Google Tracking Cookies: Support Won't End Without UK Approval

U.K. Regulator Poised to Gain Power Over Google's Cookie Deprecation

A significant development is unfolding as the United Kingdom’s competition regulator is expected to receive an emergency measure. This will enable it to halt Google’s planned termination of support for third-party cookies, a technology currently vital for targeted online advertising, should it determine that competition would be negatively impacted by this change.

Investigation into Privacy Sandbox

This advancement stems from an investigation initiated by the Competition and Markets Authority (CMA) earlier in the year, focusing on Google’s “Privacy Sandbox” initiative.

Should the CMA accept a set of legally binding commitments offered by Google – a notification of intention to accept has been issued today – the regulator will possess the authority to impose a standstill of at least 60 days on any action by Google to discontinue cookie support in Chrome.

Potential for Further Investigation

The CMA retains the option to launch a more comprehensive investigation if it remains dissatisfied with the situation when a standstill is ordered to prevent Google from suppressing tracking cookies.

Furthermore, the watchdog could potentially block Google’s broader “Privacy Sandbox” technology transition altogether, should it conclude that the shift cannot be implemented without harming competition. However, the CMA currently holds the “provisional” view that Google’s proposed commitments will adequately address competition concerns.

Industry Consultation Underway

A consultation period is now open to gauge industry consensus, with feedback being accepted until July 8.

Andrea Coscelli, the CMA’s chief executive, stated the following regarding the matter:

Google's Global Commitments

In a blog post outlining its pledges – categorized under “Consultation and collaboration,” “No data advertising advantage for Google products,” and “No self-preferencing” – Google indicates that if the CMA approves its commitments, it will “apply them globally.” This makes the U.K.’s intervention potentially highly impactful.

Interestingly, one somewhat unforeseen consequence of Brexit is that it has positioned the U.K. to make crucial decisions regarding the regulations governing global digital advertising. (While the European Union is also developing new rules for platform giants, the CMA’s intervention on Privacy Sandbox currently lacks a direct parallel in Brussels.)

Google’s willingness to transform a U.K. competition intervention into a global commitment is noteworthy. This may be partially intended as an incentive, encouraging the CMA to accept the offer and establish a global standard.

Operational Certainty and Regulatory Strategy

Businesses generally value operational predictability. Therefore, if Google can establish a set of rules accepted by a significant market like the U.K., through collaboration with national oversight bodies, and then implement those rules universally, it could streamline the process of avoiding further regulator-imposed obstacles.

Consequently, Google may view this as a more efficient path toward transitioning its adtech business to a post-cookie future. Avoiding a complete cessation of its plans – or perhaps even benefiting from the outcome – is also a key consideration for Google.

More broadly, proactively engaging with the U.K.’s responsive regulator could be a strategic move for Google to navigate the political complexities and risks associated with digital regulation in other markets, particularly its home country, the U.S. – where calls for breaking up tech giants are increasing, and Google faces multiple antitrust investigations.

Demonstrating Compliance

The desired outcome for Google may be to demonstrate regulator-approved “compliance,” which it can then present as evidence against the need for dismantling its advertising empire. (Or to prevent a regulator from prohibiting its privacy-focused changes.)

Google’s offer of commitments underscores that regulators who act swiftly to address the power of tech giants will be instrumental in defining and establishing the standards and conditions applicable to web users worldwide – at least until more substantial interventions are enacted against big tech.

Understanding the Privacy Sandbox Initiative

The Privacy Sandbox represents a multifaceted collection of technological proposals designed to supersede existing ad tracking methodologies – often criticized for compromising user privacy. Google posits that this new infrastructure will simultaneously enhance individual privacy and sustain revenue generation for the adtech and publishing sectors through targeted advertising directed at groups of users categorized by shared interests.

While the specifics of these proposals, encompassing elements like FLoCs – Google’s cohort-based ad ID system utilizing federated learning – and Fledge/Turtledove, their proposed ad delivery technology, remain subject to refinement, the core objectives are becoming clearer.

In January 2020, Google announced its intention to discontinue support for third-party cookies within a two-year timeframe. This relatively short deadline has intensified opposition from the adtech industry and certain publishers, who express concerns about potential revenue declines resulting from the loss of individual-level ad targeting capabilities.

The Competition and Markets Authority (CMA) initiated an investigation following complaints that Google’s transition to its own infrastructure could strengthen its market dominance. This concern stems from the potential for limiting third-party tracking while Google maintains extensive access to user data through its dominant web services.

