Google’s initiative to eliminate support for third-party tracking cookies – known as its ‘Privacy Sandbox’ – is currently under review by competition authorities in Europe. A group of digital marketing businesses has recently submitted a formal complaint to the UK’s Competition and Markets Authority (CMA), requesting that the implementation of the Sandbox be halted.

The coalition is seeking a pause on Google’s plans to discontinue third-party tracking cookies to allow regulators sufficient time to develop or suggest “long-term competitive remedies” designed to address Google’s significant market position.

According to a press release, “[Our] submission requests a delay in the introduction of Privacy Sandbox until appropriate measures are established.”

The organization, identifying itself as Marketers for an Open Web (MOW), represents “businesses within the online ecosystem who are concerned that Google is jeopardizing the open web model, which is essential for a functioning, competitive media and online economy.”

At the time of writing, a link on MOW’s website leading to a list of “members” was not operational. However, records at Companies House indicate the entity was established on September 18, 2020, with James Roswell, CEO and co-founder of UK mobile marketing firm 51 Degrees, listed as the sole director.

The CMA has confirmed receipt of MOW’s complaint, noting that some of the concerns raised align with issues identified in its comprehensive review of the online advertising market, published earlier this year.

However, the CMA has not yet determined whether to launch a formal investigation.

A CMA spokesperson stated, “We can confirm we have received a complaint regarding Google, raising certain concerns, some of which relate to those we identified in our online platforms and digital advertising market study. We are taking the matters raised in the complaint very seriously and will carefully assess them to determine whether to initiate a formal investigation under the Competition Act.

“Should the urgency of the concerns necessitate swift action, we will also evaluate the possibility of imposing interim measures to suspend any potentially anti-competitive practices while a full investigation is underway.”

In its concluding report on the online ad market, the CMA determined that the market power held by Google and Facebook is substantial enough to warrant a new regulatory framework and a dedicated oversight body to address what it characterized as “wide-ranging and self-reinforcing” issues.

Despite this conclusion, the regulator opted not to take immediate enforcement action, preferring to await pro-competition legislation from the UK government.

The CMA’s statement today clarifies its willingness to act on related competition concerns if deemed necessary, potentially including blocking the launch of Privacy Sandbox to allow for a thorough investigation, while awaiting the development of a regulatory framework. However, no decisions have been made at this time.

In response to the MOW complaint, Google provided the following statement through a spokesperson:

Also commenting in a statement, MOW’s director Roswell said: “The concept of the open web is founded on a decentralized, standards-based environment that isn’t controlled by any single commercial organization. This model is crucial for a healthy, free, and independent media, a competitive digital business landscape, and the freedom of choice for all web users. Privacy Sandbox introduces new, Google-owned standards and represents an irreversible move towards a Google-controlled ‘walled garden’ web, where they dictate how businesses and users interact online.”

This complaint mirrors a similar one filed in France last month (as reported by Reuters), though that case focused on privacy changes planned for Apple’s smartphone platform, which are also intended to restrict advertisers’ access to the iPhone-specific tracking identifier (IDFA).

Apple has stated that the upcoming changes – which were recently postponed until early next year – will provide users with “greater control over whether apps can track them by linking their information with data from third parties for advertising purposes, or sharing their information with data brokers.” However, four online ad associations – IAB France, MMAF, SRI, and UDECAM – argue in their complaint to France’s competition regulator that Apple is leveraging its market power to distort competition.

The online advertising industry’s efforts to secure delays in Apple’s and Google’s privacy measures regarding third-party ad tracking are occurring concurrently with industry-wide collaboration to develop a replacement for tracking cookies, announced this summer as PRAM (Partnership for Responsible Addressable Media), with the goal of “advancing and protecting essential functionalities like customization and analytics for digital media and advertising, while upholding privacy and enhancing consumer experience.”

The adtech industry is now largely focused on a cookie replacement proposal known as UnifiedOpen ID 2.0 (UID2).

A document outlining the proposal, previously available online but later removed following concerns raised by a privacy researcher, indicates a desire to establish a centralized system for tracking Internet users based on personal data like email addresses or phone numbers.

“UID2 is based on authenticated PII (e.g., email, phone) that can be created and managed by participants across the advertising ecosystem, including Advertisers, Publishers, DSPs, SSPs,” reads a brief description of the proposal in the document, authored by representatives from The Trade Desk, a Demand Side Platform proposing to build the technology and then transfer management to an “independent and non-partisan entity.”

The UID2 proposal includes a “Unified ID Service” that would apply a salt and hash process to the PII to generate UID2 and encrypt it to create a UID2 Token, as well as provide login requests from publishers to access the token.

The other component is a user-facing website described as a “transparency & consent service” – to handle user requests for data or UID2 logouts, etc.

However, the ad industry’s proposal to centralize Internet users’ identities by linking them to hashed personal data – and with a self-regulating “Trusted Ads Ecosystem” controlling the mapping of PII to UID2 – appears unlikely to alleviate the privacy concerns that are driving the decline of tracking cookies (to say the least).

Entrusting the mass surveillance industry to self-regulate a centralized ID system for Internet users is questionable.

Adtech companies are evidently hoping to gain enough time to develop a self-serving cookie alternative and present it to regulators as a competition remedy. (Their secondary strategy involves influencing inactive privacy regulators with claims of ‘transparency and consent’.)

It will be interesting to observe whether the adtech industry can successfully persuade competition regulators to impede platform-level privacy reforms while simultaneously undertaking a significant restructuring and rebranding of privacy-compromising tracking operations.

In a related development this month, European privacy advocacy group, noyb, filed two complaints against Apple for failing to obtain user consent before creating and storing the IDFA on their devices.

This represents a separate challenge.

Real-time bidding continues to face regulatory scrutiny in Europe, with significant questions surrounding the legality of its processing of Internet users’ personal data. Privacy advocates are also now challenging data protection regulators to address long-standing complaints.

A prominent online ad industry tool for obtaining web users’ consent to tracking is also under attack and is expected to face enforcement action under the bloc’s General Data Protection Regulation (GDPR).

Last month, an investigation by Belgium’s data protection agency found that IAB Europe’s Transparency and Consent Framework (TCF) failed to deliver on either count – not meeting the GDPR standard for transparency, fairness, and accountability, and the lawfulness of data processing. Enforcement action is anticipated in early 2021.