interesting to read that Google will apply the principles of its commitments to Android and continue “working with” the CMA. It is not clear whether this will be done within the context of the commitments accepted by the CMA, but in any event I expect the CMA (and in the mid-term, the DMU) to be closely involved in the development and implementation of the Privacy Sandbox changes on Android. It would make little sense for the CMA to invest resources with respect to the Privacy Sandbox changes on the web while ignoring Android, at a time when users spend an increasing amount of time on their mobile devices. I expect the CMA to adopt a similar approach regarding Android, aimed at ensuring that Google’s Privacy Sandbox changes do not end up distorting competition or exploiting users. In that regard, it is interesting to note that Google has apparently been a big beneficiary of ATT (as Meta’s CFO recently grumbled following Meta’s disappointing earnings report for Q4 2021); it would definitely make a bad impression, to say the least, if something similar were to happen with Google’s Privacy Sandbox browser changes on Android.

Disclosure: Geradin Partners advises various clients on matters adverse to Google. All views are mine and should not be attributed to any client.