The CMA’s preliminary findings highlight potential risks if the Privacy Sandbox is implemented without adequate regulatory oversight. These risks include reduced competition and potential harm to user privacy.

Simultaneously, growing privacy concerns surrounding online ad tracking are compelling Google to revise Chrome – the leading web browser – as other browsers have already implemented measures to protect users from online surveillance, such as tracker blocking.

Users increasingly dislike intrusive advertising, leading to widespread adoption of ad blockers. High-profile data breaches and scandals have also heightened awareness of privacy and security issues. Furthermore, stricter digital privacy regulations have been enacted in Europe and other regions, redefining the boundaries of acceptable online advertising practices.

A central challenge lies in balancing privacy and competition regulation, recognizing that overly aggressive competition interventions could inadvertently perpetuate privacy abuses stemming from historically lax enforcement of online privacy standards. This has allowed for the widespread development of consent-less ad tracking and targeting.

A combination of weak privacy enforcement and stringent competition regulation is unlikely to effectively safeguard the rights of web users.

However, there are grounds for cautious optimism regarding this situation.

Recently, the CMA and the U.K.’s Information Commissioner’s Office (ICO) released a joint statement emphasizing the importance of both competition and data protection in digital markets. They cited the CMA’s Google Privacy Sandbox probe as an example of a case requiring collaborative effort.

As they articulated: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals, and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”

Despite this, the ICO’s historical lack of enforcement against privacy-infringing adtech raises questions about its commitment to action. Therefore, any optimism stemming from the regulators’ “joint working” should be tempered.

(In contrast, the CMA has been actively involved in digital investigations since gaining expanded powers post-Brexit. It has conducted thorough analyses of competition within the digital advertising market and is establishing a new unit to enforce a pro-competition regime aimed at curbing the influence of large technology companies.)

Google’s Commitments to the CMA

According to the Competition and Markets Authority (CMA), Google has provided “substantial and wide-ranging” commitments concerning the Privacy Sandbox initiative. These commitments encompass several key areas.

• A pledge to develop and deploy these proposals in a manner that safeguards competition and ensures equitable treatment for Chrome users. This includes ongoing engagement with both the CMA and the Information Commissioner's Office (ICO) to achieve this goal.
• Enhanced transparency from Google regarding the timeline and assessment criteria for the proposals’ implementation. Public disclosure of testing results for alternative technologies is also included in this commitment.
• Significant restrictions on Google’s ability to utilize and combine individual user data for digital advertising purposes following the phasing out of third-party cookies.
• An assurance that Google will not favor its own advertising and ad-tech ventures over competitors when designing or operating cookie alternatives.
• A minimum 60-day pause before the removal of third-party cookies, allowing the CMA to revisit the investigation and potentially implement interim measures to protect competition if concerns remain unresolved.

Google has also stated its intention to maintain an “open, constructive and continuous dialogue” with the CMA and the industry throughout this process. This includes proactively sharing timelines, changes, and test results related to the Privacy Sandbox proposals.

Collaboration with the CMA to address concerns and establish agreed-upon parameters for testing new proposals is also planned, with the ICO providing direct input.

These commitments directly address competitive concerns, including self-preferencing, non-discrimination, and limitations on combining user data in ways that could provide an unfair advantage.

The CMA emphasizes that privacy considerations are also integral to these competitive assessments, as the commitments will:

A spokesperson for the ICO highlighted that one of the initial commitments secured from Google under the CMA’s intervention “focuses on privacy and data protection”.

The data protection authority further stated:

This development within the CMA’s investigation prompts numerous questions, both significant and minor. A primary concern revolves around the future of core web infrastructure and the potential implications of these negotiations between Google and U.K. regulators for internet users globally.

A central debate centers on whether a “co-design” approach, with oversight from regulatory bodies, is the most effective method for addressing the power imbalance resulting from a single technology company’s dominance in both consumer digital services and adtech.

Alternative perspectives suggest that dismantling Google’s consumer technology and adtech divisions is the only viable solution, dismissing other efforts as insufficient.

Despite the planned consultation and adjustments, Google retains control over proposing the changes. Critics argue that this governance model is unacceptable for an open web, as Google remains at the helm.

However, the CMA currently intends to pursue this collaborative approach.

Concurrently, the U.K. government and CMA are developing a broader pro-competition framework that could lead to more substantial interventions in the operations of Google and other major platform companies. Further interventions are therefore highly probable.

For the time being, Google likely views the opportunity to collaborate with U.K. regulators favorably. Engaging oversight bodies in the details of desired changes may be preferable to facing an order to break up its business, a possibility the CMA has previously considered.

Google has been contacted for comment regarding its Privacy Sandbox commitments. (Update: responses are available below.)

Jon Mew, CEO of the Internet Advertising Bureau (IAB) UK, released a statement in response to this development:

Broader Inquiries and Google’s Response

Following our initial inquiries, Google has provided supplementary information. The company refutes the notion of a “co-design” arrangement for the Privacy Sandbox under the proposed commitments, asserting instead that the arrangement centers on oversight and collaborative efforts with the Competition and Markets Authority (CMA).

However, this distinction may simply represent a semantic nuance on Google’s part. The company has validated that the commitments offered—regarding design and testing—encompass all technologies proposed within the Privacy Sandbox framework.

This signifies that the scope extends beyond merely tracking cookies, applying to any potential replacements as well. Google further confirmed that, upon formal acceptance, these commitments would be implemented globally, not limited to the U.K.

Contingency Planning and Project Continuation

When questioned about alternative strategies should the CMA prohibit the deprecation of tracking cookies, Google refrained from speculation. Such an order, they implied, could potentially jeopardize the entire Privacy Sandbox initiative.

Despite this, Google maintains its conviction that the future of the web hinges on adapting to evolving user privacy expectations. They express a strong commitment to the Privacy Sandbox project and anticipate that engagement with the CMA will address industry apprehensions regarding the planned transition.

Importantly, Google affirmed its intention to continue development on the project, irrespective of awaiting the CMA consultation’s outcome. A response regarding potential timeline adjustments due to the regulator’s intervention was not provided.

Governance and Collaborative Concerns

Addressing the governance structure of the Privacy Sandbox, and the appropriateness of Google leading the redesign of core web infrastructure, Google emphasized its collaborative approach with the industry through forums like the W3C.

However, W3C groups lack the authority to overrule Google’s decisions. This raises concerns that Google may be engaging in a superficial display of collaboration, masking a unilateral overhaul with widespread implications for online industries.

While Google is now expanding its outreach to include U.K. regulators in proposal discussions, the ultimate proposals and decisions remain under Google’s control.

Expert Perspective on Governance

Dr. Lukasz Olejnik, a privacy and cybersecurity researcher and consultant, shared his insights with TechCrunch. He noted Google’s efforts at collaboration within venues like the W3C, but questioned the existence of a formal governance model for the Privacy Sandbox.

“There has to be a mechanism for agreeing on changes or modifications,” Dr. Olejnik stated. “What guarantees are there that a good proposal will actually be implemented? Furthermore, the future maintenance and development of proposals remain unclear. What legitimizes this process?”

He continued, “Google cannot legitimately claim sole decision-making authority. A semi-formal governance structure representing users, publishers, user agents, advertisers, and privacy experts is needed. This is the first attempt at privacy-preserving ad systems, and it should be future-proofed.”

Ad Serving and User Privacy

TechCrunch also inquired about the ad serving aspects of the Privacy Sandbox proposals and how Google believes its architecture safeguards user privacy.

Google offered limited specifics but highlighted the Turtledove proposal, where advertisers target users based on interest groups without linking that group to individual user data or browsing history. This, they suggest, is more privacy-respecting than current tracking cookie practices.

The Fledge component aims to enhance Turtledove by incorporating a trusted third-party server to address concerns about data storage within the browser.

Ongoing Engagement with Regulators

Google confirmed its proactive engagement with the CMA regarding the design and testing of both technology proposals within the Privacy Sandbox. The competition watchdog will also receive direct input from the Information Commissioner’s Office (ICO) during this process.

This ensures U.K. regulators have direct access to discussions surrounding proposed changes. Google added that the proposed commitments represent a substantial step toward reassuring the market.

Potential Trade-offs and Regulatory Reckoning

Whether this “collaboration” will result in Privacy Sandbox modifications that prioritize competition at the expense of user privacy remains uncertain.

A failure by the CMA-ICO to jointly address both privacy and competition concerns would be a significant setback. Historically, user rights have often been overlooked by privacy regulators under pressure from adtech lobbying efforts.

However, by seeking to involve competition regulators, the adtech lobby may inadvertently trigger a crucial regulatory review of a key issue. Similar concerns regarding privacy abuses are also emerging as competition issues elsewhere in Europe, suggesting a need for caution.

This report has been updated to include additional commentary and context.